-
-
[原创]kctf2021 第二题
-
发表于: 2021-5-12 11:48
-
逻辑很简单。
主要是存在一个二维数组,根据输入得flag来实现位移,最后需要数组所有数非0.
扣代码,爆破。
打印结果如下:
最后获取flag GJ0V4LA4VKEVQZSVCNGJ00N
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0,
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0,
char char_table[64]= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char hash_table[90] = {
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};char hash_table_bk[90] = {
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};int __cdecl main2(char* flag)
{ char flag_ch; // al
int flag_off=0; // esi
int offset_in_char_table; // ecx
int v7; // edx
int v8; // eax
unsigned int x1; // ecx
int v10; // eax
int is_even; // edx
int v12; // eax
char* v13; // eax
char* v14; // eax
int v15; // edx
char* v16; // ecx
int v17; // eax
int v18; // eax
int v19; // eax
int v20; // [esp+1Ch] [ebp-60h]
unsigned int y1; // [esp+20h] [ebp-5Ch]
unsigned int v22; // [esp+24h] [ebp-58h]
char v23; // [esp+2Bh] [ebp-51h]
int v24; // [esp+2Ch] [ebp-50h]
if (strlen(flag) <= 0x30)
{
flag_ch = flag[0];
if (flag[0])
{
flag_off = 0;
y1 = 0;
v22 = 0;
v24 = 36;
v23 = char_table[0];
LABEL_4:
if (v24 > 0)
{
offset_in_char_table = 0;
if (v23 == flag_ch)
{
LABEL_11:
v7 = (flag_off + offset_in_char_table / 6) % 6;
v8 = offset_in_char_table + flag_off;
x1 = v22;
v20 = v7;
v10 = 5 - v8 % 6;
for (is_even = 0; ; is_even = 1)
{
switch (v10)
{
case 1:
++x1;
break;
case 2:
v17 = (y1++ & 1) == 0;
x1 += v17;
break;
case 3:
v12 = (y1++ & 1) != 0;
x1 -= v12;
break;
case 4:
--x1;
break;
case 5:
v19 = (y1-- & 1) != 0;
x1 -= v19;
break;
default:
v18 = (y1-- & 1) == 0;
x1 += v18;
break;
}
if (x1 > 9)
break;
if (y1 > 8)
break;
v13 = &hash_table[10 * y1 + x1];
if (*v13)
break;
*v13 = 1;
if (is_even == 1)
{
++flag_off;
v22 = x1;
flag_ch = flag[flag_off];
if (flag_ch)
goto LABEL_4;
goto LABEL_19;
}
v10 = v20;
}
}
else
{
while (v24 != ++offset_in_char_table)
{
if (char_table[offset_in_char_table] == flag_ch)
goto LABEL_11;
}
}
}
}
else
{
LABEL_19:
//v14 = hash_table;
//v15 = 0;
//do
//{
// v16 = v14 + 10;
// do
// v15 += *v14++ == 0;
// while (v16 != v14);
//} while (&unk_4B70DA != (_UNKNOWN*)v16);
//if (!v15)
//{
// return v4;
//}
return flag_off;
}
}
return flag_off;
}void test2(char* flag,int pos) {
char hash_table_tmp[90];
memcpy(hash_table_tmp, hash_table, 90);
for (int i = 0; i < strlen(char_table); i++) {
flag[pos] = char_table[i];
memcpy(hash_table, hash_table_bk, 90);
int res = main2(flag);
if (pos < res) {
printf("%d %s\n", res, flag);
test2(flag, pos + 1);
}
memcpy(hash_table, hash_table_tmp, 90);
}
flag[pos] = 0;
}int main() {
char flag[32] = "G1111111";
test2(flag,0);
int i = 0;
return 0;
}char char_table[64]= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char hash_table[90] = {
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};char hash_table_bk[90] = {
83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};int __cdecl main2(char* flag)
{ char flag_ch; // al
int flag_off=0; // esi
int offset_in_char_table; // ecx
int v7; // edx
int v8; // eax
unsigned int x1; // ecx
int v10; // eax
int is_even; // edx
int v12; // eax
char* v13; // eax
char* v14; // eax
int v15; // edx
char* v16; // ecx
int v17; // eax
int v18; // eax
int v19; // eax
int v20; // [esp+1Ch] [ebp-60h]
unsigned int y1; // [esp+20h] [ebp-5Ch]
unsigned int v22; // [esp+24h] [ebp-58h]
char v23; // [esp+2Bh] [ebp-51h]
int v24; // [esp+2Ch] [ebp-50h]
if (strlen(flag) <= 0x30)
{
flag_ch = flag[0];
if (flag[0])
{
flag_off = 0;
y1 = 0;
v22 = 0;
v24 = 36;
v23 = char_table[0];
LABEL_4:
if (v24 > 0)
{
offset_in_char_table = 0;
if (v23 == flag_ch)
{
LABEL_11:
v7 = (flag_off + offset_in_char_table / 6) % 6;
v8 = offset_in_char_table + flag_off;
x1 = v22;
v20 = v7;
v10 = 5 - v8 % 6;
for (is_even = 0; ; is_even = 1)
{
switch (v10)
{
case 1:
++x1;
break;
case 2:
v17 = (y1++ & 1) == 0;
x1 += v17;
break;
case 3:
v12 = (y1++ & 1) != 0;
x1 -= v12;
break;
case 4:
--x1;
break;
case 5:
v19 = (y1-- & 1) != 0;
x1 -= v19;
break;
default:
v18 = (y1-- & 1) == 0;
x1 += v18;
break;
}
if (x1 > 9)
break;
if (y1 > 8)
break;
v13 = &hash_table[10 * y1 + x1];
if (*v13)
break;
*v13 = 1;
if (is_even == 1)
{
++flag_off;
v22 = x1;
flag_ch = flag[flag_off];
if (flag_ch)
goto LABEL_4;
goto LABEL_19;
}
v10 = v20;
}
}
else
{
while (v24 != ++offset_in_char_table)
{
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
