BUUCTF SimpleRev

SimpleRev

程序流程很清晰

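int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char v4; // [rsp+Fh] [rbp-1h]

  // Menu loop: 'd'/'D' runs the flag check, 'q'/'Q' exits, anything else
  // prints an error and echoes one more byte.  getchar()'s int result is
  // truncated into a char, so EOF is not distinguishable here: on a closed
  // stdin v4 is neither d/D nor q/Q and the outer loop never terminates.
  while ( 1 )
  {
    while ( 1 )
    {
      // Decompiler artifact: argv/envp appear as extra printf arguments.
      // The format string contains no conversions, so they are never read.
      printf("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ", argv, envp);
      v4 = getchar();
      if ( v4 != 'd' && v4 != 'D' )
        break;
      Decry();
    }
    if ( v4 == 'q' || v4 == 'Q' )
      Exit();
    puts("Input fault format!");
    // Consumes and echoes one more byte (normally the newline left behind
    // after the menu character); on EOF this emits the byte 0xFF.
    v3 = getchar();
    putchar(v3);
  }
}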

关键处理在Decry()中

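unsigned __int64 Decry()
{
  char c; // [rsp+Fh] [rbp-51h]
  int j; // [rsp+10h] [rbp-50h]
  int index; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int v5; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h]
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  __int64 v9; // [rsp+40h] [rbp-20h]
  __int64 v10; // [rsp+48h] [rbp-18h]
  int v11; // [rsp+50h] [rbp-10h]
  unsigned __int64 v12; // [rsp+58h] [rbp-8h]

  // fs:0x28 holds glibc's stack-protector canary on x86_64; it is re-read
  // and XORed at the end, so the "return value" is really the canary check.
  v12 = __readfsqword(0x28u);
  // Multi-character constants are stored little-endian, so the bytes in
  // memory read "NDCLS".  v7/v8 zero the following bytes (most likely the
  // same buffer, split up by the decompiler), which NUL-terminates src.
  *(_QWORD *)src = 'SLCDN';                     // "NDCLS"
  v7 = 0LL;
  v8 = 0;
  v9 = 'wodah';                                 // "hadow"
  v10 = 0LL;
  v11 = 0;
  // key3 and join() are not shown on this page; the author reports the
  // result is "killshadow".  Nothing frees text afterwards.
  text = (char *)join(key3, &v9);               // text = "killshadow"
  // key, key1, str2 and text are globals (not declared in this function).
  // key1 is reported as "ADSFK"; unbounded strcpy/strcat into key rely on
  // key being large enough for 10 bytes plus NUL.
  strcpy(key, key1);                            // "ADSFK"
  strcat(key, src);                             // key = "ADSFKNDCLS"
  j = 0;
  index = 0;
  getchar();                                    // swallow the newline left after the menu character
  v5 = strlen(key);                             // 10
  // Lower-case the key in place.  index tracks i in this loop, so it exits
  // with index == v5; the first flag byte below therefore uses key[0].
  for ( i = 0; i < v5; ++i )
  {
    if ( key[index % v5] > '@' && key[index % v5] <= 'Z' )
      key[i] = key[index % v5] + 32;            // 'A'..'Z' -> 'a'..'z'
    ++index;
  }
  printf("Please input your flag:", src);       // decompiler artifact: src is an unused extra argument
  // Read until '\n'.  j is never bounded, so a long line writes past the end
  // of the global str2 (out-of-bounds write in .data/.bss); only the length
  // of the attacker-controlled input limits it.  c is a plain char, so EOF
  // (-1) cannot be detected: input without a trailing newline spins forever.
  while ( 1 )
  {
    c = getchar();
    if ( c == '\n' )
      break;
    if ( c == ' ' )
    {
      ++j;                                      // a space advances the output slot but not the key index
    }
    else
    {
      // Both branches apply the identical formula, so every target byte has
      // exactly one upper-case and one lower-case preimage (32 == 6 mod 26).
      // The operand c - 39 - key + 97 lies in 1..83, so C's truncating '%'
      // behaves like a mathematical modulus here and never yields a negative.
      if ( c <= 96 || c > 'z' )
      {
        if ( c > 64 && c <= 'Z' )               // 'A'..'Z'
          str2[j] = (c - 39 - key[index++ % v5] + 97) % 26 + 97;// key = "adsfkndcls"
        // any other byte (digit, punctuation, EOF) leaves str2[j] as it was
      }
      else                                      // 'a'..'z'
      {
        str2[j] = (c - 39 - key[index++ % v5] + 97) % 26 + 97;
      }
      if ( !(index % v5) )
        putchar(' ');                           // visual separator after every v5 key positions
      ++j;
    }
  }
  // Plain strcmp against the expected plaintext; the intended solve is to
  // invert the per-character formula rather than to brute-force the binary.
  if ( !strcmp(text, str2) )                    // "killshadow"
    puts("Congratulation!\n");
  else
    puts("Try again!\n");
  return __readfsqword(0x28u) ^ v12;
}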

wp:

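UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER = UPPER.lower()


def encode_char(c, k):
    """Apply Decry()'s per-character transform to one input letter.

    Mirrors the C expression ``(c - 39 - key[index % v5] + 97) % 26 + 97``,
    which the binary uses unchanged for both its upper- and lower-case
    branches.  The operand is always in 1..83, so C's truncating ``%`` and
    Python's ``%`` agree.
    """
    return chr((ord(c) - 39 - ord(k) + 97) % 26 + 97)


def recover_flag(text, key, alphabet=UPPER):
    """Invert Decry()'s transform for a whole target string.

    Args:
        text:     the string strcmp() expects in str2 ("killshadow").
        key:      the key as the binary holds it when the flag is read,
                  i.e. already lower-cased ("adsfkndcls").  The key index
                  starts at 0 because the case-folding loop leaves
                  index == strlen(key) before the flag loop begins.
        alphabet: which preimage to choose.  Both branches use the same
                  formula, so UPPER and LOWER each give a valid input; the
                  default reproduces the original script's upper-case answer.
    Returns:
        An input string (no spaces) that makes the binary print
        "Congratulation!".
    Raises:
        ValueError: if key is empty or a target byte has no preimage in the
        alphabet (impossible for a full 26-letter alphabet, but it guards
        against typos in text/key).
    """
    if not key:
        raise ValueError("key must be non-empty")
    out = []
    for i, target in enumerate(text):
        k = key[i % len(key)]
        # The map letter -> output is a bijection on 26 letters, so exactly
        # one candidate matches per position.
        matches = [c for c in alphabet if encode_char(c, k) == target]
        if not matches:
            raise ValueError(f"no preimage for {target!r} with key byte {k!r}")
        out.append(matches[0])
    return ''.join(out)


if __name__ == '__main__':
    print('flag{' + recover_flag('killshadow', 'ADSFKNDCLS'.lower()) + '}')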

flag{KLDQCUDFZO}

大小写两条分支用的是同一个表达式,而 26 个大写字母和 26 个小写字母各自在 mod 26 下都是一一映射,所以每个目标字符都恰好有一个大写解和一个小写解,能让程序输出 Congratulation! 的输入共有 2^10 种;上面的脚本只取了大写那一组。本想在 linux 下运行验证一下,结果提示:段错误(核心已转储)。gdb 里 #0 的地址是 0x0,说明程序是跳转/返回到了空地址才崩的,具体原因还得结合 bt 和寄存器再看。0.0

 1 popk@popk-virtual-machine:~$ ulimit -c unlimited
 2 popk@popk-virtual-machine:~$ gdb ./SimpleRev core 
 3 GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
 4 Copyright (C) 2018 Free Software Foundation, Inc.
 5 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 6 This is free software: you are free to change and redistribute it.
 7 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 8 and "show warranty" for details.
 9 This GDB was configured as "x86_64-linux-gnu".
10 Type "show configuration" for configuration details.
11 For bug reporting instructions, please see:
12 <http://www.gnu.org/software/gdb/bugs/>.
13 Find the GDB manual and other documentation resources online at:
14 <http://www.gnu.org/software/gdb/documentation/>.
15 For help, type "help".
16 Type "apropos word" to search for commands related to "word"...
17 Reading symbols from ./SimpleRev...(no debugging symbols found)...done.
18 [New LWP 2376]
19 Core was generated by `./SimpleRev'.
20 Program terminated with signal SIGSEGV, Segmentation fault.
21 #0  0x0000000000000000 in ?? ()
22 (gdb) 
原文地址:https://www.cnblogs.com/DirWang/p/11657450.html