re刷題第八天
0x00 Reversing-x64Elf-100
載入IDA,找到關鍵代碼
__int64 __fastcall sub_4006FD(__int64 a1)
{
int i; // [rsp+14h] [rbp-24h]
const char *v3; // [rsp+18h] [rbp-20h]
const char *v4; // [rsp+20h] [rbp-18h]
const char *v5; // [rsp+28h] [rbp-10h]
v3 = "Dufhbmf";
v4 = "pG`imos";
v5 = "ewUglpt";
for ( i = 0; i <= 11; ++i )
{
if ( (&v3)[i % 3][2 * (i / 3)] - *(i + a1) != 1 )
return 1LL;
}
return 0LL;
}
發現是一個二維數組,稍微看一下字符的順序就知道是每隔一列按照從上到下排列,寫出腳本即可得到flag
cipher = 'Dpef`Ubmlfst'
flag = ''
for i in range(len(cipher)):
flag += chr(ord(cipher[i]) - 1)
print flag
0x01 zorropub
int __fastcall main(__int64 a1, char **a2, char **a3)
{
size_t v3; // rax
int v5; // [rsp+1Ch] [rbp-104h]
int v6; // [rsp+20h] [rbp-100h]
int i; // [rsp+24h] [rbp-FCh]
unsigned int seed; // [rsp+28h] [rbp-F8h]
unsigned int v9; // [rsp+2Ch] [rbp-F4h]
char v10; // [rsp+30h] [rbp-F0h]
char v11[16]; // [rsp+90h] [rbp-90h]
char v12[32]; // [rsp+A0h] [rbp-80h]
char s; // [rsp+C0h] [rbp-60h]
char s1[40]; // [rsp+E0h] [rbp-40h]
unsigned __int64 v15; // [rsp+108h] [rbp-18h]
v15 = __readfsqword(0x28u);
seed = 0;
puts("Welcome to Pub Zorro!!");
printf("Straight to the point. How many drinks you want?");
__isoc99_scanf("%d", &v5);
if ( v5 <= 0 )
{
printf("You are too drunk!! Get Out!!");
exit(-1);
}
printf("OK. I need details of all the drinks. Give me %d drink ids:", (unsigned int)v5);
for ( i = 0; i < v5; ++i )
{
__isoc99_scanf("%d", &v6);
if ( v6 <= 16 || v6 > 0xFFFF )
{
puts("Invalid Drink Id.");
printf("Get Out!!");
exit(-1);
}
seed ^= v6;
}
i = seed;
v9 = 0;
while ( i )
{
++v9;
i &= i - 1;
}
if ( v9 != 10 )
{
puts("Looks like its a dangerous combination of drinks right there.");
puts("Get Out, you will get yourself killed");
exit(-1);
}
srand(seed);
MD5_Init((__int64)&v10);
for ( i = 0; i <= 29; ++i )
{
v9 = rand() % 1000;
sprintf(&s, "%d", v9);
v3 = strlen(&s);
MD5_Update(&v10, &s, v3);
v12[i] = v9 ^ LOBYTE(dword_6020C0[i]);
}
v12[i] = 0;
MD5_Final((__int64)v11, (__int64)&v10);
for ( i = 0; i <= 15; ++i )
sprintf(&s1[2 * i], "%02x", (unsigned __int8)v11[i]);
if ( strcmp(s1, "5eba99aff105c9ff6a1a913e343fec67") )
{
puts("Try different mix, This mix is too sloppy");
exit(-1);
}
return printf("\nYou choose right mix and here is your reward: The flag is nullcon{%s}\n", v12);
}
邏輯還是很清晰的,首先讓輸入drunk
的個數,個數沒有要求,然後n個drunk
的id
,將id異或到一起爲seed
,id要求大於16小於等於65535。並且send
經過下邊的運算需要滿足v9>=10
while ( i )
{
++v9;
i &= i - 1;
}
if ( v9 != 10 )
將seed作爲種子,隨機取餘1000,循環30次,將循環30次的結果拼接到一起做md5
,與5eba99aff105c9ff6a1a913e343fec67
做比較,驗證通過即可得到flag
分析完算法,感覺這題只能用爆破了,我這裏是用的pwntools
爆破的,看了下網上師傅們的爆破腳本,受益頗多
from pwn import *
num = []
for i in range(65535):
tmp = i
j = 0
while i:
i = i & (i-1)
j = j + 1
if j == 10:
num.append(tmp)
context.arch='amd64'
i = 0
while(1):
p = process('./3a')
p.recv()
p.sendline('1')
p.sendline(str(num[i]))
ret = p.recv()
if 'flag' in ret:
print 'ids: '+str(num[i])
raw_input()
i = i + 1
p.close()
0x03 Refer
https://github.com/ctfs/write-ups-2016/tree/master/nullcon-hackim-2016/re/zorropub-100