谁能给个思路，关于破解的

显示全部楼层 · 2021-1-27 06:56:28

有16个数据(A1~A6,B1~B6,C1~C4)，要生成8个数据(S1~S8)，我用主机模拟得到以下关系
A1->>S4S6B1->>S1S7C1->>S3S6
A2->>S6S8B2->>S4S8C2->>S2S4
A3->>S3S5B3->>S1S8C3->>S5S6
A4->>S7S8B4->>S3S7C4->>S1S4
A5->>S2S7B5->>S2S3
A6->>S2S5B6->>S1S5
主机是这样模拟的：A1++，其他为0，返回S4,S6发生变化(两数字相同)，其他类似，这个过程中我得到了两个表格,其中A1~A6生成的表格是一样的（一张表格)，B5,B6,C1~C4生成的表格也是一样的(另外一张表格）,B1~B4变化生成的表格与前述两张表格重复。
变化数S1S2S3S4S5S6S7S8
A1=0,其他为0FF,FF,FF,FF,FF,FF,FF,FF
A1=1,其他为0FF,FF,FF,5E,FF,5E,FF,FF
A1=0xff其他为0FF,FF,FF,F2,FF,F2,FF,FF由此生成一个256字节的表格，每个数唯一
B1=0,其他为0FF,FF,FF,FF,FF,FF,FF,FF
B1=1,其他为05E,FF,FF,FF,FF,FF,C4,FF
B1=0xff其他为0F2,FF,FF,FF,FF,FF,5B,FF
B5=0,其他为0FF,FF,FF,FF,FF,FF,FF,FF
B5=1,其他为0FF,C4,C4,FF,FF,FF,FF,FF
B5=0xff其他为0FF,5B,5B,FF,FF,FF,FF,FF由此生成另外一个256字节的表格，每个数唯一
因此可以得到如下关系
S1->>B1B3B6C4
S2->>A5A6B5C2
S3->>A3B4B5C1
S4->>A1B2C2C4
S5->>A3A6B6C3
S6->>A1A2C1C3
S7->>A4A5B1B4
S8->>A2A4B2B3
并且我发现若A1,A3~A6,B1~B6,C1~C4改变任意一个字节(针对我抓到的原始数据)，都有
S[1]=table1[B1]^table1[B3]^table2[B6]^table2[C4]^0xff;
S[2]=table1[A5]^table1[A6]^table2[B5]^table2[C2]^0xff;
S[3]=table1[A3]^table1[B4]^table2[B5]^table2[C1]^0xff;
...
S[8]=table1[A2]^table1[A4]^table2[B2]^table2[B3]^0xff;
但只要用抓到的原始数据去读取从机数据，结果就发生了突变(不是公式得出的结果)。A2从0~0xFF发生变化，很多地方会发生突变(32个地方)
针对这个突变我发现只要用我这个公式得到的S1^S2^...^S8=0的时候,真的S1^S2^...^S8=0。到这里为止我就卡住了，
想问问坛上的高人要走下去的话还有什么地方需要去留意。
以下为一组数据
unsignedcharDatA[]={0x40,0x81,0x81,0x81,0x81,0x81,0x81};
unsignedcharDatb[]={0x46,0x81,0x81,0x81,0x81,0xef,0x65};
unsignedcharDatC[]={0x4c,0x7b,0x43,0x75,0x0c};//0x22,0xe6,0xa3,0x8f,0x1e,0xf6,0xff,0xff
/*原始数据查表真正结果
S1B1/B3/B6/C481,81,65,0c//|30^30^31^b2^ff=7c->22(formertable)关系???
S2A5/A6/B5/C281,81,ef,43//-30^30^cf^1f^ff=2f->e6
S3A3/B4/B5/C181,81,ef,7b//|30^30^cf^ea^ff=da->a3(formertable)
S4A1/B2/C2/C481,81,43,0c//|30^30^1f^b2^ff=52->8f(formertable)
S5A3/A6/B6/C381,81,65,75//-30^30^31^8a^ff=44->1e
S6A1/A2/C1/C381,81,7b,75//-30^30^ea^8a^ff=9f->f6
S7A4/A5/B1/B481,81,81,81//|30^30^8b^8b^ff=ff->ff(latertable)
S8A2/A4/B2/B381,81,81,81//|30^30^8b^8b^ff=ff->ff(latertable)*/
分 -->

