[原创]2018看雪CTF第十三题WP
几个关键验证
flag长度为10:
if ( strlen(buf) != 10 )
每个字符为0-9或A-F:
if ( (unsigned __int8)(v9 - 'A') > 5u ) return 0LL;
10个字符两两分为5组转为16进制保存在hex中:
(unsigned int)sub_401CE0((__int64)Format, (__int64)buf, (__int64)hex, (__int64)buf, 10) != 5
hex中前2个字节和后3个字节分别组成两个浮点数:
HIWORD(v18[0]) = *(_WORD *)hex; v18[2] = v18[0]; *(_WORD *)((char *)&v18[1] + 5) = *(_WORD *)&hex[2]; HIBYTE(v18[1]) = hex[4]; v18[3] = v18[1];
两个浮点数范围(1.0,10.0):
if ( v17 <= 1.0 || v17 >= 10.0 || (v18 = v8[3], v18 <= 1.0) || v18 >= 10.0 )
第六个字符为0:
if ( sub_403360((__int64)Format, (__int64)buf, (double)(buf[0] - 48) * (double)(buf[0] - 48) + (double)(buf[2] - 48) * (double)(buf[2] - 48) + v12, v12) <= 15.5 || hex[2] & 0xF )
double类型的表示
double类型用二进制的科学记数法来表示。
共有64位。
最高位(第0位)是符号位,1为负,0为正。
第1-11位为指数位,保存的是实际的2的指数加上偏移量1023。
后面的12-63位保存尾数(省略了开头隐含的1,这样能多1位的精度)。
穷举代码
一开始没有考虑到整数部分为1的情况,不想合并后重新跑,就分成了4种情况。全部穷举完要3个小时。
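from __future__ import annotations

from itertools import product
from subprocess import PIPE, Popen

# Path of the crackme being brute-forced. It is started directly (argument
# string, no shell), so the candidate text never reaches a command line; keep
# the search inside the same analysis VM the binary was reversed in.
path = r'\Desktop\kanxueCTF2018\13\NNCrackme\NN.exe'

# Characters 5-6 of the flag: the binary rejects `hex[2] & 0xF != 0`, so the
# 6th character is fixed to '0' and only the 5th is enumerated.
MIDDLES = [f'{i:x}0' for i in range(16)]


def mantissa_prefixes(exponent: str) -> list[str]:
    """Return the two hex characters that precede *exponent* in one 4-char float half.

    Each half of the flag is the high 16 bits of a double (little-endian
    x86-64, see the `HIWORD(v18[0]) = *(_WORD *)hex` line): the first pair of
    characters is the low byte of that word, the ``exponent`` pair its high
    byte. The binary requires both doubles to lie in (1.0, 10.0), which pins
    the enumerated ranges:

    * ``'40'``: high word 0x4000..0x4023, i.e. 2.0 <= x < 10.0
      (0x4024 0000 0000 0000 is exactly 10.0 and is rejected).
    * ``'3f'``: high word 0x3ff1..0x3fff, i.e. 1.0 < x < 2.0
      (0x3ff0 0000 0000 0000 is exactly 1.0 and is rejected).

    Args:
        exponent: ``'40'`` or ``'3f'`` (lower case).

    Raises:
        ValueError: for any other exponent byte.
    """
    if exponent == '40':
        return [f'{i:02x}' for i in range(0x24)]
    if exponent == '3f':
        return [f'f{i:x}' for i in range(1, 16)]
    raise ValueError(f'unsupported exponent byte: {exponent!r}')


def flag_candidates(exp1: str, exp2: str):
    """Yield every 10-character flag candidate for one exponent combination.

    Layout: ``<2 hex><exp1><1 hex>0<2 hex><exp2>``, upper-cased. Candidates are
    produced in the same order as the original hand-written loops: first half
    outermost, middle pair next, second half innermost.

    Args:
        exp1: exponent byte of the first double (``'40'`` or ``'3f'``).
        exp2: exponent byte of the second double (``'40'`` or ``'3f'``).
    """
    for first, middle, second in product(
        mantissa_prefixes(exp1), MIDDLES, mantissa_prefixes(exp2)
    ):
        yield (first + exp1 + middle + second + exp2).upper()


def search(candidates) -> str | None:
    """Feed each candidate to the crackme on stdin and return the first accepted one.

    Acceptance is detected by ``b'Con'`` appearing in the child's stdout (the
    congratulation message); stderr is left inherited. Every candidate and the
    program's response are printed, as in the original script.

    Returns:
        The accepted candidate, or ``None`` if every candidate is rejected.
    """
    for candidate in candidates:
        # The context manager waits for the child and closes both pipe ends
        # even if communicate() raises, so no handle leaks across thousands
        # of runs.
        with Popen(path, stdin=PIPE, stdout=PIPE) as proc:
            output = proc.communicate(input=candidate.encode())
        print(candidate, ':', output)
        if b'Con' in output[0]:
            print('!!!')
            return candidate
    return None


def f() -> str | None:
    """Case 1: both doubles in [2.0, 10.0) (exponent bytes 0x40 / 0x40)."""
    return search(flag_candidates('40', '40'))


def f1() -> str | None:
    """Case 2: both doubles in (1.0, 2.0) (exponent bytes 0x3f / 0x3f)."""
    return search(flag_candidates('3f', '3f'))


def f2() -> str | None:
    """Case 3: first double in [2.0, 10.0), second in (1.0, 2.0)."""
    return search(flag_candidates('40', '3f'))


def f3() -> str | None:
    """Case 4: first double in (1.0, 2.0), second in [2.0, 10.0)."""
    return search(flag_candidates('3f', '40'))


if __name__ == '__main__':
    # Only case 4 is run here; the calls to f(), f1() and f2() were commented
    # out in the original script (presumably already run without a hit).
    f3()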
跑出来的flag为F13FE02140