CTF中的字节爆破技术详解<\/h1>

一、字节爆破技术概述<\/h2>
字节爆破是CTF比赛中解决加密类题目的重要技术手段，主要针对单字节或多字节加密的情况。其核心思想是通过自动化方式逐个或成组尝试可能的字符组合，利用程序反馈信息判断当前字节是否正确。<\/p>

二、方法一：利用exit返回下标<\/h2>

1. 基本原理<\/h3>
通过修改程序，使比较失败时exit返回当前比对成功的下标值，作为判断字节是否正确的依据。<\/p>

2. 实战案例：吾杯CTF re的love题目<\/h3>

2.1 前期处理<\/h4>

题目中存在需要解密的段<\/li>

通过函数调用前的栈操作反推需要异或的值<\/li> <\/ul>

IDC脚本示例：<\/strong><\/p>

#include<\/span> <idc.idc><\/span>
<\/span><\/span><\/span><\/span>static<\/span> main<\/span>(){
<\/span><\/span>    auto<\/span> des =<\/span> 0x176d<\/span>;
<\/span><\/span>    auto<\/span> addr=<\/span>0x155f<\/span>;
<\/span><\/span>    auto<\/span> i;
<\/span><\/span>    for<\/span>(i =<\/span> 0<\/span>;addr+<\/span>i!=<\/span>des; ++<\/span>i){
<\/span><\/span>        PatchByte(addr+<\/span>i,Byte(addr+<\/span>i)^<\/span>0x43<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>#include<\/span> <idc.idc><\/span>
<\/span><\/span><\/span><\/span>static<\/span> main<\/span>(){
<\/span><\/span>    auto<\/span> des =<\/span> 0x155f<\/span>;
<\/span><\/span>    auto<\/span> addr=<\/span>0x12CB<\/span>;
<\/span><\/span>    auto<\/span> i;
<\/span><\/span>    for<\/span>(i =<\/span> 0<\/span>;addr+<\/span>i!=<\/span>des; ++<\/span>i){
<\/span><\/span>        PatchByte(addr+<\/span>i,Byte(addr+<\/span>i)^<\/span>0x44<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 题目分析<\/h4>

检查flag开头是否为"wucup"<\/li>
采用单字节加密方式<\/li>
<\/ul>
2.3 程序修改步骤<\/h4>

修改程序使比较错误字节时exit返回当前下标值<\/li>
编写Python脚本接收退出值实现爆破<\/li>
定位并修改汇编代码<\/li>
<\/ol>
2.4 Python爆破脚本<\/h4>
import<\/span> string
<\/span><\/span>import<\/span> itertools
<\/span><\/span>import<\/span> subprocess
<\/span><\/span>import<\/span> time
<\/span><\/span>from<\/span> paramiko.util import<\/span> mod_inverse
<\/span><\/span>
<\/span><\/span>alp =<\/span> "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!<\/span>{}<\/span>_"<\/span>
<\/span><\/span>input_data =<\/span> "WuCup<\/span>{aaaaaaaaaaaaaaaaaaaa}<\/span>"<\/span>
<\/span><\/span>exe_file_path =<\/span> r<\/span>"\/home\/ubuntu\/pycharm\/cx\/pythonProject\/love"<\/span>
<\/span><\/span>star =<\/span> ord('0'<\/span>) +<\/span> 1<\/span>
<\/span><\/span>flag=<\/span>0<\/span>
<\/span><\/span>ans =<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(6<\/span>,len(input_data)-<\/span>1<\/span>):
<\/span><\/span>    for<\/span> chars in<\/span> itertools.<\/span>product(alp, repeat=<\/span>1<\/span>):
<\/span><\/span>        modified_data =<\/span> (input_data[:i *<\/span> 1<\/span>] +<\/span> ''<\/span>.<\/span>join(chars) +<\/span> input_data[(i +<\/span> 1<\/span>) *<\/span> 1<\/span>:])
<\/span><\/span>        process =<\/span> subprocess.<\/span>Popen(
<\/span><\/span>            exe_file_path,
<\/span><\/span>            stdin=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            stdout=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            stderr=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            text=<\/span>True<\/span>
<\/span><\/span>        )
<\/span><\/span>        stdout, stderr =<\/span> process.<\/span>communicate(input=<\/span>modified_data)
<\/span><\/span>        print(process.<\/span>returncode)
<\/span><\/span>        print(modified_data)
<\/span><\/span>        print(stdout)
<\/span><\/span>        
<\/span><\/span>        if<\/span> process.<\/span>returncode><\/span>flag:
<\/span><\/span>            flag=<\/span>process.<\/span>returncode
<\/span><\/span>            input_data=<\/span>modified_data
<\/span><\/span>            break<\/span>
<\/span><\/span>            
<\/span><\/span>        if<\/span> "Congratulations"<\/span> in<\/span> stdout:
<\/span><\/span>            print(stdout)
<\/span><\/span>            print(modified_data)
<\/span><\/span>            exit(0<\/span>)
<\/span><\/span>            
<\/span><\/span>print(input_data)
<\/span><\/span><\/code><\/pre>注意事项：<\/strong><\/p>

该脚本需要在Ubuntu等Linux环境下运行<\/li>
<\/ul>
三、方法二：通过回显进行爆破<\/h2>
1. 基本原理<\/h3>
利用程序输出的回显信息判断当前字节是否正确。<\/p>
2. 实战案例：BuildCTF的ezvm题目<\/h3>
2.1 题目特点<\/h4>