千问 · 2021-1-27 06:56:28

lz说的我也不太懂,我觉得可以试一试这个思路,看
7c->22
2f->e6
这种转化是不是稳定的,如果每次都是这样转换的,那么做一个表来查也不算太麻烦

千问 · 2021-1-27 06:56:28

多谢楼上回帖，不是固定的，如果是固定的就好办了，可能是我没描述清楚。
两个表格:
unsignedchartable1[256]={
0xFF,0x5E,0x57,0x9C,0x28,0xC1,0x7B,0x59,0x48,0x2A,0x04,0xEB,0x98,0xE9,0xF7,0x43,
0xA3,0xEA,0xCA,0xD8,0xA7,0x8C,0x6F,0xAA,0xF8,0xB1,0x06,0x4E,0xA5,0x8A,0x6D,0x67,
0x72,0x0C,0xBB,0x33,0x14,0xB0,0x53,0xEE,0xB4,0x1B,0x34,0x10,0x21,0x38,0x91,0x61,
0x76,0x70,0xFC,0x32,0xF6,0x56,0x89,0x6A,0x93,0xDF,0x4F,0xD6,0x1A,0xC7,0x87,0x68,
0x9E,0x8F,0x7F,0xE8,0xD0,0x18,0x86,0x47,0x3A,0xB8,0x64,0xBC,0x50,0x49,0x82,0xBD,
0x4D,0xDC,0xE4,0x78,0x3C,0xCC,0xC3,0xD3,0x62,0x2C,0xD7,0x17,0x9D,0x65,0x2F,0xCF,
0xC6,0xA0,0xE0,0xC8,0xBF,0x45,0xFD,0xE6,0xD5,0xC0,0x41,0x96,0x9F,0x02,0xAC,0x3E,
0x20,0x1E,0xF4,0xA6,0xED,0xA4,0xFE,0x40,0xE2,0x6E,0xF0,0xAD,0xEC,0x03,0x1C,0x90,
0x44,0x30,0xDA,0xD9,0xBA,0x81,0x79,0x5D,0x5F,0x2B,0xAE,0xBE,0x1D,0x07,0x7D,0x09,
0x39,0x5C,0xCB,0x36,0x25,0xE7,0x55,0xD1,0xEF,0xDB,0x13,0xCD,0x60,0xAB,0x1F,0xB6,
0x51,0x8D,0x7A,0x24,0xD4,0x54,0xAF,0x15,0x63,0x6B,0x4C,0x35,0x19,0x8E,0x7E,0x00,
0xB2,0x9B,0xFA,0x11,0x3B,0x0F,0x3D,0xC4,0x4A,0x0B,0xA1,0xDD,0x77,0x23,0xCE,0x5B,
0x75,0x2D,0x08,0x22,0xB3,0x9A,0x29,0x0E,0x71,0x12,0xA8,0xC9,0xA2,0x5A,0xF3,0xF9,
0x88,0x74,0xD2,0xF5,0x4B,0x26,0x3F,0xE1,0x16,0xC5,0x0A,0xB5,0xE5,0xB9,0x92,0xB7,
0x99,0x85,0x6C,0x31,0x8B,0x80,0xDE,0x27,0x83,0xC2,0x69,0x84,0x2E,0xFB,0x95,0xF1,
0xE3,0x05,0x7C,0x66,0xA9,0x73,0x0D,0x94,0x42,0x52,0x37,0x58,0x01,0x46,0x97,0xF2};
unsignedchartable2[256]={
0xFF,0xC4,0xB3,0x76,0x84,0x5A,0x88,0xE8,0x00,0x61,0x64,0x63,0xB2,0x5C,0x1E,0xF3,
0x0D,0xB8,0x95,0x11,0xC3,0x72,0xB9,0x0E,0xC9,0xB4,0x93,0x05,0x0A,0x18,0x6C,0xED,
0x7E,0x03,0xE0,0x26,0x0F,0x16,0xAF,0x39,0x3C,0xFB,0x06,0xD4,0x8E,0xBB,0x29,0x1B,
0xE4,0xD2,0x85,0x6F,0x2B,0xE3,0x8D,0xE1,0xF4,0x17,0x13,0xEB,0x4E,0x7A,0x28,0x73,
