
看雪CTF — 白云苍狗 (week 4)

👴 It seems I didn't do much last week: I reproduced a few things and found some weak spots in my knowledge, namely angr, VMs, and dynamic programming. This week is mainly about drilling those three. Since RCTF had a VM challenge and a dynamic programming challenge, I won't go looking for extra problems and will practise on those instead. For angr I'm studying the markdown notes 科二 gave me; for dynamic programming I plan to watch videos, since I can't quite follow the papers!

On to the main topic.

看雪CTF challenge 12: 白云苍狗


At a glance it's a Windows reversing challenge. Let's go!


I stepped through it with OD to see what the logic is.


I entered KCTF: every input character has 0x37 subtracted from it and is stored at 0x1311CB8. The input length must be between 4 and 16.


I dumped the 72 entries of key_new2 at 013119DF:

00 01 01 01 00 01 00 00 00 00 01 00 01 01 01 00 00 01 01 01 00 00 01 01 01 00 00 01 00 00 01 01 00 00 00 00 00 01 01 00 00 00 01 01 01 01 01 00 01 00 00 00 01 01 00 01 00 01 01 00 00 01 01 01 01 00 00 00 01 01 00 00


Here, this run of 0s and 1s is our input converted to hex and then to binary, stored one bit per byte:


This is the example; it corresponds to the 00 01 01 01 we saw in memory.

I used the password given in the challenge, E247EC9C06C71B6E13, so I guessed that what follows is something like the arithmetic from a computer-organization course (digital logic).


https://www.dllhook.com/post/217.html

That didn't help much, so I went to look at what the code actually does.


A universal gate is simply the NAND gate from digital circuits; the derivation below writes it in the equivalent NOR form, Nor.

Nor(a,b) = ~a & ~b

Not(a) = ~a = ~a & ~a = Nor(a,a)

Or(a,b) = a | b = ~(~a & ~b) = Nor(Nor(a,b),Nor(a,b))

And(a,b) = a & b = ~~a & ~~b = Nor(Nor(a,a),Nor(b,b))

Xor(a,b) = (~a & b) | (a & ~b) = (0 | (a & ~b)) | (0 | (b & ~a)) = (a & (~a | ~b)) | (b & (~a | ~b)) = (~a | ~b) & (a | b) = ~(a & b) & ~(~a & ~b) = Nor(And(a,b),Nor(a,b)) = Nor(Nor(Nor(a,a),Nor(b,b)),Nor(a,b))

Aryb1n's script 😂, borrowed directly to learn from:

#!/usr/bin/python
import capstone as cs

# Read the PE as bytes; the gate network is a long run of identical
# 20-byte instruction groups starting at file offset 0x7E0.
with open('KCTF2020-Totoro/Totoro2020.exe', 'rb') as f:
    raw = f.read()

l = 0x078E489 - 0x01113E0   # size of the gate region (span of virtual addresses)
st = 0x7E0                  # file offset where the region begins
ed = st + l
code = raw[st:ed]

md32 = cs.Cs(cs.CS_ARCH_X86, cs.CS_MODE_32)

def getNand(addr):
    # each gate is one 20-byte group of instructions (0x17 - 0x3 = 20)
    op1 = ""
    op2 = ""
    res = ""
    for i in md32.disasm(code[addr:addr + 20], addr):
        sop = i.op_str
        if "byte" in sop:
            # the slice offsets depend on capstone's exact operand formatting:
            # the first two byte-ptr operands are the inputs, the third is the output
            if not op1:
                op1 = sop[19:19 + 3]
            elif not op2:
                op2 = sop[19:19 + 3]
            else:
                res = sop[15:15 + 3]
    print("{} = {} Nand {}".format(res, op1, op2))

cur_addr = 0x3
for i in range((l - 3) // 20):
    getNand(cur_addr)
    cur_addr += 20
8b9 = 949 Nand 992
9dc = 8b9 Nand 949    // 9dc = (949 Nand 992) Nand 949
8b9 = 8b9 Nand 992    // 8b9 = (949 Nand 992) Nand 992
8b9 = 8b9 Nand 9dc    // 8b9 = ((949 Nand 992) Nand 992) Nand ((949 Nand 992) Nand 949)
                      // i.e. 8b9 = 949 xor 992
9dc = 949 Nand 992    // half adder
9dc = 9dc Nand 9dc    // 9dc = (949 Nand 992) Nand (949 Nand 992) = 949 and 992

Half adder truth table:

Addend A  Addend B  C  S
0         0         0  0
1         0         0  1
0         1         0  1
1         1         1  0

S = A ^ B, C = A & B


Once addition is identified, it is a short step to guessing that the larger structure is multiplication, and the very first part is then a squaring.

The modulus is 4321040810422309623323; continuing the analysis, the whole thing boils down to x^27 = 556372 mod n.

Then apply Euler's theorem: (x^27)^y = x = 556372^y (mod n), which gives 4A3A9740B735704562.
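As an added example (not code from the writeup or from Aryb1n's script), the Python below replays the six-line NAND trace above for all four input bit pairs, confirming that cell 8b9 ends up as A xor B (sum) and cell 9dc as A and B (carry), and then carries out the Euler-theorem root recovery on a constructed toy modulus (primes 1013 and 1019 chosen here, not the challenge's n, whose factors the writeup does not give).

```python
# Added example (not the writeup's or Aryb1n's code): replay the NAND trace
# printed by getNand() for all four input bit pairs, then invert x^e = c (mod n)
# with Euler's theorem on a constructed toy modulus with known factors.
from itertools import product
from math import gcd

# Six trace lines in exactly the "dst = src1 Nand src2" format the script prints.
HALF_ADDER_TRACE = """\
8b9 = 949 Nand 992
9dc = 8b9 Nand 949
8b9 = 8b9 Nand 992
8b9 = 8b9 Nand 9dc
9dc = 949 Nand 992
9dc = 9dc Nand 9dc
"""

def nand(a, b):
    return 1 - (a & b)

def run_trace(trace, cells):
    """Execute each 'dst = a Nand b' line in order against a dict of cell values."""
    mem = dict(cells)
    for line in trace.splitlines():
        if not line.strip():
            continue
        dst, expr = (s.strip() for s in line.split("="))
        a, b = (s.strip() for s in expr.split("Nand"))
        mem[dst] = nand(mem[a], mem[b])
    return mem

def half_adder_table():
    """Truth table {(A, B): (C, S)} recovered from the trace, with A=949, B=992."""
    table = {}
    for a, b in product((0, 1), repeat=2):
        mem = run_trace(HALF_ADDER_TRACE, {"949": a, "992": b})
        table[(a, b)] = (mem["9dc"], mem["8b9"])  # carry, sum
    return table

def is_half_adder(table):
    return all(cs == (a & b, a ^ b) for (a, b), cs in table.items())

def recover_root(c, e, p, q):
    """Solve x^e = c (mod p*q): x = c^d mod n with d = e^-1 mod phi(n) (Euler)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    return pow(c, pow(e, -1, phi), n)

if __name__ == "__main__":
    print(half_adder_table(), is_half_adder(half_adder_table()))
    p, q = 1013, 1019          # constructed toy primes, not the challenge's n
    print(recover_root(pow(556372, 27, p * q), 27, p, q) == 556372)
```

For the real challenge the same recover_root step needs phi(n) of 4321040810422309623323, i.e. its factorization, which the writeup does not show.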


Author: L0x1c
Link: https://l0x1c.github.io/2020/05/11/2020-5-11/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.