[Original][Question 9] 歧路亡羊 write-up
2020-5-6 14:40 3720
歧路亡羊: team 98k write-up

Treasures abound where the dragon's light shines on the land of Jingzhou; heroes arise where the Taoist of Dongting lowers his couch. Now and then one hears of the Way, and Half-Blind is skilled in the art of defense. My own grasp of the Way is shallow, and I hoped to call on Half-Blind and receive his divine art. Alas, I had neither name nor skill, and knew not how to gain an audience. Then I heard that Kanxue holds a contest in the Way of software attack and defense, its hall full of honored guests, welcoming every scholar, and that the Taoist Half-Blind had brought the fruit of many years of devoted practice, a defense no one could break, to lay before the public. I rejoiced, yet I had no dragon-slaying sword and no mastered art; how could I face these fellow travellers of the Way? Dejected, I searched far and wide for heroes in the wild, roster in hand, seeking like-minded companions. After painstaking search I obtained a divine artifact: one pizza. To do a job well one must first sharpen one's tools, and with pizza's help I could surely show my skill at Half-Blind's mansion. I rejoiced greatly, and what I went through is recorded in detail in this book.

A record of testing the Taoist Half-Blind's immortal art

pizza is most skilled in the art of breaking things. I stood by in attendance and watched pizza use x64dbg to log what the functions computed, first with the data set entirely to 0x00 and then entirely to 0xff, until pizza had captured all of Half-Blind's computations. pizza then examined the form of Half-Blind's art: though it bewilders the mind, it still has telltale features. pizza noted these in detail alongside, watched carefully after each breakpoint, and from the log learned which of the operations were real and which were decoys. Then pizza traced back through the stack region in search of clues; a global variable appeared there, and with that the whole of Half-Blind's little trick was laid bare. pizza broke it alone; I gave no help at all, to my great shame. pizza obtained one peculiar construction and asked me, "Can this be solved?" I examined it over and over, and saw that pizza had recorded it thus.

zero = [
0x4D09AF3ABCA28A8D,
0x9FE10506A2C9A9A,
0xD2CAE855C068E1E1,
0x8E86479F6E6A694,
0x6A4BD5F20EFD8499,
0xA0449A4DF2C0F524,
0x61B1EE4C89A1C74A,
0x3E2A0CF5AFC54669,
0xBCC700EAD1995E75,
0x281876D27FDD03C6,
0x601A1255813ADF30,
0xF507E8AC585A4E42,
0xF81BB1D3980A2FA4,
0x18E55A56CA0AD2C7,
0xAAD9CFC2182BEBA0,
0xEEE198AABDBE8A18,
0x63FF598FDA7E7D6F,
0xE15CE23DF925822A,
0xBC36E215B5689224,
0xB7800C9EBAE07702,
0x80931FC6D227F8DC,
0x3F8DF570B658B85D,
0x7BA207CB52F24E88,
0x6A633F82966E82AB,
0x75E0B5660623690F,
0xCC9148B45107B5C9,
0x586B216EF43AD48E,
0xA96B5A8AFF1878F3,
0x87762DB8DCE9B73C,
0x6FA7015E6BB367B6,
0xBFD039B8B4F29C94,
0x7EE7E8FD8040BD86,
0x5A0CE9D5D3AF4435,
0xBB3113E0107ADEDC,
0x3E7FFB6F3748AE83,
0xA1F7BF0929977159,
0xC269314AC1FEA8E7,
0x5C064C38F21BC241,
0x120D6129A85D8E4B,
0xFCA8B3EE674F2565,
0x97C2F6A547610C57,
0x1619A76F4EBE3D6,
0x508180C897BA2FC6,
0x9E6749482573B96D,
0x3FF6CC85C6A56601,
0x7F9A7AE568EBFFB8,
0xBFEFF562CE0D5D58,
0x294B87E2897091D2,
0x1C117BA895F600EE,
0xBFBE146E10193B6E,
0x8AB612550AA8E1AB,
0xDCC914BED9036F0D,
0xBA1343A95D820BA9,
0x2F55690A4CACCA44,
0x5B57CE14DACA37FC,
0x29D2BFF018B00740,
0xA8A8FF75703DD709,
0xF587AAEF1F9516F,
0xF50617B128A0071E,
0xFBD4FD51CEA9D12B,
0x7E1F54E20AFC1CD9,
0x90148276BF1E5D49,
0x527EA699DE716460,
0x34F21BFC6D7943B3,
]

one = [
0x3796F61D3F496D9A,
0xFA62CE8FF9D33901,
0xC4F9550241FDFFA3,
0x8ACDD6E445EFBD97,
0x30A83415D047FB98,
0x73957581242C53D,
0xAF82609DE0AEC05C,
0xAD063DBEB266AF43,
0x435068F420FA4FF0,
0xCE6C8C612BD1E439,
0x1D3D3C45D52394CF,
0x1FA5D059C60AA3E3,
0x3C4D092D773B3A2E,
0x97BF010CCFF099F9,
0x5C35272C4834AD4D,
0x8A18F8556F480632,
0x1A9B941774F6CDF4,
0x3C73B45AE0CDBA4,
0xB93D7864763E24E6,
0x6A0ECDEBB77CD18F,
0x69295501BE7EC046,
0x7A530DC89A3FCD12,
0x253E5D6E09849A46,
0xE6DE159244D58711,
0xD1245D0E166D6484,
0x88520272CC6E4A8D,
0x5F78D84D7401F1B9,
0x821447502D8F83A5,
0x5C9D9EE1F131C160,
0xECE764A468850EF,
0xC4769184600CF71,
0xCC566B2C807D1B84,
0x4DC8AFA3B4485576,
0x9D73EA268C866AC8,
0x8133D136D4F81831,
0x1F3C37467929918B,
0x9C2BCA2EA39C691F,
0xD69F4D2FC2D45B9E,
0xD5B60F964288FD32,
0xE9E70AFED5EE6CBF,
0xA45472C49BED802F,
0x4549C58141A7CCC9,
0x4659FD56784637A8,
0xAB69D618D946FFA,
0x49F2759549998302,
0xBFC400DFEF2928C8,
0xFA1507576A21B1AE,
0x381BA1BD97727CDD,
0x2AF20C4B4D98CF16,
0xA5141F6DDE5BE4F0,
0x2BD13515C74A6B36,
0x584603B14F9C07BE,
0x404CEC02BC8B778A,
0xB56620E4E50ED47C,
0x79467C2907B00174,
0xF6BA88D86FE38A7F,
0x7C592711E4673A1E,
0x32252E609065990A,
0xAD8E364386CBA8D4,
0xCE5280D041F19AAA,
0xFB738CEFCB4EBE76,
0xA44396F44F4B69B8,
0x717B237316B0728,
0xA2D352BA607243F5,
]

pair = [
(0x4, 0x20), 
(0x5, 0x40), 
(0x2, 0x1), 
(0x5, 0x20), 
(0x3, 0x8), 
(0x1, 0x4), 
(0x4, 0x1), 
(0x7, 0x8), 
(0x0, 0x20), 
(0x0, 0x4), 
(0x5, 0x4), 
(0x1, 0x80), 
(0x1, 0x2), 
(0x7, 0x10), 
(0x6, 0x1), 
(0x0, 0x10), 
(0x5, 0x1), 
(0x4, 0x8), 
(0x7, 0x2), 
(0x2, 0x40), 
(0x3, 0x10), 
(0x3, 0x40), 
(0x6, 0x20), 
(0x6, 0x4), 
(0x6, 0x80), 
(0x7, 0x4), 
(0x1, 0x1), 
(0x7, 0x80), 
(0x1, 0x20), 
(0x1, 0x10), 
(0x0, 0x8), 
(0x5, 0x80), 
(0x2, 0x2), 
(0x1, 0x8), 
(0x6, 0x10), 
(0x3, 0x80), 
(0x1, 0x40), 
(0x2, 0x10), 
(0x7, 0x20), 
(0x3, 0x20), 
(0x4, 0x80), 
(0x2, 0x8), 
(0x3, 0x4), 
(0x6, 0x2), 
(0x0, 0x1), 
(0x0, 0x80), 
(0x6, 0x40), 
(0x2, 0x4), 
(0x0, 0x2), 
(0x7, 0x40), 
(0x0, 0x40), 
(0x4, 0x10), 
(0x4, 0x40), 
(0x5, 0x10), 
(0x2, 0x80), 
(0x5, 0x8), 
(0x2, 0x20), 
(0x3, 0x2), 
(0x5, 0x2), 
(0x4, 0x2), 
(0x3, 0x1), 
(0x4, 0x4), 
(0x7, 0x1), 
(0x6, 0x8), 
]

out = 0
val = [0xD0, 0x8E, 0x85, 0x01, 0xBF, 0x45, 0x04, 0x6A] # input
val = [0x30 for i in range(8)]  # eight 0x30 ('0') bytes; this overwrites the input above
for i in range(64):
    x, y = pair[i]       # pair[i] = (byte index, bit mask) selecting one input bit
    x = 7 - x            # the bytes are indexed from the other end of the 64-bit word
    if val[x] & y == y:  # selected bit set   -> XOR in one[i]
        out ^= one[i]
    else:                # selected bit clear -> XOR in zero[i]
        out ^= zero[i]

print(hex(out))
print(len(one))          # sanity check: both tables hold 64 entries
# per bit: zero*(1-x)+one*x, i.e. an affine map over GF(2)

I studied this art. Though it cannot be exhausted by brute force, the depth of its construction is hidden from those who have not heard of it: Half-Blind is deeply versed in the art of defense, and just as deeply versed in the way of mathematics. I turned to sage. I knew this to be arithmetic in a ring of integers; though it cannot be solved in closed form, over the integers mod 2 (that is, GF(2)) it yields to the art of matrices, with Gauss to assist, and the inverse can surely be found.

a=(M_zero * one_vector) + ((M_zero + M_one)*x_input)

Substitute the input through the single table and it becomes the input of the formula, which is then solved. Knowing a little of the way of mathematics, I could rearrange it so that from the output one arrives back at the input.

temp_input = (~(M_zero + M_one))*(the_hex - (M_zero * one_vector))

With the inverse in hand, pizza finished in one breath and obtained the solution. By the time pizza and I had solved it, it was the hour of Yin (3 to 5 a.m.) on the third day. That auspicious hour aided us: the Yin tiger catches the lost sheep, the favor of heaven, earth and men all at once.
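Below is an added example (not the team's or the challenge's code) that carries the inversion described above through in plain Python instead of sage: forward() is the check exactly as the pair/zero/one loop computes it, and recover() builds the GF(2) system out = M_zero*one_vector + (M_zero + M_one)*x and solves it by Gauss-Jordan elimination. The ZERO, ONE and PAIR tables here are constructed random stand-ins, not the challenge's constants; passing the real zero/one/pair lists from the write-up as the arguments of recover() yields the actual input.

```python
import random
from functools import reduce

# Constructed stand-in tables, NOT the challenge's real zero/one/pair values.
_rng = random.Random(2020)
ZERO = [_rng.getrandbits(64) for _ in range(64)]
ONE = [_rng.getrandbits(64) for _ in range(64)]
PAIR = [(b, 1 << k) for b in range(8) for k in range(8)]
_rng.shuffle(PAIR)

def forward(val, zero=ZERO, one=ONE, pair=PAIR):
    """The check as the write-up describes it: XOR one[i] or zero[i] per bit."""
    out = 0
    for i, (x, y) in enumerate(pair):
        out ^= one[i] if val[7 - x] & y else zero[i]
    return out

def solve_gf2(cols, rhs, n=64):
    """Gauss-Jordan over GF(2) for M*x = rhs, column j of M being the n-bit int
    cols[j]. Returns x as an int (bit j = x_j, free variables 0) or None."""
    # Row r packed as an int: bit j (j < n) is M[r][j], bit n is rhs[r].
    rows = [sum(((c >> r) & 1) << j for j, c in enumerate(cols))
            | (((rhs >> r) & 1) << n) for r in range(n)]
    pivot_row, rank = {}, 0
    for col in range(n):
        piv = next((i for i in range(rank, n) if (rows[i] >> col) & 1), None)
        if piv is None:
            continue                      # no pivot: x_col is a free variable
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(n):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        pivot_row[col], rank = rank, rank + 1
    if any(rows[i] == 1 << n for i in range(rank, n)):
        return None                       # a "0 = 1" row: no solution
    return sum(((rows[r] >> n) & 1) << col for col, r in pivot_row.items())

def recover(target, zero=ZERO, one=ONE, pair=PAIR):
    """Invert forward(): out = c XOR M*x, with c = XOR of all zero[i] (the
    write-up's M_zero*one_vector) and column i of M = zero[i] ^ one[i]."""
    c = reduce(lambda a, b: a ^ b, zero, 0)
    x = solve_gf2([z ^ o for z, o in zip(zero, one)], target ^ c)
    if x is None:
        return None
    val = [0] * 8                          # rebuild the 8 input bytes from x
    for i, (b, mask) in enumerate(pair):
        if (x >> i) & 1:
            val[7 - b] |= mask
    return val
```

When (M_zero + M_one) is singular the solver still returns one preimage with the free bits set to zero, so always confirm a recovered input by running it back through forward().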

Afterword

For the debugging, see ccfer dalao's write-up; ours differs little from it. That our team could solve this question is entirely pizza's doing; my job was serving the tea.
Last edited 2020-5-6 14:42 by 全盲法师.