0xC6,0xA1,0xCD,0x1F,0xDD,0xAB,0x97,0x04,0x75,0xB0,0x08,0x59,0xDA,0x15,0x83,0x9E,
0x40,0x66,0x9B,0x52,0x38,0xA8,0xB7,0x36,0x8C,0x43,0x46,0xF0,0x62,0x34,0xCA,0x42,
0x23,0xC2,0xFC,0xCC,0xBA,0x31,0x3F,0x87,0x41,0x58,0x69,0xA5,0x7C,0x2F,0xA3,0x8F,
0xEF,0x51,0x55,0x0C,0x9C,0x8A,0xF6,0xBF,0x32,0x60,0x20,0xEA,0x19,0x44,0x3A,0xC0,
0x14,0x8B,0xAD,0xC5,0xE7,0x37,0xD1,0x4C,0x9D,0xD0,0x3E,0x9A,0x98,0x01,0x2E,0xDB,
0xCB,0x30,0x49,0xA7,0x5D,0x10,0x35,0xF9,0x67,0x77,0xD7,0xBC,0x4B,0x4A,0xD8,0xA0,
0x71,0x0B,0x7F,0x47,0xF8,0x57,0x6E,0xE6,0xB1,0x56,0xFA,0x54,0xBD,0xF2,0xB6,0xEC,
0x48,0x92,0x78,0x1D,0xFE,0xAE,0xBE,0xB5,0x25,0x70,0x2C,0xF1,0x80,0x2A,0x6B,0x22,
0xD5,0xAA,0x6D,0xF5,0x02,0x99,0x1C,0x3B,0xCE,0x4F,0x9F,0xAC,0xD3,0xA6,0xD9,0xDE,
0xC7,0x33,0xC8,0xD6,0x6A,0xE2,0xE9,0x7B,0x07,0x65,0x82,0x90,0xA9,0x2D,0x4D,0x86,
0x79,0x91,0xC1,0xE5,0x81,0x12,0x96,0xF7,0x45,0xA4,0x09,0x5F,0xEE,0xDC,0xFD,0xCF,
0x3D,0x1A,0x53,0x7D,0x27,0x68,0x74,0xDF,0x94,0x5E,0x21,0x24,0x50,0xA2,0x89,0x5B};
array.h
//以下为我抓到的数据，
unsignedchararray195[16]=//shouldreturn{0x42,0xf6,0xe1,0xae,0x7b,0x49,0xa7,0x6e}
{0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0xd4,0x4e,0x1d,0x0c,0x3c,0x0a,0xda,0x5c};
unsignedchararray196[16]=//shouldreturn{0x70,0xd6,0x2c,0x46,0xf7,0x4c,0x05,0x72}
{0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0xad,0x2e,0x09,0x44,0x27,0x71};
unsignedchararray197[16]=//shouldreturn{0xfc,0x03,0x33,0x8c,0x18,0xcf,0xbd,0x2a}
{0xc7,0x60,0xc7,0x60,0xc7,0x60,0xc7,0x60,0xc7,0x60,0x8e,0x6e,0xa2,0x36,0x97,0xf4};
unsignedchararray198[16]=//shouldreturn{0xcd,0x65,0xb1,0x79,0x79,0x19,0xff,0xff}
{0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0x1d,0xa4,0x43,0x39,0xda,0xf4};
unsignedchararray199[16]=//shouldreturn{0x70,0xd6,0x2c,0x46,0xf7,0x4c,0x05,0x72}
{0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0x52,0xea,0xad,0x2e,0x09,0x44,0x27,0x71};
