sus-ccc

Challenge link

The main function is simple, so go straight to the verification function:

v6 = 0;
if ( a2 != 42 )
  return 0;
for ( i = 3; i <= 42; i += 3 )
{
  v3 = crc32(0, (_BYTE *)a1, i);
  v4 = v6++;
  if ( v3 != hashes[v4] )
    return 0;
}
return 1;

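The input is 42 characters long. The loop passes the prefixes 1-3, 1-6, 1-9 and so on up to 1-42 through the crc32 function and compares each result with the corresponding value in hashes, for 14 comparisons in total. The crc32 function is as follows: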

v6 = a2;
for ( i = ~a1; ; i = (i >> 8) ^ crc32_tab[(unsigned __int8)(i ^ *v3)] )
{
  v4 = a3--;
  if ( !v4 )
    break;
  v3 = v6++;
}
return ~i;

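However, neither a brute-force script nor an inverse-computation script gave me the flag... I believed my understanding of the function was correct. After searching Baidu I found that ~0 = -1 in Python while ~0 = 1 in C, which is where things went wrong. Reading an expert's writeup, I found that Python has a crc32 function that can be used, so the brute-force script is as follows: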

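#!/usr/bin/env python3
import binascii
import itertools
import string

# CRC32 of the 3-, 6-, ..., 42-byte prefixes of the flag, taken from the binary
hashes = [0xD641596F, 0x80A3E990, 0xC98D5C9B, 0xD05AFAF, 0x1372A12D, 0x5D5F117B, 0x4001FBFD,
          0xA7D2D56B, 0x7D04FB7E, 0x2E42895E, 0x61C97EB3, 0x84AB43C3, 0x9FC129DD, 0xF4592F4D]

flag = b''
for n in hashes:
    # Try every printable 3-character chunk until the CRC of the extended prefix matches
    for chunk in itertools.product(string.printable.encode(), repeat=3):
        temp = bytes(chunk)
        if binascii.crc32(flag + temp) & 0xffffffff == n:
            flag += temp
            break  # chunk found, move on to the next hash
print(flag.decode())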

flag get
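
An added example, not part of the original post, showing why a line-by-line Python port of the decompiled crc32 loop gives wrong values unless every intermediate is masked to 32 bits. It assumes crc32_tab is the standard reflected CRC-32 table (polynomial 0xEDB88320), which is consistent with binascii.crc32 matching the binary's hashes; crc32_naive, crc32_port and check_prefixes are names introduced here, and the sample input is constructed.

```python
import binascii

MASK = 0xFFFFFFFF

def make_table():
    """Standard reflected CRC-32 table (poly 0xEDB88320); assumed equal to crc32_tab."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC32_TAB = make_table()

def crc32_naive(init, data, length):
    """Line-by-line port that ignores C's 32-bit unsigned width."""
    i = ~init                      # Python ints are unbounded: ~0 == -1
    for b in data[:length]:
        # >> on a negative Python int sign-extends, so the top bits are wrong
        i = (i >> 8) ^ CRC32_TAB[(i ^ b) & 0xFF]
    return ~i

def crc32_port(init, data, length):
    """Same loop with every value truncated to 32 bits, as unsigned int is in C."""
    i = ~init & MASK               # 0xFFFFFFFF for init == 0
    for b in data[:length]:
        i = (i >> 8) ^ CRC32_TAB[(i ^ b) & 0xFF]
    return ~i & MASK

def check_prefixes(candidate, hashes):
    """Mirror of the verification function: CRC of the 3-, 6-, ... byte prefixes."""
    if len(candidate) != 3 * len(hashes):
        return False
    return all(crc32_port(0, candidate, 3 * (k + 1)) == h
               for k, h in enumerate(hashes))

if __name__ == "__main__":
    sample = b"constructed-sample"  # constructed input, not the challenge flag
    print("masked port :", hex(crc32_port(0, sample, 3)))
    print("binascii    :", hex(binascii.crc32(sample[:3])))
    print("naive port  :", hex(crc32_naive(0, sample, 3)))
```

The masked port agrees with binascii.crc32 on every prefix, while the naive port diverges from the first byte onward because the shift pulls in sign bits.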
