BUUCTF-RE-[V&N2020 公开赛]strangeCpp

查壳

image-20200724222245350

运行程序

image-20200724222454101

它提示说cpu num是8 这个信息是有用的

搜索字符串

image-20200724222330342

也就这一块了。

flag{where_is_my_true_flag?}肯定是假的了。

image-20200724222650993

这一块就是提示cpu数值的。我们交叉引用看看。

image-20200724222747559

然后我们就能找到解题的关键函数了。

__int64 sub_140013580()
{
  __int64 *v0; // rdi
  signed __int64 i; // rcx
  __int64 result; // rax
  __int64 v3; // [rsp+0h] [rbp-20h]
  int v4; // [rsp+24h] [rbp+4h]
  int j; // [rsp+44h] [rbp+24h]
  __int64 v6; // [rsp+128h] [rbp+108h]

  v0 = &v3;
  for ( i = 82i64; i; --i )
  {
    *(_DWORD *)v0 = -858993460;
    v0 = (__int64 *)((char *)v0 + 4);
  }
  v6 = -2i64;
  sub_1400110AA((__int64)&unk_140027033);
  result = sub_140011384((unsigned int)dword_140021190);
  v4 = result;
  if ( (_DWORD)result == 607052314 && dword_140021190 <= 14549743 )
  {
    for ( j = 0; j < 17; ++j )
    {
      putchar((unsigned __int8)(dword_140021190 ^ *((_BYTE *)&qword_140021008 + j)));
      result = (unsigned int)(j + 1);
    }
  }
  return result;
}

putchar是输出函数,我们推测可能是flag了这里。然后16个字符串也比较符合常规。那我们首先要知道dword_140021190的值,进入sub_140011384

signed __int64 __fastcall sub_140013890(int a1)
{
  __int64 *v1; // rdi
  signed __int64 i; // rcx
  signed __int64 result; // rax
  __int64 v4; // [rsp+0h] [rbp-20h]
  int v5; // [rsp+24h] [rbp+4h]
  int v6; // [rsp+44h] [rbp+24h]
  unsigned int v7; // [rsp+64h] [rbp+44h]
  int v8; // [rsp+160h] [rbp+140h]

  v8 = a1;
  v1 = &v4;
  for ( i = 82i64; i; --i )
  {
    *(_DWORD *)v1 = -858993460;
    v1 = (__int64 *)((char *)v1 + 4);
  }
  sub_1400110AA((__int64)&unk_140027033);
  v5 = v8 >> 12;
  v6 = v8 << 8;
  v7 = (v8 << 8) ^ (v8 >> 12);
  v7 *= 291;
  if ( v7 )
    result = v7;
  else
    result = 987i64;
  return result;
}

结合上一个函数我们知道result == 607052314且dword_140021190 <= 14549743

经过sub_140011384操作过后的值等于607052314

我们算这个v7=607052314 我们要通过v7来推v8

然后我们写脚本把v8解出来 dword_140021190在sub_140011384里是a1也就是v8

v8解出来之后拿到外面跟qword_140021008数组做异或

注意小端

解题脚本

#include<stdio.h>
int main()
{
	int m,i;
	char flag[17];
	char str[17] = { 0x26,0x2C,0x21,0x27,0x3B,0x0D,0x04,0x75,0x68,0x34,0x28,0x25,0x0E,0x35,0x2D,0x69,0x3D };
for (i = 0; i < 14549743; i++) {
	m = (i >> 12) ^ (i << 8);
	if (m * 291 == 607052314) {
		printf_s("%d
",i);
		break;
	}
}

for (int j = 0; j < 17; j++) 
	putchar(str[j]^i);
return 0;
}

结果:

123456
flag{MD5(theNum)}

md5

import hashlib

print("
flag{"+hashlib.md5('123456'.encode(encoding='utf-8')).hexdigest()+'}')

flag{e10adc3949ba59abbe56e057f20f883e}

【推广】 免费学中医,健康全家人
原文地址:https://www.cnblogs.com/Nickyl07/p/13412963.html