CorCTF 2024 DigestMe 逆向分析完整解析<\/h1>

题目概述<\/h2>
本题是CorCTF 2024中的一个逆向题目，名为"DigestMe"。题目描述了一位名为FizzBuzz101的开发者在编写一个秘密编译器时电脑被Crowdstrike攻击，恢复密钥被放在他自己编写的一个哈希器中。挑战者需要逆向分析这个哈希器来获取恢复密钥。<\/p>

初步分析<\/h2>

文件特征<\/h3>

程序是一个非常大的C代码编译而成<\/li>
IDA反编译提示函数过大（0x1090到0xED97F，约90万行汇编）<\/li>

代码分为两部分：

开头的普通处理逻辑<\/li>

大量重复的操作序列<\/li> <\/ol> <\/li> <\/ul>

初始逆向技巧<\/h3>

Patch技巧<\/strong>：将程序中间某处patch成ret，阻断IDA对后续逻辑的分析，以便使用F5查看简化逻辑<\/li>

输入验证分析<\/strong>：

输入必须以"corctf{"开头，以"}"结尾<\/li>
输入长度至少18个字符（从s[7]~s[17]）<\/li>
特定约束关系：
s[8<\/span>] ==<\/span> s[17<\/span>] <\/span><\/span>s[9<\/span>] ==<\/span> s[11<\/span>] <\/span><\/span>s[7<\/span>] ==<\/span> s[16<\/span>] +<\/span> 1<\/span> <\/span><\/span>s[14<\/span>] ==<\/span> s[16<\/span>] +<\/span> 4<\/span> <\/span><\/span><\/code><\/pre><\/li> 循环边界表明输入长度很可能是19字节<\/li> <\/ul> <\/li> <\/ol> 深入逆向分析<\/h2> 内存操作模式<\/h3> 程序对一个大内存空间（称为tmp或v3）进行大量操作，主要分为四种类型：<\/p> 与操作<\/strong>：两个32字节连续内存空间的与处理<\/li> 或操作<\/strong>：两个32字节连续内存空间的或处理<\/li> 异或操作<\/strong>：两个32字节连续内存空间的异或处理<\/li> 混合操作<\/strong>：与\/或\/异或处理，同时混入0B40h和0B41h进行操作<\/li> <\/ol> 加法运算识别<\/h3> 通过分析汇编代码，发现以下模式：<\/p> mov cl, [rax+87h] xor cl, [rax+7] ; a[af] = a[87]^a[7] mov [rax+0A7h], cl mov cl, [rax+87h] and cl, [rax+7] ; a[B40] = a[87]&a[7] mov [rax+0B40h], cl mov cl, [rax+86h] xor cl, [rax+6] ; a[b41] = a[86]^a[6] mov [rax+0B41h], cl mov cl, [rax+0B41h] xor cl, [rax+0B40h] ; a[ae] = a[b40]^a[b41] mov [rax+0A6h], cl <\/code><\/pre> 这实际上是模拟加法运算：<\/p> a[87]^a[7]：当前位的和<\/li> a[87]&a[7]：进位位<\/li> 将进位影响下一位的运算<\/li> <\/ul> 数据排列方式<\/h3> 单个数据按小端序排列<\/li> 4个数字也按小端序排序<\/li> 示例： 0x1000000: [0 0 0 0 1 0 0 1] [1 0 0 0 1 0 1 0] # a[0] = 0x9, a[1] = 0x8a 0x1000008: [0 0 0 0 1 0 0 0] [1 0 0 0 1 0 0 0] # a[2] = 0x8, a[3] = 0x88 组合后: a = 0x88088a09 <\/code><\/pre> <\/li> <\/ul> 循环位移操作<\/h3> 发现代码中存在循环右移操作：<\/p> mov cl, [rax+98h] or cl, [rax+118h] mov [rax+0CCh], cl <\/code><\/pre> 实际操作为：<\/p> def<\/span> rotate_right<\/span>(num, shift_amount): <\/span><\/span> shift_amount =<\/span> shift_amount %<\/span> 32<\/span> <\/span><\/span> return<\/span> (num >><\/span> shift_amount) |<\/span> (num <<<\/span> (32<\/span> -<\/span> shift_amount)) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span><\/code><\/pre>其中shift_amount<\/code>由被操作数和操作数的偏移计算得出：<\/p> def<\/span> reverse_origin_offset<\/span>(offset): <\/span><\/span> return<\/span> (offset\/\/<\/span>8<\/span>)*<\/span>8<\/span> +<\/span> (8<\/span> -<\/span> (offset%<\/span>8<\/span>)) <\/span><\/span><\/code><\/pre>算法识别<\/h2> MD5特征值<\/h3> 在dump出的数据中发现MD5的魔数：<\/p> 0xd76aa478<\/li> 0xe8c7b756<\/li> 其他MD5特征常量<\/li> <\/ul> MD5变换函数对比<\/h3> 程序逻辑与MD5的md5_transform<\/code>函数高度相似：<\/p> static<\/span> void<\/span> md5_transform<\/span>(const<\/span> unsigned<\/span> char<\/span> block[64<\/span>]) { <\/span><\/span> int<\/span> i, j; <\/span><\/span> UINT4 a,b,c,d,tmp; <\/span><\/span> const<\/span> UINT4 *<\/span>x =<\/span> (UINT4 *<\/span>) block; <\/span><\/span> <\/span><\/span> a =<\/span> state[0<\/span>]; <\/span><\/span> b =<\/span> state[1<\/span>]; <\/span><\/span> c =<\/span> state[2<\/span>]; <\/span><\/span> d =<\/span> state[3<\/span>]; <\/span><\/span> <\/span><\/span> \/* Round 1 *\/<\/span> <\/span><\/span> for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 16<\/span>; i++<\/span>) { <\/span><\/span> tmp =<\/span> a +<\/span> F(b, c, d) +<\/span> le32_to_cpu(x[i]) +<\/span> T[i]; <\/span><\/span> tmp =<\/span> ROTATE_LEFT(tmp, s1[i &<\/span> 3<\/span>]); <\/span><\/span> tmp +=<\/span> b; <\/span><\/span> a =<\/span> d; d =<\/span> c; c =<\/span> b; b =<\/span> tmp; <\/span><\/span> } <\/span><\/span> \/* 类似结构处理Round 2-4 *\/<\/span> <\/span><\/span> <\/span><\/span> state[0<\/span>] +=<\/span> a; <\/span><\/span> state[1<\/span>] +=<\/span> b; <\/span><\/span> state[2<\/span>] +=<\/span> c; <\/span><\/span> state[3<\/span>] +=<\/span> d; <\/span><\/span>} <\/span><\/span><\/code><\/pre>最终验证<\/h3> 程序最后比较两个特定的哈希值：<\/p> cmp dword ptr [rsp+4C8h+var_4A8+8], 19C603BAh ; tmp[2] == 0xba03c619 cmp dword ptr [rsp+4C8h+var_4A8+0Ch], 14353CE4h ; tmp[3] == 0xe43c3514 <\/code><\/pre> 解题方法<\/h2> 约束条件总结<\/h3> 输入格式：corctf{...}<\/code>，长度19字节<\/li> 有效内容长度：11字节（扣除固定部分）<\/li> 特定约束： flag[8] == flag[17]<\/li> flag[9] == flag[11]<\/li> flag[7] == flag[16] + 1<\/li> flag[14] == flag[16] + 4<\/li> <\/ul> <\/li> <\/ol> 爆破策略<\/h3> 由于Z3求解器无法在合理时间内解决（约1e12种可能性），采用CUDA加速爆破：<\/p> 修改CUDA MD5爆破工具<\/strong>：<\/p> 调整初始化逻辑以匹配题目要求<\/li> 修改MD5计算函数以包含特定填充规则<\/li> <\/ul> <\/li> 关键修改点<\/strong>：<\/p> \/\/ 设置映射关系 <\/span><\/span><\/span><\/span>char<\/span> mapping_index[8<\/span>] =<\/span> {0<\/span>,1<\/span>,2<\/span>,3<\/span>,5<\/span>,6<\/span>,8<\/span>}; <\/span><\/span> <\/span><\/span>\/\/ 应用约束条件 <\/span><\/span><\/span><\/span>threadTextWord[9<\/span>] =<\/span> threadTextWord[0<\/span>] -<\/span> 1<\/span>; <\/span><\/span>threadTextWord[7<\/span>] =<\/span> threadTextWord[9<\/span>] +<\/span> 4<\/span>; <\/span><\/span>threadTextWord[10<\/span>] =<\/span> threadTextWord[1<\/span>]; <\/span><\/span>threadTextWord[4<\/span>] =<\/span> threadTextWord[2<\/span>]; <\/span><\/span> <\/span><\/span>\/\/ 修改MD5填充 <\/span><\/span><\/span><\/span>vals[i \/<\/span> 4<\/span>] |=<\/span> 0x80<\/span> <<<\/span> ((i %<\/span> 4<\/span>) *<\/span> 8<\/span>); <\/span><\/span>vals[56<\/span> \/<\/span> 4<\/span>] |=<\/span> 0x58<\/span> <<<\/span> ((56<\/span> %<\/span> 4<\/span>) *<\/span> 8<\/span>); <\/span><\/span><\/code><\/pre><\/li> 目标哈希<\/strong>：<\/p> 查找产生特定MD5部分哈希(0xba03c619, 0xe43c3514)的输入<\/li> <\/ul> <\/li> <\/ol> 最终结果<\/h3> 经过约3小时的CUDA爆破，得到有效输入：<\/p> cPv3v8VfWbP <\/code><\/pre> 完整flag：<\/p> corctf{youtu.be\/dQw4w9WgXcQ} <\/code><\/pre> 总结<\/h2> 逆向技巧<\/strong>：<\/p> 对超大函数使用分段分析<\/li> 识别重复模式并自动化处理<\/li> 通过对比调试验证算法理解<\/li> <\/ul> <\/li> 算法识别<\/strong>：<\/p> 注意特征常量和数据结构<\/li> 对比已知算法（如MD5）的结构<\/li> <\/ul> <\/li> 解题策略<\/strong>：<\/p> 当符号执行不可行时，考虑约束爆破<\/li> 利用GPU加速大规模计算<\/li> <\/ul> <\/li> 工具使用<\/strong>：<\/p> IDA Python脚本自动化分析<\/li> CUDA编程实现高性能计算<\/li> <\/ul> <\/li> <\/ol> 本题展示了现代CTF逆向题目的典型特点：需要结合逆向工程、算法识别和高效计算技术才能解决。<\/p>