SEKAI CTF 2025——Miku Music Machine

SEKAI CTF 2025——Miku Music Machine

直接在IDA中查看:

image-20250818130330231

image-20250818130254856

看伪代码就能够知道这个主程序的逻辑:

  1. 先判断带的参数(就是要你找prompt)是不是50个字符

  2. 通过循环prompt的每一个字符异或上byte_140073000对应字符,得结果v11:

    • 还有一层循环,v11的后两位进行与操作(&3)

    • 为0,n22-21

    • 为1,n22++

    • 为2,n22+21

    • 为3,n22--

    • 进行移位操作(>>2)

    这里就是取你的prompt的每一个字符与程序内置的KEY进行异或,后进行每两位&3的结果进行更新n22,当然每次得到的n22,都要取函数地址数组off_140073040[n22],进行dwMsg的更新

  3. 经过上述操作,最终n22等于418就是答案

需注意off_140073040这个函数地址数组并不是全部有效的,该程序应用了CFG保护机制

image-20250818131926490

所以需要对该程序进行PE解析,去找到 Guard CF Function Table,我对PE结构的学习欠缺,就不深说,需要的自行查找学习(小声嘀咕:就因为不熟悉,费了一堆时间去看是不是自己的有效函数整理错了/(ㄒoㄒ)/~~)。

我使用的是Developer Command Prompt for VS 2022这个工具,dumpbin.exe /headers /loadconfig mmm-v2.exe:

image-20250818132526670

自行整理出有效函数表、函数地址数组off_140073040,数据有点庞大,在此不给出了。

然后,我就直接编写暴力搜索的法子发现存在N万种符合条件的prompt(其实我一开始自己写了DFS的暴力算法去解,但是太慢了,后面就AI帮我优化成动态规划啦【不懂DP的痛】)

注意了!!!有可能是我电脑版本问题,竟然随便拿其中一个prompt去测,竟然成功返回了That was beautiful!:

image-20250818133440565

呵呵!!!把我兴奋到。。。一提交直接Wa

image-20250818133556650

后面呢,我就使用的是mmm-v2.exe去分析的。

随便拿一个生成的prompt,通过动态调试发现:

image-20250818134412209

image-20250818134506871

image-20250818134426054

有六个函数都是需要有对应的前置函数将int 29h这个中断处理给覆盖掉的,也就是说如果要想正确地调用这六个函数,就需要在此之前调用其对应能够重写覆盖内部中断的函数。

理清这点后,就可以修改编写我们的脚本去生成正确的prompt

脚本生成的最终结果:

image-20250818135103783

附上脚本:

#include <stdio.h>
#include <string>
#include <iostream>
#include <Windows.h>
#include <map>
#include <unordered_map>
#include <set>
#include <stack>
#include <utility> // for pair
#include <vector>
#include <tuple>

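using namespace std;

// Bit masks for the "setup handler already visited" flags.  Per the writeup,
// six of the handlers in off_140073040 are only safe to call after a matching
// setup handler (the one that overwrites the int 29h vector) has run; each bit
// records that the setup handler at the given n22 index has been visited.
constexpr int F_235_MASK = 0x01;
constexpr int F_153_MASK = 0x02;
constexpr int F_187_MASK = 0x04;
constexpr int F_26_MASK  = 0x08;
constexpr int F_368_MASK = 0x10;
constexpr int F_383_MASK = 0x20;
const int MAX_FLAGS = 64; // 2^6 = 64 possible flag combinations

// Applies one key-XORed input byte to the machine state.
// Returns {new_n22, new_flags}, or {-1, -1} when the transition is invalid.
pair<int, int> count_a_charAns(unsigned char c, int current_n22, int flags);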

// 1. 白名单: 从 PE - bear 的 "Guard CF Function Table" 找到的所有合法函数地址
// 1. Allow-list: every call target permitted by the binary's Control Flow
//    Guard, read from the "Guard CF Function Table" in the PE load config
//    (PE-bear / dumpbin /headers /loadconfig).  A function_addresses entry
//    that is not in this list would be rejected by CFG at run time, so the
//    solver treats that n22 value as an invalid state.
constexpr uintptr_t all_valid_CFG_tables[] = {
    0x140001010, 0x140001050, 0x140001070, 0x140001090, 0x1400010b0, 0x140001110, 0x140001170, 0x1400011b0, 0x1400011f0, 0x140001250,
    0x1400012d0, 0x140001370, 0x140001390, 0x1400013f0, 0x140001410, 0x140001430, 0x140001470, 0x140001490, 0x1400014d0, 0x1400014f0,
    0x140001510, 0x140001570, 0x1400015b0, 0x1400015f0, 0x140001610, 0x140001630, 0x1400016b0, 0x1400016d0, 0x140001710, 0x140001730,
    0x140001790, 0x1400017d0, 0x1400017f0, 0x140001810, 0x1400018f0, 0x140001910, 0x140001990, 0x1400019f0, 0x140001a50, 0x140001af0,
    0x140001b10, 0x140001b30, 0x140001bb0, 0x140001bf0, 0x140001c70, 0x140001cb0, 0x140001cf0, 0x140001d70, 0x140001db0, 0x140001e50,
    0x140001eb0, 0x140001ed0, 0x140001f50, 0x140001f70, 0x140001f90, 0x140001fd0, 0x140001ff0, 0x140002010, 0x140002030, 0x140002050,
    0x140002070, 0x140002090, 0x1400020f0, 0x140002110, 0x140002150, 0x1400021b0, 0x140002210, 0x140002250, 0x140002270, 0x140002290,
    0x1400022f0, 0x140002350, 0x140002390, 0x1400023d0, 0x140002410, 0x140002430, 0x140002450, 0x140002490, 0x1400024b0, 0x1400024d0,
    0x140002530, 0x140002570, 0x1400025b0, 0x140002610, 0x140002650, 0x140002690, 0x1400026d0, 0x140002710, 0x140002730, 0x140002790,
    0x1400027f0, 0x140002850, 0x1400028b0, 0x1400028d0, 0x140002970, 0x1400029d0, 0x1400029f0, 0x140002a10, 0x140002a70, 0x140002a90,
    0x140002ab0, 0x140002af0, 0x140002bf0, 0x140002c50, 0x140002c90, 0x140002cd0, 0x140002d90, 0x140002df0, 0x140002e90, 0x140002eb0,
    0x140002ed0, 0x140002ef0, 0x140002f10, 0x140002f50, 0x140002f90, 0x140002ff0, 0x140003030, 0x140003050, 0x140003090, 0x140003110,
    0x140003150, 0x140003190, 0x1400031b0, 0x140003210, 0x140003270, 0x140003290, 0x1400032d0, 0x1400032f0, 0x140003330, 0x140003410,
    0x140003430, 0x140003450, 0x140003470, 0x140003490, 0x1400034b0, 0x140003590, 0x140003610, 0x140003650, 0x140003670, 0x1400036b0,
    0x1400036d0, 0x140003710, 0x1400037d0, 0x1400037f0, 0x140003810, 0x140003850, 0x140003970, 0x1400039d0, 0x1400039f0, 0x140003a30,
    0x140003ab0, 0x140003ad0, 0x140003af0, 0x140003b10, 0x140003b30, 0x140003bd0, 0x140003c10, 0x140003c50, 0x140003c70, 0x140003cd0,
    0x140003cf0, 0x140003dd0, 0x140003e10, 0x140003e50, 0x140003e70, 0x140003e90, 0x140003ef0, 0x140003f10, 0x140003f30, 0x140003f70,
    0x140003fd0, 0x140003ff0, 0x140004010, 0x140004070, 0x1400040b0, 0x1400040f0, 0x140004170, 0x1400041b0, 0x1400041d0, 0x140004210,
    0x140004230, 0x140004270, 0x140004290, 0x1400042b0, 0x1400042d0, 0x1400042f0, 0x140004310, 0x140004390, 0x1400043d0, 0x140004410,
    0x140004430, 0x1400044f0, 0x140004590, 0x1400045d0, 0x140004610, 0x140004630, 0x140004650, 0x1400046d0, 0x1400046f0, 0x1400049c0,
    0x140004c40, 0x140004d00, 0x140004d10, 0x140004f50, 0x1400054b0, 0x140005740, 0x1400057e0, 0x140005cb0, 0x140005cc0, 0x140005f60,
    0x140006620, 0x140006650, 0x1400067f0, 0x14000b910, 0x14000b920, 0x14000b930, 0x14000b960, 0x14000b9a0, 0x14000d6f0, 0x14000d740,
    0x14000d760, 0x14000d790, 0x14000d7e0, 0x14000f450, 0x14000f460, 0x14000f470, 0x14000f4a0, 0x14000f4f0, 0x14000f630, 0x14000f640,
    0x14000f650, 0x14000f660, 0x14000f670, 0x140010200, 0x1400112d0, 0x140013db0, 0x140013e00, 0x140013e70, 0x140014060, 0x140015080,
    0x140015420, 0x140015560, 0x14003ada0, 0x14003add0, 0x14003ae90, 0x14003b830, 0x14003d7e0, 0x14003d800, 0x14003d830, 0x14003d840,
    0x14003d850, 0x14003d870, 0x14003d880, 0x14003d890, 0x14003d8e0, 0x14003d8f0, 0x14003d940, 0x14003d9b0, 0x14003dcb0, 0x140040bc0,
    0x140042670, 0x140042780, 0x140043280, 0x1400432d0, 0x140046650, 0x140046e80, 0x140046ed0, 0x140047630, 0x140047650, 0x14004a040,
    0x14004b760, 0x14004b7d0, 0x14004c1c0, 0x14004c360, 0x14004cb30, 0x14004d100, 0x14004d9d0, 0x14004e570, 0x14004e860, 0x14004ee10,
    0x14004f120, 0x14004f370, 0x14004fa40, 0x14004fa70, 0x14004fd90, 0x140057710, 0x14005c840, 0x14005d270, 0x14005d310, 0x14005e440,
    0x14005e5f0
};

// 2. The binary's handler table off_140073040, indexed by n22: after every
//    2-bit step the program calls function_addresses[n22].  Not every entry is
//    in the CFG allow-list above; landing on one of those is a dead end for
//    the search.
constexpr uintptr_t function_addresses[] = {
    0x1400025F0, 0x140001EF0, 0x1400039B0, 0x140004090, 0x140002F70, 0x140003B70, 0x140002590, 0x140001210, 0x140002E70, 0x140004370,
    0x140001E70, 0x140003A50, 0x140003D70, 0x1400033F0, 0x140002B50, 0x140003070, 0x140004250, 0x140003230, 0x1400013D0, 0x140002E30,
    0x140002B10, 0x140001D50, 0x140001ED0, 0x140002190, 0x140001370, 0x1400016B0, 0x140004430, 0x140001770, 0x140004230, 0x140002530,
    0x140002290, 0x140001710, 0x1400010B0, 0x1400015B0, 0x1400037D0, 0x140003290, 0x1400041B0, 0x140004270, 0x140001F70, 0x140003F70,
    0x140003B10, 0x1400023B0, 0x1400034D0, 0x140003610, 0x1400018D0, 0x140004490, 0x140004450, 0x140003E70, 0x140003A70, 0x140001CD0,
    0x140002D30, 0x1400020B0, 0x140003570, 0x140002DB0, 0x1400045F0, 0x140002EF0, 0x140003770, 0x140001910, 0x140002DD0, 0x1400029D0,
    0x140002AD0, 0x140001F50, 0x140001A30, 0x140003D30, 0x140001DB0, 0x140003AD0, 0x140001B30, 0x1400017D0, 0x140002450, 0x140003FD0,
    0x140002390, 0x140002350, 0x140001790, 0x1400013B0, 0x140003CD0, 0x140003030, 0x140002110, 0x140002770, 0x1400016D0, 0x1400019B0,
    0x140003E10, 0x140001A90, 0x140003CF0, 0x1400017B0, 0x140002BB0, 0x140001F10, 0x140001890, 0x1400045D0, 0x140003C30, 0x1400011D0,
    0x140001BD0, 0x140004510, 0x140001650, 0x140002150, 0x140003B50, 0x1400040D0, 0x140002830, 0x140004650, 0x1400012B0, 0x140003AB0,
    0x140002C30, 0x1400019D0, 0x140003BB0, 0x140002B90, 0x140002370, 0x140003930, 0x140003810, 0x1400042F0, 0x140002F50, 0x140003250,
    0x1400015F0, 0x140002630, 0x1400024D0, 0x140001830, 0x140003BD0, 0x1400046F0, 0x140002AF0, 0x140001C70, 0x140003710, 0x140002C70,
    0x1400042D0, 0x140004010, 0x1400019F0, 0x140003050, 0x140002410, 0x140001DD0, 0x1400046B0, 0x140002230, 0x140004710, 0x140003DF0,
    0x140001450, 0x140004070, 0x140003730, 0x140001090, 0x140003ED0, 0x140002670, 0x140003DB0, 0x1400016F0, 0x140003350, 0x1400034B0,
    0x140004570, 0x140002CF0, 0x140003870, 0x140001B10, 0x1400032B0, 0x140002F30, 0x140001310, 0x140003D10, 0x140003850, 0x140003430,
    0x140001430, 0x140001010, 0x1400042B0, 0x140003650, 0x140002850, 0x1400022F0, 0x140002710, 0x140003F10, 0x1400014D0, 0x140004590,
    0x140003E90, 0x140001810, 0x140003E50, 0x140003EB0, 0x140001AF0, 0x140002270, 0x140002430, 0x140004130, 0x140003E30, 0x1400039D0,
    0x140001970, 0x140001870, 0x140001290, 0x140002130, 0x1400035F0, 0x140003C90, 0x140002BD0, 0x140003550, 0x1400033D0, 0x140001FF0,
    0x140002A30, 0x140002330, 0x1400010D0, 0x140001190, 0x140001530, 0x1400015D0, 0x140002810, 0x140001570, 0x1400043B0, 0x140002B30,
    0x140002F10, 0x140001670, 0x140001CB0, 0x140002930, 0x1400040B0, 0x1400045B0, 0x140001730, 0x140002210, 0x1400017F0, 0x1400032F0,
    0x1400046D0, 0x140001390, 0x1400039F0, 0x140002550, 0x140003590, 0x1400035D0, 0x1400026D0, 0x1400022B0, 0x140001FD0, 0x140003CB0,
    0x140003A10, 0x1400041F0, 0x1400033B0, 0x140003A30, 0x140002910, 0x1400024B0, 0x140003A90, 0x1400021B0, 0x1400024F0, 0x1400041D0,
    0x140004330, 0x1400034F0, 0x1400038D0, 0x140001630, 0x140001590, 0x140002DF0, 0x140003530, 0x140002C90, 0x140001F30, 0x140002A10,
    0x1400023F0, 0x1400044D0, 0x140002AB0, 0x140003130, 0x140003DD0, 0x140004210, 0x140001510, 0x1400011B0, 0x140002030, 0x1400030B0,
    0x140003470, 0x140002ED0, 0x1400040F0, 0x140003910, 0x1400011F0, 0x140002170, 0x1400012D0, 0x140002FF0, 0x140003C70, 0x140002090,
    0x140003FF0, 0x1400018B0, 0x140002CB0, 0x140002C50, 0x140001550, 0x140003B90, 0x1400043F0, 0x140001D10, 0x140001D90, 0x140004170,
    0x140003690, 0x140003510, 0x140003890, 0x140002A50, 0x140003370, 0x1400012F0, 0x1400037B0, 0x1400013F0, 0x140001C90, 0x1400028F0,
    0x140002D10, 0x140004390, 0x140001DF0, 0x140001150, 0x140003AF0, 0x140002490, 0x1400043D0, 0x140003090, 0x140001470, 0x140003110,
    0x1400014F0, 0x140001410, 0x140003EF0, 0x140004290, 0x140002050, 0x1400018F0, 0x140003270, 0x140002470, 0x140002610, 0x140003F90,
    0x1400037F0, 0x140004310, 0x140004630, 0x140001270, 0x140002C10, 0x140002A90, 0x1400038B0, 0x140001AB0, 0x140001230, 0x140002F90,
    0x140001C10, 0x140002250, 0x1400030F0, 0x1400036B0, 0x140002750, 0x140003210, 0x140001690, 0x140001BF0, 0x1400036F0, 0x1400028D0,
    0x140004030, 0x140002A70, 0x1400021D0, 0x1400029F0, 0x140002870, 0x140002E10, 0x140003330, 0x1400031F0, 0x140001E50, 0x140003C10,
    0x140001A50, 0x140001A70, 0x1400028B0, 0x140001B70, 0x1400025B0, 0x1400029B0, 0x140001990, 0x140003FB0, 0x140003670, 0x140001130,
    0x140002010, 0x1400030D0, 0x140001F90, 0x140004690, 0x140001CF0, 0x140004190, 0x140004530, 0x140001E30, 0x1400027D0, 0x1400044F0,
    0x1400025D0, 0x140001D70, 0x1400022D0, 0x140001950, 0x1400021F0, 0x140004410, 0x140003170, 0x140004670, 0x140001C50, 0x140002730,
    0x140002B70, 0x1400020F0, 0x140003750, 0x140002FD0, 0x140001E90, 0x140003150, 0x1400038F0, 0x140002D70, 0x140001BB0, 0x140003410,
    0x140002CD0, 0x1400026F0, 0x140002D90, 0x140001B50, 0x140002EB0, 0x1400032D0, 0x140002790, 0x140002070, 0x140002970, 0x140001850,
    0x140001170, 0x140002950, 0x140001610, 0x140003490, 0x140004610, 0x140004470, 0x140001EB0, 0x140003830, 0x1400020D0, 0x140002BF0,
    0x140002E50, 0x140003C50, 0x140004150, 0x140003F30, 0x140001350, 0x140001D30, 0x1400035B0, 0x1400027F0, 0x140003D90, 0x140004550,
    0x140002FB0, 0x140003990, 0x140004050, 0x140002690, 0x140001930, 0x140002650, 0x140002990, 0x1400023D0, 0x1400044B0, 0x140001E10,
    0x140002E90, 0x140001FB0, 0x140001250, 0x140003D50, 0x140001110, 0x140003970, 0x140001050, 0x140001A10, 0x140003450, 0x140001070,
    0x140002570, 0x1400026B0, 0x1400031B0, 0x1400036D0, 0x140003190, 0x140001B90, 0x140003B30, 0x140002D50, 0x140001490, 0x140001750,
    0x140001330, 0x140001C30, 0x140003790, 0x140002890, 0x140001AD0, 0x1400031D0, 0x1400014B0, 0x140003BF0, 0x140002310, 0x1400027B0,
    0x140002510, 0x1400010F0, 0x140004350, 0x140003F50, 0x140003390, 0x140001030, 0x140003010, 0x140003630, 0x140003950, 0x140003310,
    0x140004110
};

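// Per-position XOR key (byte_140073000 in the binary): one byte for each of
// the 50 input characters.  Declared unsigned so the 0x80..0xFF entries are
// not a narrowing conversion (ill-formed in a braced init of a signed char on
// GCC/Clang).  Every use XORs a char with KEY[i] and truncates the result to
// unsigned char, so the produced byte is the same as with a signed char key.
const unsigned char KEY[] = {
    0x09, 0x40, 0x11, 0xE4, 0x1C, 0x81, 0x92, 0xDB, 0x0B, 0x75, 0x26, 0x6A, 0x2F, 0x7F, 0xDD, 0xD2,
    0x52, 0x21, 0x76, 0x9F, 0xDF, 0x8E, 0x8F, 0xCD, 0x9F, 0x84, 0x61, 0x3F, 0x6D, 0x7A, 0x87, 0x1E,
    0x21, 0x99, 0xC7, 0x65, 0xDC, 0xC8, 0x4A, 0x22, 0x7D, 0x28, 0x64, 0x69, 0xDC, 0x20, 0x34, 0xED,
    0xFB, 0xD7
};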

// Candidate alphabet for the 43 free positions (indices 6..48).  Filled in
// main() with every printable ASCII character from '!' (33) to '~' (126).
//string char_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";
std::string char_table;

int n22 = 22;                      // initial machine position (main() keeps its own copy)
char item_str[51] = {};            // 50-character candidate plus NUL terminator
std::set<uintptr_t> function_map;  // all_valid_CFG_tables as a set, for membership tests

// Precomputed table [index][n22][char_index] -> contribution (declared, not used)
std::vector<std::vector<std::vector<int>>> precomputed_table;

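// Predecessor record for path reconstruction: the (n22, flags) state at the
// previous index and the character that produced the transition.
struct PrevInfo {
    int prev_n22;
    int prev_flags;
    char c;
};

// State-space bounds for the DP tables (the flags dimension uses the global
// MAX_FLAGS rather than a shadowing local).
constexpr int kMaxIndex = 50;  // positions 0-49 of the 50-character input
constexpr int kMaxState = 440; // n22 range accepted by count_a_charAns

using Reachable = vector<vector<vector<bool>>>;             // dp[index][n22][flags] -> reachable?
using PrevTable = vector<vector<vector<vector<PrevInfo>>>>; // prev[index][n22][flags] -> predecessors

// Fills char_table with every printable ASCII character ('!' .. '~').
static void init_char_table() {
    for (char c = 33; c < 127; c++) {
        char_table += c;
    }
}

// Drives the machine through the fixed prefix item_str[0..5] ("SEKAI{").
// On success writes the resulting state to n22_out / flags_out and returns
// true; on a rejected prefix character reports it and returns false.
static bool apply_fixed_prefix(int& n22_out, int& flags_out) {
    int current_n22 = 22;
    int flags = 0;
    for (int i = 0; i < 6; i++) {
        unsigned char c = item_str[i] ^ KEY[i];
        auto result = count_a_charAns(c, current_n22, flags);
        if (result.first == -1) {
            cout << "固定字符无效: " << item_str[i] << endl;
            return false;
        }
        current_n22 = result.first;
        flags = result.second;
    }
    n22_out = current_n22;
    flags_out = flags;
    return true;
}

// Forward DP over positions 6..48: from every reachable (n22, flags) at
// `index`, tries each candidate character, marks the resulting state at
// index+1 reachable and records the predecessor for later path rebuilding.
static void run_forward_dp(int start_n22, int start_flags, Reachable& dp, PrevTable& prev) {
    dp[6][start_n22][start_flags] = true;

    for (int index = 6; index < 49; index++) {
        for (int n = 0; n < kMaxState; n++) {
            for (int f = 0; f < MAX_FLAGS; f++) {
                if (!dp[index][n][f]) continue;

                for (char c : char_table) {
                    unsigned char x = c ^ KEY[index];
                    auto result = count_a_charAns(x, n, f);
                    if (result.first == -1) continue;

                    int next_n = result.first;
                    int next_f = result.second;

                    // count_a_charAns already bounds n22 to [0, 440); these
                    // checks keep the table indices safe if the bounds change.
                    if (next_n < 0 || next_n >= kMaxState) continue;
                    if (next_f < 0 || next_f >= MAX_FLAGS) continue;

                    dp[index + 1][next_n][next_f] = true;
                    prev[index + 1][next_n][next_f].push_back({ n, f, c });
                }
            }
        }
    }
}

// Collects every (n22, flags) reachable at position 49 from which the closing
// '}' moves the machine to the accepting position 418.
static vector<pair<int, int>> collect_final_states(const Reachable& dp) {
    vector<pair<int, int>> final_states;
    for (int n = 0; n < kMaxState; n++) {
        for (int f = 0; f < MAX_FLAGS; f++) {
            if (!dp[49][n][f]) continue;

            auto result = count_a_charAns('}' ^ KEY[49], n, f);
            if (result.first == 418) {
                final_states.push_back({ n, f });
            }
        }
    }
    return final_states;
}

// Walks the predecessor table backwards from each accepting state (index 49)
// to the fixed prefix (index 6), printing each distinct flag the first time it
// is seen.  Returns the number of paths enumerated (duplicates included);
// uni_ans receives the distinct flags.
static int reconstruct_paths(const vector<pair<int, int>>& final_states,
                             const PrevTable& prev, set<string>& uni_ans) {
    int solution_count = 0;

    for (const auto& fs : final_states) {
        // Explicit stack instead of recursion: (index, n22, flags, suffix built so far)
        stack<tuple<int, int, int, string>> state_stack;
        state_stack.push(make_tuple(49, fs.first, fs.second, ""));

        while (!state_stack.empty()) {
            auto [index, state, flags, path] = state_stack.top();
            state_stack.pop();

            if (index == 6) {
                solution_count++;
                string flag = "SEKAI{" + path + "}";
                // Several predecessor chains can spell the same string; print once.
                if (uni_ans.insert(flag).second) {
                    cout << "解 " << solution_count << ": " << flag << endl;
                }
                continue;
            }

            for (const auto& p : prev[index][state][flags]) {
                state_stack.push(make_tuple(index - 1, p.prev_n22, p.prev_flags,
                                            string(1, p.c) + path));
            }
        }
    }
    return solution_count;
}

// Entry point: builds the CFG allow-list, fixes the "SEKAI{...}" frame, runs
// the reachability DP over the 43 free positions and prints every input that
// ends on position 418.  Returns -1 if the fixed prefix itself is rejected.
int main(int argc, char* argv[]) {
    init_char_table();

    // CFG allow-list as a set, queried by count_a_charAns
    for (const auto& addr : all_valid_CFG_tables) {
        function_map.insert(addr);
    }

    // Fixed flag frame: positions 0-5 and 49
    item_str[0] = 'S', item_str[1] = 'E', item_str[2] = 'K',
        item_str[3] = 'A', item_str[4] = 'I', item_str[5] = '{',
        item_str[49] = '}';

    int current_n22 = 22;
    int flags = 0;
    if (!apply_fixed_prefix(current_n22, flags)) {
        return -1;
    }
    cout << "初始 n22: " << current_n22 << endl;
    cout << "初始 flags: " << flags << endl;

    // 50 x 440 x 64 states; prev holds one (possibly empty) vector per state,
    // which is a large but acceptable footprint for a one-off solver.
    Reachable dp(kMaxIndex,
        vector<vector<bool>>(kMaxState,
            vector<bool>(MAX_FLAGS, false)));
    PrevTable prev(kMaxIndex,
        vector<vector<vector<PrevInfo>>>(kMaxState,
            vector<vector<PrevInfo>>(MAX_FLAGS)));

    run_forward_dp(current_n22, flags, dp, prev);

    vector<pair<int, int>> final_states = collect_final_states(dp);
    if (final_states.empty()) {
        cout << "未找到任何解" << endl;
        return 0;
    }

    set<string> uni_ans;
    int solution_count = reconstruct_paths(final_states, prev, uni_ans);

    if (solution_count == 0) {
        cout << "未找到任何解" << endl;
    }
    else {
        cout << "共找到 " << solution_count << " 个解" << endl;
        cout << "唯一解数量: " << uni_ans.size() << endl;
    }

    return 0;
}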

// Applies one key-XORed input byte to the machine and reports the resulting
// (n22, flags) state.  The byte is consumed two bits at a time, low bits
// first; each 2-bit value moves n22 by a fixed step.  After every step the
// landing index must be in [0, 440), its handler must be in the CFG allow-list
// (function_map), and for the six gated handlers the matching setup bit must
// already be set.  Returns {-1, -1} as soon as any of the four steps fails.
pair<int, int> count_a_charAns(unsigned char c, int current_n22, int flags) {
    // Step for each 2-bit control value: 0 -> -21, 1 -> +1, 2 -> +21, 3 -> -1
    static constexpr int kStep[4] = { -21, +1, +21, -1 };

    struct Gate { int node; int mask; };
    // Handlers that may only be entered once the corresponding bit is set ...
    static constexpr Gate kRequires[] = {
        { 76,  F_235_MASK }, { 281, F_153_MASK }, { 280, F_187_MASK },
        { 72,  F_26_MASK },  { 397, F_368_MASK }, { 156, F_383_MASK },
    };
    // ... and the setup handlers that set those bits when visited.
    static constexpr Gate kGrants[] = {
        { 235, F_235_MASK }, { 153, F_153_MASK }, { 187, F_187_MASK },
        { 26,  F_26_MASK },  { 368, F_368_MASK }, { 383, F_383_MASK },
    };

    const pair<int, int> invalid = make_pair(-1, -1);
    int pos = current_n22;
    int state_flags = flags;

    for (int step = 0; step < 4; step++, c >>= 2) {
        pos += kStep[c & 3];

        if (pos < 0 || pos >= 440)
            return invalid;

        // The call target at this index must be CFG-approved
        if (function_map.count(function_addresses[pos]) == 0)
            return invalid;

        for (const Gate& g : kRequires) {
            if (pos == g.node && !(state_flags & g.mask))
                return invalid;
        }

        for (const Gate& g : kGrants) {
            if (pos == g.node)
                state_flags |= g.mask;
        }
    }
    return make_pair(pos, state_flags);
}

反思

  • 太依赖于IDA的伪代码了,导致一开始完全没有发现程序应用了CFG保护机制
  • 对PE文件结构不熟悉,浪费了很多时间在进行脚本解析PE结构
  • 在静态分析感觉差不多时,不及时使用动态的去分析,导致很晚才发现那六个限制函数(或者说陷阱函数)

/(ㄒoㄒ)/最终一题都没有写出来/(ㄒoㄒ)/
