
[原创]第6题

2017-11-5 03:25
1784
 

16 <= len(sn) <= 24

; Input loop: getchar() is called until a '\n' arrives or 0x1C (28) characters have been
; stored; each character is written to buf[esi] (buf = [esp+104h+var_B4]).
.text:00402723                 call    edi ; getchar
.text:00402725                 cmp     al, 0Ah         ; '\n' terminates the input
.text:00402727                 mov     [esp+esi+104h+var_B4], al
.text:0040272B                 jz      short loc_402735 ; jump without incrementing esi, so esi == count of non-'\n' chars
.text:0040272D                 add     esi, 1
.text:00402730                 cmp     esi, 1Ch        ; hard cap: at most 28 characters are ever stored
.text:00402733                 jl      short loc_402723
; esi == len(sn); the slot holding the '\n' (or slot 28) is overwritten with the NUL terminator.
.text:00402735                 mov     [esp+esi+104h+var_B4], 0
.text:0040273A                 add     esi, 0FFFFFFF0h ; esi -= 16
.text:0040273D                 cmp     esi, 8
.text:00402740                 ja      loc_4029DD      ; unsigned compare: (len-16) > 8 rejects len < 16 and len > 24, i.e. 16 <= len <= 24

des加密, 其中多个常数表被替换

key="*2017*10"
des_cbc_encrypt(sn, key)

.text:00402771                 call    des_cbc_encrypt

.data:0045AE9C PC1_Table
.data:0045AED4 LOOP_Table
.data:0045AEE4 PC2_Table
.data:0045AF18 IP_Table
.data:0045AF58 E_Table
.data:0045AF88 P_Table
.data:0045AFA8 IPR_Table
.data:0045AFE8 S_Box

sn 每个字节的高4位与低4位互换, 再转换为16进制字符串

.text:004027B0                 push    esi
...
.text:00402806                 jb      short loc_4027B0

sn计算

.text:00402808                 call    mirvar
...
.text:00402876                 call    sub_4022E0

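/* Reconstruction of the MIRACL big-number stage (mirvar ... sub_4022E0 at 0x402808-0x402876):
 * computes sn = ((sn * 173 * 1817)^2 - 1001) * 317 on the bytes of sn.
 * mirvar(n) allocates a big initialised to n; every operation writes its result in place. */
big x = mirvar(0);
big v = mirvar(173);
big y = mirvar(1817);
bytes_to_big(len, sn, x);   /* x = the len bytes of sn as one big integer */
multiply(x, v, x);          /* x = sn * 173 */
fft_mult(x, y, y);          /* y = x * 1817 */
power(y, 2, y);             /* y = y^2 */
decr(y, 1001, y);           /* y = y - 1001 */
v = mirvar(317);            /* the original line lacked the ';'. The earlier big held in v is not
                             * released (mirkill) before being replaced - fine for a reconstruction */
multiply(y, v, y);          /* y = y * 317; per the author, sub_4022E0 does this step with C floating-point routines */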

sn=((sn*173*1817)^2-1001)*317
sn=reverse(sn)

lua jit计算

; Host-side Lua setup. esi holds the lua_State* throughout.
; luaL_loadbuffer(L, byte_45A578, 0x917, "luajit2.1.0-beta3"): loads the 0x917-byte chunk at
; byte_45A578 under that chunk name (whether it is source or pre-compiled bytecode is not visible here).
.text:004028F0                 push    offset aLuajit210Beta3 ; "luajit2.1.0-beta3"
.text:004028F5                 push    917h            ; a3
.text:004028FA                 push    offset byte_45A578 ; a2
.text:004028FF                 push    esi             ; a1
.text:00402900                 call    luaL_loadbuffer
; luaJIT_setmode(L, 0, 0)
.text:00402905                 push    0
.text:00402907                 push    0
.text:00402909                 push    esi
.text:0040290A                 call    luaJIT_setmode
; lua_pcall(L, 0, 0, 0): runs the loaded chunk so its globals (e.g. myst) get defined.
.text:0040290F                 push    0               ; a4
.text:00402911                 push    0               ; a3
.text:00402913                 push    0               ; a2
.text:00402915                 push    esi             ; a1
.text:00402916                 call    lua_pcall
.text:0040291B                 add     esp, 2Ch
.text:0040291E                 test    eax, eax
.text:00402920                 jnz     short loc_40296F ; non-zero status = load/run error -> bail out
; lua_pushstring(L, ebp); ebp presumably points at the transformed sn string (author: xut = sn) - confirm from the caller
.text:00402922                 push    ebp
.text:00402923                 push    esi
.text:00402924                 call    lua_pushstring
; lua_setfield(L, -10002, "xut"): -10002 is LUA_GLOBALSINDEX in Lua 5.1 / LuaJIT, so this sets global xut
.text:00402929                 push    offset aXut     ; "xut"
.text:0040292E                 push    0FFFFD8EEh
.text:00402933                 push    esi
.text:00402934                 call    lua_setfield
; lua_getfield(L, LUA_GLOBALSINDEX, "myst"): pushes global myst
.text:00402939                 push    offset aMyst    ; "myst"
.text:0040293E                 push    0FFFFD8EEh
.text:00402943                 push    esi
.text:00402944                 call    lua_getfield
; lua_pcall(L, 0, 1, 0): calls myst() with no arguments, expecting one result
.text:00402949                 push    0               ; a4
.text:0040294B                 push    1               ; a3
.text:0040294D                 push    0               ; a2
.text:0040294F                 push    esi             ; a1
.text:00402950                 call    lua_pcall    
...
; Fetch myst()'s result from the top of the stack (index -1).
; NOTE(review): lua_tonumber returns a double (x87 st0 on x86), yet eax is tested right after it;
; the symbol may actually be lua_isnumber (which returns int) - confirm against the import/symbol table.
.text:00402986                 push    0FFFFFFFFh      ; a2
.text:00402988                 push    esi             ; a1
.text:00402989                 call    lua_tonumber
.text:0040298E                 add     esp, 8
.text:00402991                 test    eax, eax
.text:00402993                 jz      short loc_4029A2 ; not a number -> take the fallback value below
; lua_tointeger(L, -1): eax = myst()'s result as an integer
.text:00402995                 push    0FFFFFFFFh      ; a2
.text:00402997                 push    esi             ; a1
.text:00402998                 call    lua_tointeger
.text:0040299D                 add     esp, 8
.text:004029A0                 jmp     short loc_4029A6
.text:004029A2                 mov     eax, [esp+104h+var_F0] ; fallback: a local whose origin is outside this excerpt
.text:004029A6                 test    eax, eax
.text:004029A8                 jz      short loc_4029B1 ; result 0 -> failure path; non-zero (author: myst()==1) -> ok

xut=sn
if myst()==1 then ok

-- Pseudocode of the Lua-side check. xut is the global the host sets to the transformed sn
-- (see lua_setfield "xut"); myst() returns 1 when the final value matches the constant.
-- NOTE(review): expected is a ~139-digit integer, far beyond exact double range, and xut
-- arrives as a string - the chunk presumably does big-number arithmetic on it; confirm from the bytecode.
myst():
    x=xut
    x+=101*1001+(10101+1001*99)*100                   -- the constant folds to 11021101
    x*=983751509373
    x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16  -- the constant folds to 57360225
    x=(x+1)*2
    expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904
    if (x==expected) return 1
    else return 0

lua jit分析

根据luaJIT_setmode定位到lj_dispatch_update函数
从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs
在lj_vm_asm_begin+lj_bc_ofs[i]处下断, 分析各个bytecode的功能

.text:0040AFCE                 call    lj_dispatch_update

; Four bytecode handler addresses are resolved as lj_vm_asm_begin + lj_bc_ofs[op].
; The movzx loads are 16-bit, so if lj_bc_ofs is uint16_t (as in the LuaJIT sources) the byte
; offsets 96h/9Ch/0A2h/0AAh select ops 75/78/81/85 - map them via this build's lj_bc.h before relying on that.
.text:0040ACA9                 movzx   esi, ds:lj_bc_ofs+96h
.text:0040ACB0                 movzx   edi, ds:lj_bc_ofs+9Ch
.text:0040ACB7                 movzx   ebp, ds:lj_bc_ofs+0A2h
.text:0040ACBE                 movzx   eax, ds:lj_bc_ofs+0AAh
.text:0040ACC5                 add     esi, offset lj_vm_asm_begin ; esi = handler for the first op
.text:0040ACCB                 add     edi, offset lj_vm_asm_begin ; edi = handler for the second op
.text:0040ACD1                 add     ebp, offset lj_vm_asm_begin ; ebp = handler for the third op
.text:0040ACD7                 add     eax, offset lj_vm_asm_begin ; eax = handler for the fourth op

KXCTF201710BYLoudy08