VM类题目，有op值指定对应操作<\/li>
动态调试发现连续执行两次操作，属于双字节加密<\/li>
<\/ul>
2.2 程序修改要点<\/h4>

定位关键修改位置<\/li>
处理空间不足问题（使用jmp跳转到空白区域编写代码）<\/li>
修改后的程序逻辑<\/li>
<\/ol>
2.3 Python爆破脚本<\/h4>
import<\/span> string
<\/span><\/span>import<\/span> itertools
<\/span><\/span>import<\/span> subprocess
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>alp =<\/span> "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!<\/span>{}<\/span>_"<\/span>
<\/span><\/span>input_data =<\/span> "aaaaaaaaaaaaaaaaaaaaaaaa"<\/span>
<\/span><\/span>exe_file_path =<\/span> r<\/span>"D:\桌面\ez_vm\ez_vm\ez_vm.exe"<\/span>
<\/span><\/span>star =<\/span> ord('A'<\/span>) +<\/span> 2<\/span>
<\/span><\/span>ans =<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(len(input_data)\/\/<\/span>2<\/span>):
<\/span><\/span>    for<\/span> chars in<\/span> itertools.<\/span>product(alp, repeat=<\/span>2<\/span>):
<\/span><\/span>        modified_data =<\/span> (input_data[:i *<\/span> 2<\/span>] +<\/span> ''<\/span>.<\/span>join(chars) +<\/span> input_data[(i +<\/span> 1<\/span>) *<\/span> 2<\/span>:])
<\/span><\/span>        process =<\/span> subprocess.<\/span>Popen(
<\/span><\/span>            exe_file_path,
<\/span><\/span>            stdin=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            stdout=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            stderr=<\/span>subprocess.<\/span>PIPE,
<\/span><\/span>            text=<\/span>True<\/span>
<\/span><\/span>        )
<\/span><\/span>        print(modified_data)
<\/span><\/span>        stdout, stderr =<\/span> process.<\/span>communicate(input=<\/span>modified_data)
<\/span><\/span>        
<\/span><\/span>        flag_prompt =<\/span> "Please input your flag :"<\/span>
<\/span><\/span>        output_after_flag_prompt =<\/span> stdout.<\/span>split(flag_prompt, 1<\/span>)[-<\/span>1<\/span>].<\/span>strip() if<\/span> flag_prompt in<\/span> stdout else<\/span> ""<\/span>
<\/span><\/span>        num =<\/span> output_after_flag_prompt
<\/span><\/span>        
<\/span><\/span>        if<\/span> num ==<\/span> chr(star):
<\/span><\/span>            ans +=<\/span> ''<\/span>.<\/span>join(chars)
<\/span><\/span>            input_data =<\/span> modified_data
<\/span><\/span>            print('[!]<\/span>\t<\/span>'<\/span> +<\/span> ans)
<\/span><\/span>            star +=<\/span> 2<\/span>
<\/span><\/span>            break<\/span>
<\/span><\/span>        elif<\/span> 'You did it! Flag is '<\/span> in<\/span> num:
<\/span><\/span>            ans +=<\/span> ''<\/span>.<\/span>join(chars)
<\/span><\/span>            print('[!]<\/span>\t<\/span>'<\/span> +<\/span> ans)
<\/span><\/span>            exit(0<\/span>)
<\/span><\/span>        else<\/span>:
<\/span><\/span>            continue<\/span>
<\/span><\/span><\/code><\/pre>最终flag示例：<\/strong> vMp_1s_r0u9h_ORZ<\/code><\/p>
四、总结与扩展<\/h2>


爆破方法多样性<\/strong>：<\/p>

除了上述两种方法，还可利用程序崩溃、时间延迟等作为判断依据<\/li>
核心思路是让程序返回可判断flag正确位数的信息<\/li>
<\/ul>
<\/li>

适用场景<\/strong>：<\/p>

单字节加密（如异或、加减等简单加密）<\/li>
多字节组合加密（如双字节、四字节等）<\/li>
VM类题目中的加密操作<\/li>
<\/ul>
<\/li>

优化方向<\/strong>：<\/p>

根据字符集缩小爆破范围<\/li>
利用已知flag格式减少尝试次数<\/li>
并行化处理提高爆破速度<\/li>
<\/ul>
<\/li>

防御措施<\/strong>：<\/p>

作为出题者，可加入反爆破机制<\/li>
增加时间延迟或随机因素<\/li>
使用更复杂的加密方式组合<\/li>
<\/ul>
<\/li>
<\/ol>

CTF中的字节爆破技术详解<\/h1>

二、方法一：利用exit返回下标<\/h2>

1. 基本原理<\/h3> 通过修改程序，使比较失败时exit返回当前比对成功的下标值，作为判断字节是否正确的依据。<\/p>

2. 实战案例：吾杯CTF re的love题目<\/h3>

三、方法二：通过回显进行爆破<\/h2>

1. 基本原理<\/h3> 利用程序输出的回显信息判断当前字节是否正确。<\/p>

2. 实战案例：BuildCTF的ezvm题目<\/h3>

1. 基本原理<\/h3>
通过修改程序，使比较失败时exit返回当前比对成功的下标值，作为判断字节是否正确的依据。<\/p>

1. 基本原理<\/h3>
利用程序输出的回显信息判断当前字节是否正确。<\/p>