[原创]看雪CTF2017第2题
2017-6-3 21:01 3713

[原创]看雪CTF2017第2题

2017-6-3 21:01
3713

sn长度8~20, (字符1~9)

.text:00401048                 push    104h            ; int
.text:0040104D                 push    eax             ; char *
.text:0040104E                 call    _fgets
.text:00401053                 lea     edi, [esp+4150h+sn]
.text:00401057                 or      ecx, 0FFFFFFFFh
.text:0040105A                 xor     eax, eax
.text:0040105C                 add     esp, 18h
.text:0040105F                 repne scasb
.text:00401061                 not     ecx
.text:00401063                 add     ecx, 0FFFFFFFEh
.text:00401066                 cmp     ecx, 8
.text:00401069                 jl      loc_40127A
.text:0040106F                 cmp     ecx, 14h
.text:00401072                 jg      loc_40127A
.text:00401078                 xor     esi, esi
.text:0040107A                 xor     edx, edx
.text:0040107C                 test    ecx, ecx
.text:0040107E                 mov     [esp+ecx+4138h+sn], al
.text:00401082                 jle     short loc_4010AC
.text:00401084                 mov     al, [esp+edx+4138h+sn]
.text:00401088                 cmp     al, 30h
.text:0040108A                 jle     short loc_401090
.text:0040108C                 cmp     al, 39h
.text:0040108E                 jle     short loc_401091
.text:00401090


输入的sn逆序存储为10进制数字, 记为k, x=k*9

.text:004010B8                 lea     ecx, [esp+4138h+sn]
.text:004010BC                 mov     [esp+4138h+var_4], 0
.text:004010C7                 push    ecx             ; sn
.text:004010C8                 lea     ecx, [esp+413Ch+anonymous_0] ; this
.text:004010CF                 call    decimal_store
.text:004010D4                 lea     ecx, [esp+4138h+anonymous_0]
.text:004010DB                 call    nullsub_1
.text:004010E0                 push    9
.text:004010E2                 lea     ecx, [esp+413Ch+anonymous_0]
.text:004010E9                 call    decimal_mul_int


a=x

a*=x; (即 a = x*x)

a 的十进制位数必须为奇数

.text:0040110B                 lea     eax, [esp+211Ch]
.text:00401112                 lea     ecx, [esp+4138h+anonymous_0]
.text:00401119                 push    eax
.text:0040111A                 mov     byte ptr [esp+413Ch+var_4], 1
.text:00401122                 call    decimal_mul_decimal
.text:00401127                 push    9
.text:00401129                 lea     ecx, [esp+413Ch+anonymous_0]
.text:00401130                 mov     esi, eax
.text:00401132                 call    decimal_mul_int
.text:00401137                 lea     ecx, [esp+4138h+anonymous_0]
.text:0040113E                 add     esi, eax
.text:00401140                 call    nullsub_1
.text:00401145                 test    esi, esi
.text:00401147                 jnz     loc_401215
.text:0040114D                 lea     ecx, [esp+4138h+anonymous_0]
.text:00401154                 call    decimal_len
.text:00401159                 and     eax, 80000001h
.text:0040115E                 jns     short loc_401165
.text:00401160                 dec     eax
.text:00401161                 or      eax, 0FFFFFFFEh
.text:00401164                 inc     eax
.text:00401165                 cmp     eax, 1
.text:00401168                 jnz     loc_401215


sn[0] == (str(a))[mid]

.text:0040116E                 lea     ecx, [esp+4138h+anonymous_0]
.text:00401175                 call    decimal_len
.text:0040117A                 sar     eax, 1
.text:0040117C                 push    eax
.text:0040117D                 lea     ecx, [esp+413Ch+anonymous_0]
.text:00401184                 call    decimal_char_at
.text:00401189                 push    0
.text:0040118B                 lea     ecx, [esp+2120h]
.text:00401192                 mov     edi, eax
.text:00401194                 call    decimal_char_at
.text:00401199                 cmp     edi, eax
.text:0040119B                 lea     ecx, [esp+211Ch]
.text:004011A2                 jnz     short loc_40121C


s1=sn[1:]

s2=reverse(s1)

str(a)以s2开头, 以s1结尾

.text:004011A4                 push    0
.text:004011A6                 call    decimal_len
.text:004011AB                 dec     eax
.text:004011AC                 lea     ecx, [esp+2120h]
.text:004011B3                 push    eax
.text:004011B4                 push    1
.text:004011B6                 call    decimal_len
.text:004011BB                 mov     esi, 1
.text:004011C0                 lea     ecx, [esp+4144h+anonymous_0]
.text:004011C7                 sub     esi, eax
.text:004011C9                 call    decimal_len
.text:004011CE                 add     esi, eax
.text:004011D0                 lea     ecx, [esp+2128h]
.text:004011D7                 push    esi
.text:004011D8                 push    ecx
.text:004011D9                 lea     ecx, [esp+414Ch+anonymous_0]
.text:004011E0                 call    decimal_compare
.text:004011E5                 push    1
.text:004011E7                 lea     ecx, [esp+2120h]
.text:004011EE                 mov     esi, eax
.text:004011F0                 call    decimal_len
.text:004011F5                 dec     eax
.text:004011F6                 lea     edx, [esp+2120h]
.text:004011FD                 push    eax
.text:004011FE                 push    1
.text:00401200                 push    0
.text:00401202                 push    edx
.text:00401203                 lea     ecx, [esp+414Ch+anonymous_0]
.text:0040120A                 call    decimal_compare
.text:0040120F                 add     esi, eax
.text:00401211                 jz      short loc_401257
import itertools
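def solve(start=11111111, end=99999999999999999999):
    """Brute-force the serial the crackme accepts.

    ``k`` is the entered serial read back-to-front as a decimal number (see
    the ``decimal_store`` call in the listing above).  For every ``k`` in
    ``[start, end]`` this re-implements the checks the binary applies to
    ``a = (9*k)**2`` and stops at the first candidate that passes all of them.

    Args:
        start: first ``k`` to try; the default is the smallest 8-digit value
            without a zero digit (the binary rejects serials shorter than 8).
        end: last ``k`` to try; the default is the largest 20-digit value
            (the binary rejects serials longer than 20).  Unlike the first
            version of this script, the bound is honoured, so the search
            terminates even when nothing in the range matches.

    Returns:
        The serial (the digits of ``k`` reversed) as a str, or ``None`` when
        no ``k`` in the range passes every check.  A hit is also printed, as
        the original script did.
    """
    for k in range(start, end + 1):
        ks = str(k)
        # The binary only accepts the characters '1'..'9' (cmp al, 30h / 39h),
        # so any candidate containing a zero digit can be skipped outright.
        if "0" in ks:
            continue
        x = k * 9          # decimal_mul_int(9)
        s = str(x * x)     # decimal_mul_decimal: a = x * x
        # decimal_len(a) & 1 must be 1: an odd number of digits.
        if len(s) % 2 == 0:
            continue
        sn = ks[::-1]      # the serial as typed
        # decimal_char_at(a, len >> 1) must equal the serial's first character.
        # The earlier script computed this but never enforced it (its inner
        # loop fell through to the final test either way); the binary does
        # (cmp edi, eax / jnz), so it is a hard requirement here.
        if s[len(s) // 2] != sn[0]:
            continue
        tail = sn[1:]
        head = tail[::-1]
        # Per the writeup's reading of the two decimal_compare calls: a starts
        # with the reversed remainder of the serial and ends with the remainder.
        if s.startswith(head) and s.endswith(tail):
            print(sn)
            return sn
    return None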
solve()  # runs the search at import/execution time; prints the serial when one is found



dongjinba 2017-6-7 13:22
2
0
这个厉害
luobingguan 2017-6-7 13:31
3
0
看看看