首页
社区
课程
招聘
[原创]kctf2021 第二题
发表于: 2021-5-12 11:48 5623

[原创]kctf2021 第二题

2021-5-12 11:48
5623

逻辑很简单。
图片描述
主要是存在一个二维数组,根据输入得flag来实现位移,最后需要数组所有数非0.

扣代码,爆破。

打印结果如下:

最后获取flag GJ0V4LA4VKEVQZSVCNGJ00N

83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0,
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0,
char char_table[64]= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char hash_table[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};
char hash_table_bk[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};
 
 
int __cdecl main2(char* flag)
{
    char flag_ch; // al
    int flag_off=0; // esi
    int offset_in_char_table; // ecx
    int v7; // edx
    int v8; // eax
    unsigned int x1; // ecx
    int v10; // eax
    int is_even; // edx
    int v12; // eax
    char* v13; // eax
    char* v14; // eax
    int v15; // edx
    char* v16; // ecx
    int v17; // eax
    int v18; // eax
    int v19; // eax
    int v20; // [esp+1Ch] [ebp-60h]
    unsigned int y1; // [esp+20h] [ebp-5Ch]
    unsigned int v22; // [esp+24h] [ebp-58h]
    char v23; // [esp+2Bh] [ebp-51h]
    int v24; // [esp+2Ch] [ebp-50h]
 
 
    if (strlen(flag) <= 0x30)
    {
        flag_ch = flag[0];
        if (flag[0])
        {
            flag_off = 0;
            y1 = 0;
            v22 = 0;
            v24 = 36;
            v23 = char_table[0];
        LABEL_4:
            if (v24 > 0)
            {
                offset_in_char_table = 0;
                if (v23 == flag_ch)
                {
                LABEL_11:
                    v7 = (flag_off + offset_in_char_table / 6) % 6;
                    v8 = offset_in_char_table + flag_off;
                    x1 = v22;
                    v20 = v7;
                    v10 = 5 - v8 % 6;
                    for (is_even = 0; ; is_even = 1)
                    {
                        switch (v10)
                        {
                        case 1:
                            ++x1;
                            break;
                        case 2:
                            v17 = (y1++ & 1) == 0;
                            x1 += v17;
                            break;
                        case 3:
                            v12 = (y1++ & 1) != 0;
                            x1 -= v12;
                            break;
                        case 4:
                            --x1;
                            break;
                        case 5:
                            v19 = (y1-- & 1) != 0;
                            x1 -= v19;
                            break;
                        default:
                            v18 = (y1-- & 1) == 0;
                            x1 += v18;
                            break;
                        }
                        if (x1 > 9)
                            break;
                        if (y1 > 8)
                            break;
                        v13 = &hash_table[10 * y1 + x1];
                        if (*v13)
                            break;
                        *v13 = 1;
                        if (is_even == 1)
                        {
                            ++flag_off;
                            v22 = x1;
                            flag_ch = flag[flag_off];
                            if (flag_ch)
                                goto LABEL_4;
                            goto LABEL_19;
                        }
                        v10 = v20;
                    }
                }
                else
                {
                    while (v24 != ++offset_in_char_table)
                    {
                        if (char_table[offset_in_char_table] == flag_ch)
                            goto LABEL_11;
                    }
                }
            }
        }
        else
        {
        LABEL_19:
            //v14 = hash_table;
            //v15 = 0;
            //do
            //{
            //    v16 = v14 + 10;
            //    do
            //        v15 += *v14++ == 0;
            //    while (v16 != v14);
            //} while (&unk_4B70DA != (_UNKNOWN*)v16);
            //if (!v15)
            //{
            //    return v4;
            //}
            return flag_off;
        }
    }
    return flag_off;
}
 
 
 
 
 
void test2(char* flag,int pos) {
    char hash_table_tmp[90];
    memcpy(hash_table_tmp, hash_table, 90);
    for (int i = 0; i < strlen(char_table); i++) {
        flag[pos] = char_table[i];
        memcpy(hash_table, hash_table_bk, 90);
        int res = main2(flag);
        if (pos < res) {
            printf("%d %s\n", res, flag);
            test2(flag, pos + 1);
        }
        memcpy(hash_table, hash_table_tmp, 90);
    }
    flag[pos] = 0;
}
 
int main() {
    char flag[32] = "G1111111";
    test2(flag,0);
    int i = 0;
    return 0;
}
char char_table[64]= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char hash_table[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};
char hash_table_bk[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};
 
 
int __cdecl main2(char* flag)
{
    char flag_ch; // al
    int flag_off=0; // esi
    int offset_in_char_table; // ecx
    int v7; // edx
    int v8; // eax
    unsigned int x1; // ecx
    int v10; // eax
    int is_even; // edx
    int v12; // eax
    char* v13; // eax
    char* v14; // eax
    int v15; // edx
    char* v16; // ecx
    int v17; // eax
    int v18; // eax
    int v19; // eax
    int v20; // [esp+1Ch] [ebp-60h]
    unsigned int y1; // [esp+20h] [ebp-5Ch]
    unsigned int v22; // [esp+24h] [ebp-58h]
    char v23; // [esp+2Bh] [ebp-51h]
    int v24; // [esp+2Ch] [ebp-50h]
 
 
    if (strlen(flag) <= 0x30)
    {
        flag_ch = flag[0];
        if (flag[0])
        {
            flag_off = 0;
            y1 = 0;
            v22 = 0;
            v24 = 36;
            v23 = char_table[0];
        LABEL_4:
            if (v24 > 0)
            {
                offset_in_char_table = 0;
                if (v23 == flag_ch)
                {
                LABEL_11:
                    v7 = (flag_off + offset_in_char_table / 6) % 6;
                    v8 = offset_in_char_table + flag_off;
                    x1 = v22;
                    v20 = v7;
                    v10 = 5 - v8 % 6;
                    for (is_even = 0; ; is_even = 1)
                    {
                        switch (v10)
                        {
                        case 1:
                            ++x1;
                            break;
                        case 2:
                            v17 = (y1++ & 1) == 0;
                            x1 += v17;
                            break;
                        case 3:
                            v12 = (y1++ & 1) != 0;
                            x1 -= v12;
                            break;
                        case 4:
                            --x1;
                            break;
                        case 5:
                            v19 = (y1-- & 1) != 0;
                            x1 -= v19;
                            break;
                        default:
                            v18 = (y1-- & 1) == 0;
                            x1 += v18;
                            break;
                        }
                        if (x1 > 9)
                            break;
                        if (y1 > 8)
                            break;
                        v13 = &hash_table[10 * y1 + x1];
                        if (*v13)
                            break;
                        *v13 = 1;
                        if (is_even == 1)
                        {
                            ++flag_off;
                            v22 = x1;
                            flag_ch = flag[flag_off];
                            if (flag_ch)
                                goto LABEL_4;
                            goto LABEL_19;
                        }
                        v10 = v20;
                    }
                }
                else
                {
                    while (v24 != ++offset_in_char_table)
                    {

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 2
支持
分享
最新回复 (1)
雪    币: 8209
活跃值: (4518)
能力值: ( LV15,RANK:2473 )
在线值:
发帖
回帖
粉丝
2
爆破我喜欢
2021-5-12 12:34
0
游客
登录 | 注册 方可回帖
返回
//