Notes on two reversing challenges; the second one is a bit of a bother.
Re elf
The challenge is simple and so is the algorithm: it asks for a registration code for the user name ctfking.
The registration code must meet three criteria:
1. Every character is a digit.
2. The length is a multiple of 10.
3. Serial_gen, computed over the serial, must equal Name_gen, computed over the user name ctfking.
A brief analysis of the algorithm follows.
Serial_gen folds each byte of the input serial into a single value (the per-byte step works on a scale counting down from 9; see the decompilation). Since the user name is fixed to ctfking, Name_gen is a constant: a quick debugging session shows it is 0x8c. From there a few lines of script brute-force a digit string whose Serial_gen value is 0x8c, and the result comes out in seconds.
Re PE
Jump straight to the key locations.
In the handle function, inputstring must match the format XXXXXXXX-XXXXXXXX; the first 8 hex characters and the last 8 hex characters are converted into two integers, v8 and v7.
For example, with the input 12ab34cd-ab345678, v8 = 0x12ab34cd and
v7 = 0x12ab34cd ^ 0xab345678.
The judge function checks whether the two integers satisfy its condition; if they do, registration succeeds.
The interesting part is inside judge.
The algorithm itself is concise, so the question is how to find a num1 and num2 that satisfy it. Brute force over both values is out, the search space is far too large; analyzing the algorithm lets us cut it down.
The string assembled through v4, String1, has to equal String2, and v7 is the machine code; all of these are known.
As shown, each round does *v4++ = num1 ^ (v7 - num2). Write LSB(i) for the lowest bit of the integer i. The lowest bit of a subtraction has no incoming borrow, so LSB(*v4++) = LSB(num1) ^ LSB(v7) ^ LSB(num2), which gives LSB(num1) ^ LSB(num2) directly. Over the 32 rounds this yields, bit by bit, the full value of num1 ^ num2.
Notation: byte0(i) is the low 8 bits of the integer i, byte1(i) is bits [8,16), byte2(i) is bits [16,24), and byte3(i) is the top 8 bits.
Looking more carefully, every 8 rounds the loop has consumed one more byte of num1 and num2: byte0, then byte1, byte2 and byte3.
So string2[0] = byte0(num1) ^ (string1[0] - byte0(num2)). Rearranging, string2[0] ^ byte0(num1) ^ byte0(num2) = byte0(num2) ^ (string1[0] - byte0(num2)). We already have num1 ^ num2, and therefore byte0(num1) ^ byte0(num2), so the left side is known; byte0(num2) has only 256 possible values, and trying each one tells us which values byte0(num2) can take.
The same goes for byte1(num2), byte2(num2) and byte3(num2), which pins down the possible values of num2 and shrinks the search space enormously.
From these ideas I wrote a script that produced the registration code in a few seconds.
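The author's script is not reproduced on the page. As an added example (not the author's code and not the crackme's own logic), here is a Python model of the judge loop together with the reduction described above. The exact decompiled loop is not on the page, so the model is an assumption built only from the quoted fragments: num1 and num2 are rotated right by one bit per round, string1 and string2 are 32 bytes long, and each round writes one output byte. The values NUM1, NUM2 and STRING1 are constructed sample data (NUM1 is taken from the page's example input; NUM2 and STRING1 are chosen here).

```python
"""Search-space reduction for the judge loop, modelled from the writeup's fragments.

ASSUMED MODEL (the real decompiled loop is not on the page): each of the 32
rounds computes one output byte
    string2[i] = lowbyte( ror32(num1, i) ^ (string1[i] - ror32(num2, i)) )
so the bit of num1/num2 sitting at bit 0 advances one position per round,
and every 8 rounds the low byte of the rotated value is byte0..byte3 of the
original.  num1, num2 and string1 below are constructed sample data.
"""
from itertools import product

MASK32 = 0xFFFFFFFF


def ror32(x, n):
    """Rotate a 32-bit value right by n bits."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def byte_at(x, k):
    """byte_k(x): bits [8k, 8k+8) of x."""
    return (x >> (8 * k)) & 0xFF


def judge_model(num1, num2, string1):
    """Assumed judge loop: 32 rounds of *v4++ = num1 ^ (v7 - num2), one byte per round."""
    out = bytearray()
    for i in range(32):
        a, b = ror32(num1, i), ror32(num2, i)
        out.append((a ^ ((string1[i] - b) & MASK32)) & 0xFF)
    return bytes(out)


def recover_xor(string1, string2):
    """Bit 0 of a subtraction has no incoming borrow, so
    LSB(string2[i]) = LSB(num1_i) ^ LSB(string1[i]) ^ LSB(num2_i);
    with the rotation, round i exposes bit i of num1 ^ num2."""
    x = 0
    for i in range(32):
        x |= ((string2[i] ^ string1[i]) & 1) << i
    return x


def byte_candidates(k, x, string1, string2):
    """At round 8k the output depends only on byte_k(num1), byte_k(num2) and
    string1[8k].  With byte_k(num1) = byte_k(x) ^ b, try all 256 values of b."""
    xk = byte_at(x, k)
    s, t = string1[8 * k], string2[8 * k]
    return [b for b in range(256) if (xk ^ b ^ ((s - b) & 0xFF)) == t]


def solve(string1, string2):
    """Enumerate only the per-byte candidates for num2, derive num1 = num2 ^ x,
    and keep the pairs that reproduce string2 under the full loop."""
    x = recover_xor(string1, string2)
    cands = [byte_candidates(k, x, string1, string2) for k in range(4)]
    sols = []
    for b0, b1, b2, b3 in product(*cands):
        num2 = b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)
        num1 = num2 ^ x
        if judge_model(num1, num2, string1) == string2:
            sols.append((num1, num2))
    return cands, sols


# Constructed sample: NUM1 from the page's example input, NUM2 and STRING1 chosen here.
NUM1 = 0x12AB34CD
NUM2 = 0xB2B0B3B1
STRING1 = b"ctfking-" * 4                    # stands in for the known, machine-code-derived string
STRING2 = judge_model(NUM1, NUM2, STRING1)   # the known target the loop output must match

if __name__ == "__main__":
    cands, sols = solve(STRING1, STRING2)
    print("num1 ^ num2 =", hex(recover_xor(STRING1, STRING2)))
    print("candidates per byte of num2:", [len(c) for c in cands])
    for n1, n2 in sols:
        print("num1=%08x num2=%08x" % (n1, n2))
```

With this sample the LSB pass recovers num1 ^ num2 exactly, each byte of num2 is narrowed from 256 values to 8, and the full check runs over 8^4 = 4096 pairs instead of 2^64, which is the reduction the writeup relies on. The number of candidates per byte depends on the real loop and on string1, so on the actual binary the per-byte test has to be rewritten against the decompiled round function before the counts mean anything.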
October Month Race