Reverse ctf SSE_KEYGENME VAX2学习

 最近的一场 CTF 比赛，让我去学习了这些内容。

首先附上我参考过的一份很重要的资料

打开 IDA 查看代码

 

 

 

 发现主要的判断逻辑在于 check_login 这个函数，然后点进去看看

; check_login, one iteration of its 16-byte block loop (IDA listing, Intel syntax).
; The loop head and exit are outside this excerpt. Roles visible in this block:
;   [rbp+var_F8]  = byte offset of the current block; stepped by 10h at the end
;   [rbp+var_118] = base address the block is read from (presumably the input buffer)
;   [rbp+ptr]     = base address the block is written to (presumably the output buffer)
;   p_box, x_box  = two 16-byte static tables (shuffle control source, XOR mask)
; Per block the transform is: out = shuffle(in, p_box - 1) XOR x_box. Both tables are
; constants, so this is a fixed permutation plus a fixed mask with no key material and
; no chaining between blocks -- invertible once p_box and x_box are recovered.
; NOTE(review): every value round-trips through a stack slot, which looks like
; unoptimized intrinsics code -- the spill slots (var_C8, var_D0, var_D8, var_E0) carry
; no extra meaning.
loc_94E:
mov     [rbp+var_108], 1                ; fill the 16 stack bytes var_108..var_F9 with 01h
mov     [rbp+var_107], 1
mov     [rbp+var_106], 1
mov     [rbp+var_105], 1
mov     [rbp+var_104], 1
mov     [rbp+var_103], 1
mov     [rbp+var_102], 1
mov     [rbp+var_101], 1
mov     [rbp+var_100], 1
mov     [rbp+var_FF], 1
mov     [rbp+var_FE], 1
mov     [rbp+var_FD], 1
mov     [rbp+var_FC], 1
mov     [rbp+var_FB], 1
mov     [rbp+var_FA], 1
mov     [rbp+var_F9], 1
movzx   edx, [rbp+var_100]              ; pack var_100..var_F9 into rdx, one byte per shl/or
movzx   eax, [rbp+var_FF]               ; (byte order is irrelevant here: every byte is 01h)
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_FE]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_FD]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_FC]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_FB]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_FA]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_F9]
shl     rdx, 8
or      rdx, rax
movzx   eax, [rbp+var_108]              ; same packing for var_108..var_101 into rax
movzx   ecx, [rbp+var_107]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_106]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_105]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_104]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_103]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_102]
shl     rax, 8
or      rax, rcx
movzx   ecx, [rbp+var_101]
shl     rax, 8
or      rax, rcx
mov     qword ptr [rbp+var_130], rdx    ; low qword
mov     qword ptr [rbp+var_130+8], rax  ; high qword -> var_130 holds 16 bytes of 01h
vmovaps xmm0, [rbp+var_130]
vmovaps [rbp+var_C0], xmm0              ; var_C0 = {01h x 16}
lea     rax, p_box
mov     [rbp+var_C8], rax
mov     rax, [rbp+var_C8]
vlddqu  xmm0, xmmword ptr [rax]         ; unaligned 16-byte load of p_box
vmovaps [rbp+var_B0], xmm0              ; var_B0 = p_box
lea     rax, x_box
mov     [rbp+var_D0], rax
mov     rax, [rbp+var_D0]
vlddqu  xmm0, xmmword ptr [rax]         ; unaligned 16-byte load of x_box
vmovaps [rbp+var_A0], xmm0              ; var_A0 = x_box
vmovaps xmm0, [rbp+var_B0]
vmovaps [rbp+var_20], xmm0
vmovaps xmm0, [rbp+var_C0]
vmovaps [rbp+var_10], xmm0
vmovaps xmm0, [rbp+var_20]              ; xmm0 = p_box
vmovaps xmm1, [rbp+var_10]              ; xmm1 = {01h x 16}
vpsubb  xmm0, xmm0, xmm1                ; bytewise: p_box[i] - 1
vmovaps [rbp+var_B0], xmm0              ; var_B0 = shuffle control = p_box - 1 (per byte)
mov     rdx, [rbp+var_118]
mov     rax, [rbp+var_F8]
add     rax, rdx                        ; rax = var_118 + var_F8 -> current 16-byte input block
mov     [rbp+var_D8], rax
mov     rax, [rbp+var_D8]
vlddqu  xmm0, xmmword ptr [rax]
vmovaps [rbp+var_90], xmm0              ; var_90 = input block
vmovaps xmm0, [rbp+var_90]
vmovaps [rbp+var_40], xmm0
vmovaps xmm0, [rbp+var_B0]
vmovaps [rbp+var_30], xmm0
vmovaps xmm1, [rbp+var_30]              ; xmm1 = control (p_box - 1), same every iteration
vmovaps xmm0, [rbp+var_40]              ; xmm0 = input block
vpshufb xmm0, xmm0, xmm1                ; byte permutation: result[i] = input[ctrl[i] & 0Fh],
                                        ; or 0 when bit 7 of ctrl[i] is set (xmm1 is the control)
vmovaps [rbp+var_80], xmm0              ; var_80 = shuffled block
vmovaps xmm0, [rbp+var_80]
vmovaps [rbp+var_60], xmm0
vmovaps xmm0, [rbp+var_A0]
vmovaps [rbp+var_50], xmm0
vmovaps xmm1, [rbp+var_60]              ; xmm1 = shuffled block
vmovaps xmm0, [rbp+var_50]              ; xmm0 = x_box
vxorps  xmm0, xmm1, xmm0                ; bitwise XOR of the full 128 bits with x_box
vmovaps [rbp+var_80], xmm0              ; var_80 = shuffle(in) ^ x_box
mov     rdx, [rbp+ptr]
mov     rax, [rbp+var_F8]
add     rax, rdx                        ; rax = ptr + var_F8 -> destination of this block
mov     [rbp+var_E0], rax
vmovaps xmm0, [rbp+var_80]
vmovaps [rbp+var_70], xmm0
vmovaps xmm0, [rbp+var_70]
mov     rax, [rbp+var_E0]
vmovups xmmword ptr [rax], xmm0         ; unaligned 16-byte store of the transformed block
add     [rbp+var_F8], 10h               ; advance to the next 16-byte block

