ciscn2024初赛部分题目复现

gdb_debug

64位ida反编译，将主要加密部分使用chatgpt写成更容易理解的python形式如下：

def encrypt_string(s):v17 = []for i in range(len(s)):v17.append(ord(s[i]) ^ rand_1[i])ptr = list(range(len(s)))for k in range(len(s) - 1, 0, -1):v18 = rand_2[len(s)-k-1]ptr[k], ptr[v18] = ptr[v18], ptr[k]v31 = []for m in range(len(s)):v31.append(v17[ptr[m]])for n in range(len(s)):v31[n] = rand_3[n] ^ v31[n]for n in range(len(s)):v31[n] = asc_55AE330010A0[n] ^ v31[n]return v31

ida配合kali远程动态调试，扒下来随机数。

以上产生的随机数无法直接得到，只能使用操作前后的数值再次异或得到，其他部分的随机数都有变量存储，可以直接得到数值。
异或前：

异或后：

获得该部分随机数的代码如下：

hex_pairs = ["06^d8", "4a^e0", "5b^19", "14^e8", "c4^cd", "77^9f", "df^6d", "63^65","b5^b8", "82^11", "e0^81", "3c^c8", "4a^6e", "99^d0", "ce^db", "f9^f8","bc^6b", "52^f9", "79^7d", "ca^d2", "19^d6", "3c^d5", "da^0f", "1f^89","2d^1e", "fe^34", "93^6a", "ef^c5", "a3^fd", "2b^c1", "c4^e9", "1a^26","44^d0", "d5^ba", "c2^fa", "04^99", "bf^e7", "ec^06"
]results = []
for pair in hex_pairs:hex1, hex2 = pair.split('^')dec1 = int(hex1, 16)dec2 = int(hex2, 16)result = dec1 ^ dec2results.append(hex(result)[2:].upper())print(results)

这里其实不用一个一个扒下来，随机数种子的设置如下：

v3 = time(0LL);
srand(v3 & 0xF0000000);

也就是说在在 2^28 秒内，随机数都会维持一个相同的序列，时长换算成年，最高位是十万，有生之年都不会变。

另外因为windows和linux下的随机数生成过程不一样，一定要使用linux运行才能得到相同数值。

exp如下：

rand_1 = [0xd9, 0x0f, 0x18, 0xbd, 0xc7, 0x16, 0x81, 0xbe, 0xf8, 0x4a,0x65, 0xf2, 0x5d, 0xab, 0x2b, 0x33, 0xd4, 0xa5, 0x67, 0x98,0x9f, 0x7e, 0x2b, 0x5d, 0xc2, 0xaf, 0x8e, 0x3a, 0x4c, 0xa5,0x75, 0x25, 0xb4, 0x8d, 0xe3, 0x7b, 0xa3, 0x64
]rand_2 = [0x21, 0x00, 0x0a, 0x00, 0x20, 0x1f, 0x0a, 0x1d, 0x09, 0x18,0x1a, 0x0b, 0x14, 0x18, 0x15, 0x03, 0x0c, 0x0a, 0x0d, 0x02,0x0f, 0x04, 0x0d, 0x0a, 0x08, 0x03, 0x03, 0x06, 0x00, 0x04,0x01, 0x01, 0x05, 0x04, 0x00, 0x00, 0x01
]rand_3 = [0xDE, 0xAA, 0x42, 0xFC, 0x09, 0xE8, 0xB2, 0x06, 0x0D, 0x93,0x61, 0xF4, 0x24, 0x49, 0x15, 0x01, 0xD7, 0xAB, 0x04, 0x18,0xCF, 0xE9, 0xD5, 0x96, 0x33, 0xCA, 0xF9, 0x2A, 0x5E, 0xEA,0x2D, 0x3C, 0x94, 0x6F, 0x38, 0x9D, 0x58, 0xEA
]asc_55AE330010A0 = [0xBF, 0xD7, 0x2E, 0xDA, 0xEE, 0xA8, 0x1A, 0x10, 0x83, 0x73,0xAC, 0xF1, 0x06, 0xBE, 0xAD, 0x88, 0x04, 0xD7, 0x12, 0xFE,0xB5, 0xE2, 0x61, 0xB7, 0x3D, 0x07, 0x4A, 0xE8, 0x96, 0xA2,0x9D, 0x4D, 0xBC, 0x81, 0x8C, 0xE9, 0x88, 0x78
]def decrypt_string(s):v31 = []for n in range(len(s)):v31.append(asc_55AE330010A0[n] ^ ord(s[n]))for n in range(len(s)):v31[n] = rand_3[n] ^ v31[n]ptr = list(range(len(s)))for k in range(len(s) - 1, 0, -1):v18 = rand_2[len(s)-k-1]ptr[k], ptr[v18] = ptr[v18], ptr[k]v17 = [None] * len(s)for m in range(len(s)):v17[ptr[m]] = v31[m]result = []for i in range(len(s)):result.append(v17[i] ^ rand_1[i])return results2 = "congratulationstoyoucongratulationstoy"
s2_list = list(s2)result = decrypt_string(s2_list)
flag = ''.join(chr(result[j]) for j in range(len(result)))
print(flag)
# flag{78bace5989660ee38f1fd980a4b4fbcd}