攻防世界|攻防世界 reverse Newbie_calculations

Newbie_calculations Hack-you-2014
题目名百度翻译成新手计算,那我猜应该是个实现计算器的题目。。。。
IDA打开程序,发现一长串的函数反复调用,而且程序没有输入,只有输出。额,那这样的话程序运行就应该输出flag,但程序中肯定会有垃圾循环操作,就让你跑不出来。0.0
这种题目就要分析函数作用,简化,自己实现算法。
程序流程:

1 for ( i = 0; i < 32; ++i ) 2flag[i] = 1; 3v121 = 0; 4puts("Your flag is:"); 5v3 = mul_401100(flag, 0x3B9ACA00); 6v4 = sub_401220(v3, 0x3B9AC9CE); 7mul_401100(v4, 2); 8v5 = add_401000(&flag[1], 0x4C4B40); 9v6 = sub_401220(v5, 0x65B9AA); 10v7 = add_401000(v6, 1666666); 11v8 = add_401000(v7, 45); 12v9 = mul_401100(v8, 2); 13add_401000(v9, 5); 14v10 = mul_401100(&flag[2], 0x3B9ACA00); 15v11 = sub_401220(v10, 999999950); 16v12 = mul_401100(v11, 2); 17add_401000(v12, 2); 18v13 = add_401000(&flag[3], 55); 19v14 = sub_401220(v13, 3); 20v15 = add_401000(v14, 4); 21sub_401220(v15, 1); 22v16 = mul_401100(&flag[4], 100000000); 23v17 = sub_401220(v16, 99999950); 24v18 = mul_401100(v17, 2); 25add_401000(v18, 2); 26v19 = sub_401220(&flag[5], 1); 27v20 = mul_401100(v19, 1000000000); 28v21 = add_401000(v20, 55); 29sub_401220(v21, 3); 30v22 = mul_401100(&flag[6], 1000000); 31v23 = sub_401220(v22, 999975); 32mul_401100(v23, 4); 33v24 = add_401000(&flag[7], 55); 34v25 = sub_401220(v24, 33); 35v26 = add_401000(v25, 44); 36sub_401220(v26, 11); 37v27 = mul_401100(&flag[8], 10); 38v28 = sub_401220(v27, 5); 39v29 = mul_401100(v28, 8); 40add_401000(v29, 9); 41v30 = add_401000(&flag[9], 0); 42v31 = sub_401220(v30, 0); 43v32 = add_401000(v31, 11); 44v33 = sub_401220(v32, 11); 45add_401000(v33, 53); 46v34 = add_401000(&flag[10], 49); 47v35 = sub_401220(v34, 2); 48v36 = add_401000(v35, 4); 49sub_401220(v36, 2); 50v37 = mul_401100(&flag[11], 1000000); 51v38 = sub_401220(v37, 999999); 52v39 = mul_401100(v38, 4); 53add_401000(v39, 50); 54v40 = add_401000(&flag[12], 1); 55v41 = add_401000(v40, 1); 56v42 = add_401000(v41, 1); 57v43 = add_401000(v42, 1); 58v44 = add_401000(v43, 1); 59v45 = add_401000(v44, 1); 60v46 = add_401000(v45, 10); 61add_401000(v46, 32); 62v47 = mul_401100(&flag[13], 10); 63v48 = sub_401220(v47, 5); 64v49 = mul_401100(v48, 8); 65v50 = add_401000(v49, 9); 66add_401000(v50, 48); 67v51 = sub_401220(&flag[14], 1); 68v52 = mul_401100(v51, -294967296); 69v53 = add_401000(v52, 55); 
70sub_401220(v53, 3); 71v54 = add_401000(&flag[15], 1); 72v55 = add_401000(v54, 2); 73v56 = add_401000(v55, 3); 74v57 = add_401000(v56, 4); 75v58 = add_401000(v57, 5); 76v59 = add_401000(v58, 6); 77v60 = add_401000(v59, 7); 78add_401000(v60, 20); 79v61 = mul_401100(&flag[16], 10); 80v62 = sub_401220(v61, 5); 81v63 = mul_401100(v62, 8); 82v64 = add_401000(v63, 9); 83add_401000(v64, 48); 84v65 = add_401000(&flag[17], 7); 85v66 = add_401000(v65, 6); 86v67 = add_401000(v66, 5); 87v68 = add_401000(v67, 4); 88v69 = add_401000(v68, 3); 89v70 = add_401000(v69, 2); 90v71 = add_401000(v70, 1); 91add_401000(v71, 20); 92v72 = add_401000(&flag[18], 7); 93v73 = add_401000(v72, 2); 94v74 = add_401000(v73, 4); 95v75 = add_401000(v74, 3); 96v76 = add_401000(v75, 6); 97v77 = add_401000(v76, 5); 98v78 = add_401000(v77, 1); 99add_401000(v78, 20); 100v79 = mul_401100(&flag[19], 1000000); 101v80 = sub_401220(v79, 999999); 102v81 = mul_401100(v80, 4); 103v82 = add_401000(v81, 50); 104sub_401220(v82, 1); 105v83 = sub_401220(&flag[20], 1); 106v84 = mul_401100(v83, -294967296); 107v85 = add_401000(v84, 49); 108sub_401220(v85, 1); 109v86 = sub_401220(&flag[21], 1); 110v87 = mul_401100(v86, 1000000000); 111v88 = add_401000(v87, 54); 112v89 = sub_401220(v88, 1); 113v90 = add_401000(v89, 1000000000); 114sub_401220(v90, 1000000000); 115v91 = add_401000(&flag[22], 49); 116v92 = sub_401220(v91, 1); 117v93 = add_401000(v92, 2); 118sub_401220(v93, 1); 119v94 = mul_401100(&flag[23], 10); 120v95 = sub_401220(v94, 5); 121v96 = mul_401100(v95, 8); 122v97 = add_401000(v96, 9); 123add_401000(v97, 48); 124v98 = add_401000(&flag[24], 1); 125v99 = add_401000(v98, 3); 126v100 = add_401000(v99, 3); 127v101 = add_401000(v100, 3); 128v102 = add_401000(v101, 6); 129v103 = add_401000(v102, 6); 130v104 = add_401000(v103, 6); 131add_401000(v104, 20); 132v105 = add_401000(&flag[25], 55); 133v106 = sub_401220(v105, 33); 134v107 = add_401000(v106, 44); 135v108 = sub_401220(v107, 11); 136add_401000(v108, 42); 
137add_401000(&flag[26], flag[25]); 138add_401000(&flag[27], flag[12]); 139v109 = flag[27]; 140v110 = sub_401220(&flag[28], 1); 141v111 = add_401000(v110, v109); 142sub_401220(v111, 1); 143v112 = flag[23]; 144v113 = sub_401220(&flag[29], 1); 145v114 = mul_401100(v113, 1000000); 146add_401000(v114, v112); 147v115 = flag[27]; 148v116 = add_401000(&flag[30], 1); 149mul_401100(v116, v115); 150add_401000(&flag[31], flag[30]); 151print_401C7F("CTF{"); 152for ( j = 0; j < 32; ++j ) 153print_401C7F("%c", SLOBYTE(flag[j])); 154print_401C7F("}\n"); 155return 0; 156 }

这道题目的关键就在于如何识别出上面这些函数的作用
// Multiplication primitive, shown as IDA decompiler pseudo-code.
// On return *a1 holds (original *a1) * a2 and a1 itself is returned, so calls can be chained.
// The result comes only from v8; v2, v5, v6 and v7 are computed but never used for it (junk).
// NOTE(review): the loops below terminate only through integer wraparound; this assumes
// 32-bit two's-complement arithmetic as in the compiled binary (signed overflow is not
// defined in ISO C, so this listing is for reading, not for recompiling).
_DWORD *__cdecl mul_401100(_DWORD *a1, int a2)
{
  int v2; // ST20_4
  signed int v4; // [esp+Ch] [ebp-1Ch]
  int v5; // [esp+14h] [ebp-14h]
  int v6; // [esp+18h] [ebp-10h]
  int v7; // [esp+1Ch] [ebp-Ch]
  int v8; // [esp+20h] [ebp-8h]

  v5 = *a1;
  v6 = a2;
  v4 = -1;
  v8 = 0;
  v7 = a2 * v5;
  while ( a2 ) // one pass per unit of a2: *a1 is accumulated into v8, so v8 ends as *a1 * a2
  {
    v2 = v7 * v5;
    add_401000(&v8, *a1); // each call runs add_401000's own counting loops, which is where the run time goes
    ++v7;
    --a2;
    v6 = v2 - 1;
  }
  while ( v4 ) // v4 counts from -1 down to 0 by wrapping; the net effect on *a1 is -1
  {
    ++v7;
    ++*a1;
    --v4;
    --v6;
  }
  ++*a1; // undoes the -1 left by the loop above
  *a1 = v8; // the accumulated product overwrites *a1, so the loop above has no effect on the result
  return a1;
}

// Addition primitive, shown as IDA decompiler pseudo-code.
// On return *a1 holds (original *a1) + a2 and a1 itself is returned, so calls can be chained.
// v2, v6 and v7 are written but never used for the result (junk).
// NOTE(review): both loops terminate only through integer wraparound; this assumes
// 32-bit two's-complement arithmetic as in the compiled binary (signed overflow is not
// defined in ISO C, so this listing is for reading, not for recompiling).
int *__cdecl add_401000(int *a1, int a2)
{
  int v2; // edx
  int v4; // [esp+Ch] [ebp-18h]
  int v5; // [esp+10h] [ebp-14h]
  int v6; // [esp+18h] [ebp-Ch]
  signed int v7; // [esp+1Ch] [ebp-8h]

  v5 = -1;
  v4 = -1 - a2 + 1; // v4 = -a2
  v7 = 1231;
  v2 = *a1;
  v6 = a2 + 1231;
  while ( v4 )
  // when this loop ends, *a1 == original *a1 + a2
  {
    ++v7;
    --*a1; // decremented (2^32 - a2) times in total, which equals +a2 modulo 2^32
    --v4; // counts from -a2 down until it wraps around to 0
    --v6;
  }
  while ( v5 ) // v5 counts from -1 down to 0 by wrapping; the net effect on *a1 is -1
  {
    --v6;
    ++*a1;
    --v5;
  }
  ++*a1; // the loop above left *a1 one too low; this restores the sum
  return a1;
}

// Subtraction primitive, shown as IDA decompiler pseudo-code.
// On return *a1 holds (original *a1) - a2 and a1 itself is returned, so calls can be chained.
// v5 and v6 are computed but never used for the result (junk).
// NOTE(review): both loops terminate only through integer wraparound; this assumes
// 32-bit two's-complement arithmetic as in the compiled binary (signed overflow is not
// defined in ISO C, so this listing is for reading, not for recompiling).
_DWORD *__cdecl sub_401220(_DWORD *a1, int a2)
{
  int v3; // [esp+8h] [ebp-10h]
  signed int v4; // [esp+Ch] [ebp-Ch]
  signed int v5; // [esp+14h] [ebp-4h]
  int v6; // [esp+14h] [ebp-4h]

  v4 = -1;
  v3 = -1 - a2 + 1; // v3 = -a2
  v5 = -1;
  while ( v3 ) // v3 counts from -a2 down until it wraps around to 0
  {
    ++*a1; // incremented (2^32 - a2) times in total, which equals -a2 modulo 2^32
    --v3;
    --v5;
  }
  v6 = v5 * v5;
  while ( v4 ) // v4 counts from -1 down to 0 by wrapping; the net effect on *a1 is -1
  {
    v6 *= 123;
    ++*a1;
    --v4;
  }
  ++*a1; // restores the value *a1 had before the second loop
  return a1;
}


wp(三个函数分别等价于乘、减、加,直接用算术运算替换,去掉耗时的垃圾循环):
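"""Fast re-implementation of the flag computation from Newbie_calculations.

The binary's three primitives (mul_401100, sub_401220, add_401000) are plain
multiply / subtract / add implemented with counting loops that make the
program take far too long to finish. Here they are replaced by direct arithmetic.

The binary works on 32-bit values, so every helper reduces its result
modulo 2**32, and the final print keeps only the low byte of each slot,
mirroring SLOBYTE(flag[j]) in the decompiled main.
"""

MASK32 = 0xFFFFFFFF


def mul_401100(a, b):
    """Return a * b reduced modulo 2**32 (model of mul_401100)."""
    return (a * b) & MASK32


def sub_401220(a, b):
    """Return a - b reduced modulo 2**32 (model of sub_401220)."""
    return (a - b) & MASK32


def add_401000(a, b):
    """Return a + b reduced modulo 2**32 (model of add_401000)."""
    return (a + b) & MASK32


# Per-slot operation chains for flag[0]..flag[25], in the order main applies them.
# Each entry is (primitive, constant); the chain is folded over the slot's value.
_M, _S, _A = mul_401100, sub_401220, add_401000
_CHAINS = [
    [(_M, 0x3B9ACA00), (_S, 0x3B9AC9CE), (_M, 2)],                                   # flag[0]
    [(_A, 0x4C4B40), (_S, 0x65B9AA), (_A, 1666666), (_A, 45), (_M, 2), (_A, 5)],     # flag[1]
    [(_M, 0x3B9ACA00), (_S, 999999950), (_M, 2), (_A, 2)],                           # flag[2]
    [(_A, 55), (_S, 3), (_A, 4), (_S, 1)],                                           # flag[3]
    [(_M, 100000000), (_S, 99999950), (_M, 2), (_A, 2)],                             # flag[4]
    [(_S, 1), (_M, 1000000000), (_A, 55), (_S, 3)],                                  # flag[5]
    [(_M, 1000000), (_S, 999975), (_M, 4)],                                          # flag[6]
    [(_A, 55), (_S, 33), (_A, 44), (_S, 11)],                                        # flag[7]
    [(_M, 10), (_S, 5), (_M, 8), (_A, 9)],                                           # flag[8]
    [(_A, 0), (_S, 0), (_A, 11), (_S, 11), (_A, 53)],                                # flag[9]
    [(_A, 49), (_S, 2), (_A, 4), (_S, 2)],                                           # flag[10]
    [(_M, 1000000), (_S, 999999), (_M, 4), (_A, 50)],                                # flag[11]
    [(_A, 1), (_A, 1), (_A, 1), (_A, 1), (_A, 1), (_A, 1), (_A, 10), (_A, 32)],      # flag[12]
    [(_M, 10), (_S, 5), (_M, 8), (_A, 9), (_A, 48)],                                 # flag[13]
    [(_S, 1), (_M, -294967296), (_A, 55), (_S, 3)],                                  # flag[14]
    [(_A, 1), (_A, 2), (_A, 3), (_A, 4), (_A, 5), (_A, 6), (_A, 7), (_A, 20)],       # flag[15]
    [(_M, 10), (_S, 5), (_M, 8), (_A, 9), (_A, 48)],                                 # flag[16]
    [(_A, 7), (_A, 6), (_A, 5), (_A, 4), (_A, 3), (_A, 2), (_A, 1), (_A, 20)],       # flag[17]
    [(_A, 7), (_A, 2), (_A, 4), (_A, 3), (_A, 6), (_A, 5), (_A, 1), (_A, 20)],       # flag[18]
    [(_M, 1000000), (_S, 999999), (_M, 4), (_A, 50), (_S, 1)],                       # flag[19]
    [(_S, 1), (_M, -294967296), (_A, 49), (_S, 1)],                                  # flag[20]
    [(_S, 1), (_M, 1000000000), (_A, 54), (_S, 1),
     (_A, 1000000000), (_S, 1000000000)],                                            # flag[21]
    [(_A, 49), (_S, 1), (_A, 2), (_S, 1)],                                           # flag[22]
    [(_M, 10), (_S, 5), (_M, 8), (_A, 9), (_A, 48)],                                 # flag[23]
    [(_A, 1), (_A, 3), (_A, 3), (_A, 3), (_A, 6), (_A, 6), (_A, 6), (_A, 20)],       # flag[24]
    [(_A, 55), (_S, 33), (_A, 44), (_S, 11), (_A, 42)],                              # flag[25]
]

# main initialises every slot to 1 before any primitive runs.
flag = [1] * 32
print("Your flag is:")

for _idx, _chain in enumerate(_CHAINS):
    _value = flag[_idx]
    for _op, _const in _chain:
        _value = _op(_value, _const)
    flag[_idx] = _value

# The last six slots depend on slots computed earlier, so they are evaluated
# one by one in the same order as in main.
flag[26] = add_401000(flag[26], flag[25])
flag[27] = add_401000(flag[27], flag[12])
flag[28] = sub_401220(add_401000(sub_401220(flag[28], 1), flag[27]), 1)
flag[29] = add_401000(mul_401100(sub_401220(flag[29], 1), 1000000), flag[23])
flag[30] = mul_401100(add_401000(flag[30], 1), flag[27])
flag[31] = add_401000(flag[31], flag[30])

# Only the low byte of each slot is printed, as SLOBYTE(flag[j]) does in main.
print("CTF{" + "".join(chr(c & 0xFF) for c in flag) + "}")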

Your flag is:
CTF{daf8f4d816261a41a115052a1bc21ade}

转载于:https://www.cnblogs.com/DirWang/p/11586159.html
