首页
社区
课程
招聘
[原创]2018看雪CTF第十三题WP
2018-7-12 07:51 2031

[原创]2018看雪CTF第十三题WP

2018-7-12 07:51
2031

几个关键验证

flag长度为10:

if ( strlen(buf) != 10 )

每个字符为0-9或A-F:

if ( (unsigned __int8)(v9 - 'A') > 5u )
    return 0LL;

10个字符两两分为5组转为16进制保存在hex中:

(unsigned int)sub_401CE0((__int64)Format, (__int64)buf, (__int64)hex, (__int64)buf, 10) != 5

hex中前两个和后3个分别组成两个浮点数:

HIWORD(v18[0]) = *(_WORD *)hex;
v18[2] = v18[0];
*(_WORD *)((char *)&v18[1] + 5) = *(_WORD *)&hex[2];
HIBYTE(v18[1]) = hex[4];
v18[3] = v18[1];

两个浮点数范围(1.0,10.0):

if ( v17 <= 1.0 || v17 >= 10.0 || (v18 = v8[3], v18 <= 1.0) || v18 >= 10.0 )

第六个字符为0:

if ( sub_403360((__int64)Format, (__int64)buf, (double)(buf[0] - 48) * (double)(buf[0] - 48) + (double)(buf[2] - 48) * (double)(buf[2] - 48) + v12, v12) <= 15.5 || hex[2] & 0xF )

double类型的表示

double类型用二进制的科学记数法来表示。
共有64位。
最高位(第0位)是符号位,1为负,0为正。
1-11位为1023+2的指数。
后面的12-63位保存具体的数值(去掉了开头的1,这样能多1位的精度)

穷举代码

一开始没有考虑到整数部分为1的情况,不想合并重新跑。就分了4种情况。全部穷举完要3个小时。

from subprocess import *

path = r'\Desktop\kanxueCTF2018\13\NNCrackme\NN.exe'
def f():
    for i1 in range(0x24):
        s1 = hex(i1)[2:].rjust(2,'0')
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(0x24):
                s3 = hex(i3)[2:].rjust(2,'0')
                s = (s1 + '40' + s2 + '0' + s3 + '40').upper()

                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return

def f1():
    for i1 in range(1,16):
        s1 = hex(i1)[2:]
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(1,16):
                s3 = hex(i3)[2:]
                s = ('f' + s1 + '3f' + s2 + '0' + 'f' + s3 + '3f').upper()

                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return

def f2():
    for i1 in range(0x24):
        s1 = hex(i1)[2:].rjust(2,'0')
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(1,16):
                s3 = hex(i3)[2:]
                s = (s1 + '40' + s2 + '0' + 'f' + s3 + '3f').upper()

                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return

def f3():
    for i1 in range(1,16):
        s1 = hex(i1)[2:]
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(0x24):
                s3 = hex(i3)[2:].rjust(2,'0')
                s = ('f' + s1 + '3f' + s2 + '0' + s3 + '40').upper()

                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return


#f()
#f1()
#f2()
f3()

跑出来的flag为F13FE02140


[培训]《安卓高级研修班(网课)》月薪三万计划

最后于 2018-7-12 08:04 被mratlatsn编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回