unsignedchararray200[16]=//shouldreturn{0x7b,0x4b,0xf8,0x52,0xd1,0x45,0xc7,0x4a}
{0x32,0x9f,0x32,0x9f,0x32,0x9f,0x32,0x9f,0x32,0x9f,0x2d,0x31,0x85,0xf9,0xd8,0x17};
unsignedchararray201[16]=//shouldreturn{0x05,0xb6,0xfc,0x6f,0x35,0xd4,0x24,0xe5}
{0xcc,0xff,0xcc,0xff,0xcc,0xff,0xcc,0xff,0xcc,0xff,0x73,0xd9,0xd4,0xb2,0xea,0x21};
//上面数据中有些数组前面10个数据是比较特殊的，这种数组得出的8个值异或后肯定=0
main.c
#definearrayXarray##201
voidmain()
{
unsignedcharres=0,sum=0;
unsignedcharrxor=0,r[8];
unsignedinti;
unsignedchar*pchar;
for(i=0;i<16;i=i+1)
{
res^=arrayX;
}
for(i=0;i<16;i=i+1)
{
sum+=arrayX;
}
r[0]=table1[arrayX[6]]^table1[arrayX[8]]^table2[arrayX[0xb]]^table2[arrayX[0xf]]^0xff;
r[1]=table1[arrayX[4]]^table1[arrayX[5]]^table2[arrayX[0xa]]^table2[arrayX[0xd]]^0xff;
r[2]=table1[arrayX[2]]^table1[arrayX[9]]^table2[arrayX[0xa]]^table2[arrayX[0xc]]^0xff;
r[3]=table1[arrayX[0]]^table1[arrayX[7]]^table2[arrayX[0xd]]^table2[arrayX[0xf]]^0xff;
r[4]=table1[arrayX[2]]^table1[arrayX[5]]^table2[arrayX[0xb]]^table2[arrayX[0xe]]^0xff;
r[5]=table1[arrayX[0]]^table1[arrayX[1]]^table2[arrayX[0xc]]^table2[arrayX[0xe]]^0xff;
r[6]=table1[arrayX[3]]^table1[arrayX[4]]^table2[arrayX[0x6]]^table2[arrayX[0x9]]^0xff;
r[7]=table1[arrayX[1]]^table1[arrayX[3]]^table2[arrayX[0x7]]^table2[arrayX[0x8]]^0xff;
rxor=r[0]^r[1]^r[2]^r[3]^r[4]^r[5]^r[6]^r[7];
while(1)
{}
}

千问 · 2021-1-27 06:56:28

因为抓取原始数据中如果有相同数据，但对应我计算出来的两个数据是不同的。比如对应这16个字节，
{0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0xd4,0x1d,0xa4,0x43,0x39,0xda,0xf4}
抓取的返回结果为{0xcd,0x65,0xb1,0x79,0x79,0x19,0xff,0xff}
但我计算出的数据为0x20,0xf0,0xf8,0xcf,0x85,0x62,0xff,0xff，两个0x79对应数据不同，所以无法用查表解决。

千问 · 2021-1-27 06:56:28

很牛逼，关注一下。

千问 · 2021-1-27 06:56:28

好长，mark下。

千问 · 2021-1-27 06:56:28

没看明白。
看来我要继续努力了。

千问 · 2021-1-27 06:56:28

有点困难
帮顶一下

千问 · 2021-1-27 06:56:28

如果认真做了加密，直接研究数据我觉得希望是渺茫的。