2019/9/13 看雪CTF2019Q2 Problem 8: 迷雾中的琴声 (Sound of the Qin in the Mist) - 『CrackMe』 - 看雪安全论坛 (Pediy Security Forum)
https://bbs.pediy.com/thread-252071.htm
看雪CTF2019Q2 Problem 8: 迷雾中的琴声
The SN is 32 characters long.
hex2bin (uppercase hexadecimal only)
sn = hex2bin(sn);
sn ^= key;
Five threads are created, each doing its own computation.
The next round starts only after all five threads have finished the current round; there are 300 rounds in total.
Each thread updates two bytes of sn (a linear equation in two unknowns).
Save the two sn indices and the one intermediate variable used in each computation, so that the computation can be run backwards (the random numbers themselves do not need to be handled).
Computation process
风间仁, 2019-6-19 00:51
.text:00401250 call ds:GetWindowTextLengthA
.text:00401256 cmp eax, 20h
.text:00401259 jz short loc_401296
.text:00401299 call x_init_sn
.data:0040401C g_xor_key db 0E9h, 4Fh, 6Eh, 20h, 78h, 1Ah, 7, 0Fh, 0, 17h, 36h, 9, 0Ah, 7, 1Fh, 0Ch
.text:00401900 x_start_check
#include <windows.h>   // DWORD, WORD, BYTE
#include <string>
using std::string;

// Standard Marsaglia xorshift32 PRNG step (shift constants 13, 17, 5)
DWORD xorshift32(DWORD x)
{
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return x;
}
// m2, m3 (IDA names of the two intermediates). For a fixed a this is
// b ^ (b << 6) ^ const, a bijection in b, which is what makes the
// computation reversible.
DWORD transform1(DWORD a, DWORD b)
{
    DWORD m = a ^ (a >> 7);
    DWORD n = b ^ (m << 7);
    return m ^ b ^ (n << 6);
}
void swap8(BYTE& a, BYTE& b)
{
    BYTE t = a;
    a = b;
    b = t;
}
string g_temp_data;
// g_4045EC, g_rnd0/g_rnd1/g_rnd2, g_rnd_xorshift, g_thread_inited and g_h_ary
// are globals of the binary; their definitions are not captured on this page.
// The function header below was not captured either; name and signature are assumed.
void thread_worker(int id)
{
    WORD v_00;
    WORD v_01;
    WORD v_02;
    DWORD v_03;
    // wait for g_h_ary[id]
    if (g_thread_inited[id])
    {
        v_00 = (WORD)g_4045EC ^ g_rnd0[id];
        v_01 = (WORD)g_4045EC ^ g_rnd1[id];
        v_02 = (WORD)g_4045EC ^ g_rnd2[id];
        v_03 = g_4045EC ^ g_rnd_xorshift[id];
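As an added example (not the author's code or the crackme's own), the front end of the check described above (32 uppercase hex characters, hex2bin, XOR with g_xor_key from .data:0040401C) together with an inverse of the page's transform1: for a fixed a the mixer is linear in b over GF(2), so b can be recovered from the output, which is the property the inverse-computation approach relies on. How each thread combines transform1 with the two sn bytes is not shown on this page, so only the mixer itself is inverted here; sn_to_state, sn_state_byte, undo_xor_shl and transform1_inv are names chosen for this example.

```c
#include <stdint.h>
#include <string.h>
typedef uint32_t DWORD;
typedef uint8_t BYTE;
/* XOR key from .data:0040401C (g_xor_key on this page). */
static const BYTE g_xor_key[16] = {
    0xE9, 0x4F, 0x6E, 0x20, 0x78, 0x1A, 0x07, 0x0F,
    0x00, 0x17, 0x36, 0x09, 0x0A, 0x07, 0x1F, 0x0C };
/* Front end of the check: 32 uppercase hex chars -> 16 bytes, XOR key. 1 = ok, 0 = bad length or char. */
int sn_to_state(const char *sn, BYTE out[16])
{
    if (strlen(sn) != 32) return 0;              /* cmp eax, 20h */
    for (int i = 0; i < 16; i++) {
        BYTE v = 0;
        for (int j = 0; j < 2; j++) {
            char c = sn[2 * i + j];
            if (c >= '0' && c <= '9')      v = (BYTE)((v << 4) | (c - '0'));
            else if (c >= 'A' && c <= 'F') v = (BYTE)((v << 4) | (c - 'A' + 10));
            else return 0;                       /* lowercase hex is rejected */
        }
        out[i] = v ^ g_xor_key[i];
    }
    return 1;
}
/* One state byte for quick checks; -1 if the SN is rejected. */
int sn_state_byte(const char *sn, int i)
{
    BYTE st[16];
    return sn_to_state(sn, st) ? st[i] : -1;
}
/* Round mixer exactly as reconstructed on this page. */
DWORD transform1(DWORD a, DWORD b)
{
    DWORD m = a ^ (a >> 7);
    DWORD n = b ^ (m << 7);
    return m ^ b ^ (n << 6);
}
/* Inverse of y = x ^ (x << k): x = y ^ (y<<k) ^ (y<<2k) ^ ... (the shift is nilpotent on 32 bits). */
static DWORD undo_xor_shl(DWORD y, unsigned k)
{
    DWORD x = y;
    for (unsigned s = k; s < 32; s += k) x ^= y << s;
    return x;
}
/* Recover b from r = transform1(a, b) with a known: r = m ^ b ^ (b<<6) ^ (m<<13). */
DWORD transform1_inv(DWORD a, DWORD r)
{
    DWORD m = a ^ (a >> 7);
    return undo_xor_shl(r ^ m ^ (m << 13), 6);
}
```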