v5 = mirvar(0);
v4 = mirvar(0);
v2 = mirvar(0);
v3 = mirvar(0);
cinstr((int)v2, (int)a32323232333366);
cinstr((int)v5, (int)&v6);
cinstr((int)v4, (int)"3e9");
if ( mr_compare(v2, v5) != -1 )
return 0;
powmod((int)v2, (int)v4, (int)v5, (int)v3);
big_to_bytes(0, v3, &v75, 0);
cleanup((int)v5);
cleanup((int)v4);
cleanup((int)v2);
cleanup((int)v3);
sub_409CC0();
v0 = strlen(&v75);
sub_40100F((int)&v75, (int)&v71, v0);
return strcmp(&v79, &v71) == 0;
这对应的是RSA加密逻辑(input是输入字符串第四位开始到最后)
mod(pow(input, e), n) == v79
将明文rsa加密的结果与目标结果比较
调试得到
n = 7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
密文c = 208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304
3e9是常见rsa的e值
把n丢给factordb.com得到
p = 273086345401562743300402731618892888991
q = 208096057845685678782766058500526476379
用这套代码取模逆 https://gist.github.com/ofaurax/6103869014c246f962ab30a513fb5b49 得到d
在这里用n、d、e解密密文c: http://extranet.cryptomathic.com/rsacalc/index
得到明文iamahandsomeguyhaha1(flag的后几位)
rsa部分结束看后面:
看sub_402FC0:简单的判断了一下输入前三位是不是数字
sub_402D60通过输入内容运算,返回值判断是否成功
因为三位数字最多也就1000种可能性,直接注入dll暴力算
dll代码:
/*
 * Resolve the host's prefix-check routine and sweep every 3-digit prefix
 * "000".."999", showing a message box for each one the routine accepts.
 *
 * NOTE(review): 0x2D60 is treated as the offset of sub_402D60 from the host
 * image base returned by GetModuleHandleW(0); this only holds while the host
 * is loaded at the base the disassembly was taken at — confirm before reuse.
 */
static void sweep_prefixes(void)
{
    int (*check)(char *) =
        (int (*)(char *))((uintptr_t)GetModuleHandleW(0) + 0x2D60);

    /* Three ASCII digits plus the terminator the callee expects. */
    char candidate[4] = "000";

    for (; candidate[0] <= '9'; candidate[0]++) {
        for (; candidate[1] <= '9'; candidate[1]++) {
            for (; candidate[2] <= '9'; candidate[2]++) {
                if (check(candidate)) {
                    MessageBoxA(0, candidate, 0, 0);
                    /* Leaves only the innermost loop; the sweep goes on so
                     * every accepted prefix is reported, not just the first. */
                    break;
                }
            }
            candidate[2] = '0';
        }
        candidate[1] = '0';
    }
}

/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH thread notifications are switched off and the
 * prefix sweep runs once, on the loader's thread. The remaining reasons
 * do nothing. Always reports success to the loader.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        sweep_prefixes();
        /* fallthrough: the remaining reasons only break */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
得到前三位520
最终结果:
520iamahandsomeguyhaha1
PS1:PWN占比好高啊
PS2:老了,加班+解题肝不动了