攻防世界|攻防世界 reverse reverse-for-the-holy-grail-350 攻防世界reversereverse-for-the-ho

reverse-for-the-holy-grail-350tu-ctf-2016
【攻防世界|攻防世界 reverse reverse-for-the-holy-grail-350】程序流程很简单，就一个检验函数：

1 __int64 __fastcall stringMod(__int64 *a1) 2 { 3__int64 length; // r9 4char *c_str; // r10 5__int64 i; // rcx 6signed int v4; // er8 7int *temp_2; // rdi 8int *temp_3; // rsi 9signed int t; // ecx 10signed int j; // er9 11int index; // er10 12unsigned int tmp; // eax 13int sign; // esi 14int v12; // esi 15int temp[24]; // [rsp+0h] [rbp-60h] 16 17memset(temp, 0, 0x48uLL); 18length = a1[1]; 19if ( length ) 20{ 21c_str = (char *)*a1; 22i = 0LL; 23v4 = 0; 24do 25{ 26v12 = c_str[i]; 27temp[i] = v12; 28if ( 3 * ((unsigned int)i / 3) == (_DWORD)i && v12 != firstchar[(unsigned int)i / 3] )// 当i是3的倍数时，str=first[i/3] 29// { 65, 105, 110, 69, 111, 97} 30v4 = -1; 31++i; 32} 33while ( i != length ); 34} 35else 36{ 37v4 = 0; 38} 39temp_2 = temp; 40temp_3 = temp; 41t = 666; 42do 43{ 44*temp_3 = t ^ *(unsigned __int8 *)temp_3; 45t += t % 5; 46++temp_3; 47} 48while ( &temp[18] != temp_3 ); // 异或操作 49j = 1; 50index = 0; 51tmp = 1; 52sign = 0; 53do// 0,1,2每三个数验证 54{ 55if ( sign == 2 ) 56{ 57if ( *temp_2 != thirdchar[index] )// { 751, 708, 732, 711, 734, 764, 0, 0 } 58// temp[2]= 59v4 = -1; 60if ( tmp % *temp_2 != masterArray[index] )// { 471, 12, 580, 606, 147, 108 } 61// 62// temp[0]*temp[1]%temp[2]= 63v4 = -1; 64++index; 65tmp = 1; 66sign = 0; 67} 68else// sign0,1, 69{ 70tmp *= *temp_2; // 0 tmp=temp[0] 71// 1 tmp=temp[0]*temp[1] 72if ( ++sign == 3 ) 73sign = 0; 74} 75++j; 76++temp_2; 77} 78while ( j != 19 ); // 18循环 79return (unsigned int)(t * v4); 80 }

wp:

1 firstchar=[65, 105, 110, 69, 111, 97] 2 thirdchar=[751, 708, 732, 711, 734, 764] 3 masterArray=[471, 12, 580, 606, 147, 108 ] 4 t=[] 5 x=666 6 for i in range(18): 7t.append(x) 8x+=x%5 9 flag=[0 for i in range(18)] 10 index=0 11 for i in range(0,18,3): 12flag[i]=firstchar[index]#0,3,6 13index+=1 14 index=0 15 for i in range(2,18,3): 16flag[i]=thirdchar[index]^t[i]#2 5,8 17index+=1 18 index=0 19 for i in range(1,18,3): 20for f in range(32,126):#常用可输入字符 21if (flag[i-1]^t[i-1])*(f^t[i])%(flag[i+1]^t[i+1])==masterArray[index]: 22flag[i]=f 23index+=1 24break; 25 26 print('tuctf{'+''.join(map(chr,flag))+'}')

tuctf{AfricanOrEuropean?}

转载于:https://www.cnblogs.com/DirWang/p/11575270.html