发现了这一串指令。一开始我在查找 vpshufb 这个指令的时候以为是国密加密，所以看了很久，后来发现它其实是打乱原本字节顺序的指令，而打乱是根据你的第一个操作数进行的。通过代码不难发现每次传入的那个操作数都是同一个，所以打乱顺序都一样，把它记录下来，再解密时就可以轻松解决。

 // Decryption of the 32-byte ciphertext taken from check_login. The binary transforms
 // each 16-byte block as shuffle(in, p_box - 1) ^ x_box, so the inverse is applied in
 // reverse order: undo the XOR first, then undo the byte permutation. No key is
 // involved -- both tables are constants in the binary.
 1     char s1[] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 0 };   // per-byte XOR mask (x_box as recorded by the author); the same 16 bytes are reused for both blocks
 2     char flag[] = { 0x43,0x51,0x43,0x36,0x40,0x52,0x21,0x55,0x24,0x42,0x5b,0x68,0x7d,0x67,0x1f,0x7b,0x5d,0x7e,0x4e,0x0e,0x58,0x4,0x22,0x40,0x1e,0x14,0x16,0x2c,0x20,0x22,0x26,0x34 };   // ciphertext: two 16-byte blocks
 3     char temp1[33]{ 0 };   // XOR-decoded bytes; index 32 stays 0 so cout can print it as a C string
 4     for (int i = 0; i < 2; i++)   // one pass per 16-byte block
 5     {
 6         for (int j = 0; j < 16; j++)
 7         {
 8             temp1[i * 16 + j] = flag[i * 16 + j] ^ s1[j];   // mirrors the vxorps with x_box (XOR is its own inverse)
 9         }
10         cout << temp1 << endl;   // debug print after each block; a decoded 0x00 byte would cut the printed string short
11     }
12     
13     cout << endl;
14     cout << endl;
15     cout << endl;
16     cout << endl;
17 
18 
19     int arr1[] = { 4, 0, 7, 15, 2, 6, 1, 9, 14, 13, 10, 5, 12, 3, 11, 8 };   // permutation recorded from the shuffle control: output byte j comes from byte arr1[j] of the same block
       // NOTE(review): for this to undo the vpshufb it must be the inverse of (p_box - 1);
       // that cannot be checked from this page alone -- verify against the dumped p_box.
20     char arr2[33] = { 0 };   // permuted plaintext, NUL-terminated for printing
21     for (int i = 0; i < 2; i++)
22     {
23         for (int j = 0; j < 16; j++)
24         {
25             arr2[i * 16 + j] = temp1[i * 16+ arr1[j]];   // within-block byte permutation (indices stay inside the 16-byte block)
26         }
27         cout << arr2<<endl;   // the line printed after the second pass is the full 32-byte result
28     }

 
