FizzBuzz101 was innocently writing a new, top-secret compiler when his computer was Crowdstriked. Worse, the recovery key is behind a hasher that he wrote and compiled himself, and he can’t remember how the bits work! Can you help him get his life’s work back? FizzBuzz101 正在无辜地编写一个新的绝密编译器,这时他的电脑遭到了 Crowdstriked。更糟糕的是,恢复密钥在他自己编写和编译的哈希器后面,他不记得这些位是如何工作的!你能帮他找回他一生的工作吗?
一
初步分析
mov byte ptr [rax+x], 1
x范围是120h到13Fh
mov byte ptr [rax+x], 0
x范围是0FA0h到101Fh
mov cl, [rax+0FA0h]
or cl, [rax+100h]
mov [rax+0], cl
mov byte ptr [rax+x], y
赋值0或1
二
main函数逻辑
/*
 * Decompiler view of the flag checker.  Reads one line at a time, validates the
 * outer flag format, unpacks the candidate into a one-byte-per-bit "VM memory"
 * (v3), and finally compares a packed 64-bit value against a constant.
 * NOTE(review): the "\n" escapes in the string literals below appear to have
 * lost their backslash in transcription ("Welcome!nPlease", strcspn(s, "n"),
 * "Nice!n"); the binary presumably uses real newline characters.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
// ...
puts("Welcome!nPlease enter the flag here: ");
v3 = calloc(1uLL, (size_t)byte_186A0);   // VM memory: one byte per bit cell, byte_186A0 bytes, zero-initialised
v22 = __ctype_b_loc();                    // glibc ctype class table, used for the per-character class check below
while ( 1 )
{
memset(s, 0, 1000);
fgets(s, 999, stdin);
v4 = strcspn(s, "n");                     // v4 = input length up to the (presumed) newline
s[v4] = 0;
// Outer format: "corctf{" prefix, '}' as last character, and two equal-character pairs in the body
if ( !memcmp("corctf{", s, 7uLL) && v4 > 1 && s[v4 - 1] == '}' && s[8] == s[17] && s[9] == s[11] )
{
v5 = s[7];                                // first body character; v5 is the character currently being unpacked
if ( s[7] == s[16] + 1 && s[14] == s[16] + 4 )   // two further linear relations between body characters
{
v6 = &s[8];                               // next character to fetch (s[7] is already in v5)
v7 = v3 + 0x940;                          // write cursor: the input's bit cells start at v3[0x940]
v8 = *v22;
if ( ((*v22)[s[7]] & 8) != 0 )            // class mask 8 is glibc's _ISalnum, i.e. isalnum() -- confirm against the target libc
{
while ( 1 )
{
v9 = v7;
v10 = 7;
do
{
v11 = v5 >> v10--;
*v9 = v11;
*v9++ &= 1u;
}
while ( v10 != -1 );                      // split the character into 8 bit cells, MSB first (bit 7 lands in cell +0)
v7 += 8;
if ( &s[18] == v6 )                       // loop covers s[7]..s[17]: 11 characters -> 88 cells, 0x940..0x997
break;
v5 = *v6++;                               // v5 walks s[7]..s[17] (s[0]..s[6] are the fixed "corctf{")
if ( (v8[(char)v5] & 8) == 0 )            // every body character must pass the same class check
goto LABEL_14;
}
v3[0x998] = 1;                            // constant-1 cell directly after the last input bit
for ( i = 0LL; i != 64; ++i )
v3[i + 0xB00] = ((0x8000000000000000LL >> i) & 0x5800000000000000LL) != 0;   // 64 constant cells, MSB first: only 0xB01, 0xB03, 0xB04 are 1
memset(v3 + 0x120, 1, 32uLL);             // constant-1 cells 0x120..0x13F (author's note: code from the [0x1290,0xED854) region)
memset(v3 + 0xFA0, 1, 128uLL);            // constant-1 cells 0xFA0..0x101F (author's note: code from the [0x1290,0xED854) region)
// Pack the first 128 bit cells of v3 into four 32-bit words, MSB first, stored at v24 - 16 + 4*word.
// The hashing code that fills cells 0..127 is not shown in this listing.
v13 = v3;                                 // read cursor over the bit cells
v14 = 0;                                  // accumulator for the word being built
v15 = 0;                                  // number of cells consumed so far
for ( j = 0LL; ; v14 = *(_DWORD *)&v24[4 * (v15 >> 5) - 16] )   // each new word starts from what is already stored there (presumably 0)
{
v16 = 0LL;
v17 = v15 >> 5;                           // index of the word being built
do
{
v18 = (char)v13[v16];
v19 = 0x80000000 >> v16++;
v14 |= v19 * v18;                         // a cell value of 1 selects the bit, 0 leaves it clear
}
while ( v16 != 32 );
v15 += 32;
v13 += 32;
*(_DWORD *)&v24[4 * v17 - 16] = v14;
if ( v15 == 128 )
break;
}
// Accept only if the 64 bits next to j on the stack (the packed words, via the aliasing above -- confirm) equal the constant.
if ( *((_QWORD *)&j + 1) == 0x14353CE419C603BALL )
break;
}
}
}
LABEL_14:
puts("Try again: ");
}
puts("Nice!n");
// ...
}
三
分析位运算虚拟机
def f():
    """8-bit ripple-carry adder expressed as cell-level bit operations.

    Works on the global array ``d`` (one 0/1 value per cell): the operand at
    cells 0x80..0x87 is added to the operand at cells 0x00..0x07 and the 8-bit
    sum is written to cells 0xA0..0xA7.  Bit order is MSB-first, so cell +7 is
    the least significant bit and the carry ripples from +7 down to +0.
    Cells 0xB40 (running carry) and 0xB41 (a ^ b of the current bit) are the
    scratch cells and are left holding the values of the final step, exactly
    as the straight-line form does.
    """
    global d
    # Least significant bit (cell +7): half adder, no carry in.
    d[0xA7] = d[0x87] ^ d[0x7]
    d[0xB40] = d[0x87] & d[0x7]
    # Remaining bits from +6 down to +0: full adder with carry in d[0xB40].
    for k in range(6, -1, -1):
        d[0xB41] = d[0x80 + k] ^ d[k]
        d[0xA0 + k] = d[0xB41] ^ d[0xB40]
        if k:
            # carry_out = (a & b) | ((a ^ b) & carry_in); the top bit needs no carry out.
            d[0xB40] = (d[0x80 + k] & d[k]) | (d[0xB41] & d[0xB40])
四
反编译
五
gpu爆破
看雪ID:wx_御史神风
https://bbs.kanxue.com/user-home-907036.htm
原文始发于微信公众号(看雪学苑):corCTF 2024:位运算虚拟机及gpu hash爆破