几个关键验证

flag长度为10:

1	`if` `( strlen(buf) !=` `10` `)`

每个字符为0-9或A-F:

1 2	`if` `( (unsigned __int8)(v9` `-` `'A') >` `5u` `)` `return` `0LL;`

10个字符两两分为5组转为16进制保存在hex中:

1	`(unsigned` `int)sub_401CE0((__int64)Format, (__int64)buf, (__int64)hex, (__int64)buf,` `10) !=` `5`

hex中前两个和后3个分别组成两个浮点数:

HIWORD(v18[0]) = *(_WORD *)hex;
v18[2] = v18[0];
*(_WORD *)((char *)&v18[1] + 5) = *(_WORD *)&hex[2];
HIBYTE(v18[1]) = hex[4];
v18[3] = v18[1];

两个浮点数范围(1.0,10.0):

1	`if` `( v17 <=` `1.0` `\|\| v17 >=` `10.0` `\|\| (v18` `=` `v8[3], v18 <=` `1.0) \|\| v18 >=` `10.0` `)`

第六个字符为0:

1	`if` `( sub_403360((__int64)Format, (__int64)buf, (double)(buf[0]` `-` `48)` `` `(double)(buf[0]` `-` `48)` `+` `(double)(buf[2]` `-` `48)` `` `(double)(buf[2]` `-` `48)` `+` `v12, v12) <=` `15.5` `\|\|` `hex[2] &` `0xF` `)`

double类型的表示

double类型用二进制的科学记数法来表示。
共有64位。
最高位(第0位)是符号位，1为负，0为正。
1-11位为1023+2的指数。
后面的12-63位保存具体的数值(去掉了开头的1，这样能多1位的精度)

穷举代码

一开始没有考虑到整数部分为1的情况，不想合并重新跑。就分了4种情况。全部穷举完要3个小时。

from subprocess import *
 
path = r'\Desktop\kanxueCTF2018\13\NNCrackme\NN.exe'
def f():
    for i1 in range(0x24):
        s1 = hex(i1)[2:].rjust(2,'0')
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(0x24):
                s3 = hex(i3)[2:].rjust(2,'0')
                s = (s1 + '40' + s2 + '0' + s3 + '40').upper()
 
                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return
 
def f1():
    for i1 in range(1,16):
        s1 = hex(i1)[2:]
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(1,16):
                s3 = hex(i3)[2:]
                s = ('f' + s1 + '3f' + s2 + '0' + 'f' + s3 + '3f').upper()
 
                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return
 
def f2():
    for i1 in range(0x24):
        s1 = hex(i1)[2:].rjust(2,'0')
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(1,16):
                s3 = hex(i3)[2:]
                s = (s1 + '40' + s2 + '0' + 'f' + s3 + '3f').upper()
 
                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return
 
def f3():
    for i1 in range(1,16):
        s1 = hex(i1)[2:]
        for i2 in range(16):
            s2 = hex(i2)[2:]
            for i3 in range(0x24):
                s3 = hex(i3)[2:].rjust(2,'0')
                s = ('f' + s1 + '3f' + s2 + '0' + s3 + '40').upper()
 
                p = Popen(path,stdin=PIPE,stdout=PIPE)
                output = p.communicate(input = s.encode())
                print(s,':',output)
                if b'Con' in output[0]:
                    print('!!!')
                    return
 
 
#f()
#f1()
#f2()
f3()