
[原创]kctf2021 第二题

2021-5-12 11:48
4744

逻辑很简单。
图片描述
程序中有一个二维数组(9 行 × 10 列),根据输入的 flag 在数组中移动,并把走到的格子置为非 0;最后要求数组中所有元素都非 0。

83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
0, 0, 0, 1, 0, 0, 1, 1, 0, 0,

把反编译出来的校验代码抠出来,逐字符爆破。

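/*
 * Alphabet accepted by the checker: digits followed by upper-case letters,
 * 36 characters in total. main2 uses a character's index in this string to
 * derive its two step directions.
 */
char char_table[64]= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/*
 * Working grid: 9 rows of 10 cells, stored row-major (main2 addresses it as
 * hash_table[10 * y + x]). A non-zero cell is occupied; main2 sets every cell
 * it steps on to 1. The walk begins at x = 0, y = 0, which holds 83
 * (ASCII 'S', presumably a start marker). 46 cells are 0 in this initial
 * state.
 */
char hash_table[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};

/*
 * Pristine copy of the initial grid, used only as the memcpy source when the
 * working grid is reset before a replay. Declared const so an accidental
 * write to the reference copy is caught at compile time.
 */
const char hash_table_bk[90] = {
    83, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 1, 1, 1, 1, 1, 0,
    0, 1, 1, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 1, 0, 0, 1, 0, 0, 1, 1,
    1, 1, 0, 1, 1, 1, 0, 1, 0, 1,
    0, 0, 1, 1, 1, 1, 0, 1, 0, 1,
    0, 1, 1, 0, 0, 1, 0, 1, 0, 1,
    0, 0, 0, 1, 0, 0, 1, 1, 0, 0
};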
 
 
/*
 * Replays a candidate flag against the grid in hash_table and returns how
 * many leading characters were consumed before the walk stopped.
 *
 * This is decompiler output (the register/stack notes on the locals come from
 * the decompiler), kept as-is apart from the disabled final check.
 *
 * For each flag character the function looks up its index in char_table,
 * derives two step directions from that index and the character's position,
 * and takes both steps from the current cell. Each step must land inside the
 * 10-column x 9-row grid on a cell that is still 0; that cell is then set
 * to 1. The walk starts at x = 0, y = 0.
 *
 * flag: NUL-terminated candidate. Flags longer than 0x30 characters are
 *       rejected up front and yield 0.
 * Returns the number of characters whose two steps both succeeded. The walk
 * stops at the first character that is not in char_table, or whose step
 * leaves the grid or lands on a non-zero cell.
 *
 * Side effect: hash_table is modified and never restored here, so the caller
 * has to reset it before replaying another candidate.
 */
int __cdecl main2(char* flag)
{
    char flag_ch; // current flag character (al)
    int flag_off=0; // characters consumed so far; also the return value (esi)
    int offset_in_char_table; // index of flag_ch in char_table (ecx)
    int v7; // direction of the second step (edx)
    int v8; // offset_in_char_table + flag_off (eax)
    unsigned int x1; // current column; unsigned, so stepping below 0 wraps and fails the > 9 test (ecx)
    int v10; // direction of the step being taken, 0..5 (eax)
    int is_even; // despite the name: step index for this character, 0 = first step, 1 = second (edx)
    int v12; // eax
    char* v13; // grid cell reached by the current step (eax)
    char* v14; // only referenced by the disabled check at LABEL_19 (eax)
    int v15; // only referenced by the disabled check at LABEL_19 (edx)
    char* v16; // only referenced by the disabled check at LABEL_19 (ecx)
    int v17; // eax
    int v18; // eax
    int v19; // eax
    int v20; // saved direction for the second step [esp+1Ch] [ebp-60h]
    unsigned int y1; // current row; unsigned, so stepping below 0 wraps and fails the > 8 test [esp+20h] [ebp-5Ch]
    unsigned int v22; // column reached after the previous character [esp+24h] [ebp-58h]
    char v23; // cached char_table[0] [esp+2Bh] [ebp-51h]
    int v24; // number of characters in the alphabet (36) [esp+2Ch] [ebp-50h]
 
 
    if (strlen(flag) <= 0x30)
    {
        flag_ch = flag[0];
        if (flag[0])
        {
            // Start of the walk: top-left cell, nothing consumed yet.
            flag_off = 0;
            y1 = 0;
            v22 = 0;
            v24 = 36;
            v23 = char_table[0];
        LABEL_4:
            // Per-character entry point: find flag_ch in char_table.
            if (v24 > 0)
            {
                offset_in_char_table = 0;
                if (v23 == flag_ch)
                {
                LABEL_11:
                    // Two directions per character, both in 0..5:
                    //   first  = 5 - (index + position) % 6
                    //   second = (position + index / 6) % 6
                    v7 = (flag_off + offset_in_char_table / 6) % 6;
                    v8 = offset_in_char_table + flag_off;
                    x1 = v22;
                    v20 = v7;
                    v10 = 5 - v8 % 6;
                    for (is_even = 0; ; is_even = 1)
                    {
                        // NOTE(review): the row-parity-dependent column shift
                        // looks like neighbour steps on a hexagonal grid in
                        // offset coordinates - confirm against the binary.
                        switch (v10)
                        {
                        case 1:
                            // same row, next column
                            ++x1;
                            break;
                        case 2:
                            // next row; column + 1 when leaving an even row
                            v17 = (y1++ & 1) == 0;
                            x1 += v17;
                            break;
                        case 3:
                            // next row; column - 1 when leaving an odd row
                            v12 = (y1++ & 1) != 0;
                            x1 -= v12;
                            break;
                        case 4:
                            // same row, previous column
                            --x1;
                            break;
                        case 5:
                            // previous row; column - 1 when leaving an odd row
                            v19 = (y1-- & 1) != 0;
                            x1 -= v19;
                            break;
                        default:
                            // direction 0: previous row; column + 1 when leaving an even row
                            v18 = (y1-- & 1) == 0;
                            x1 += v18;
                            break;
                        }
                        // Out of the grid (including wrap-around below 0): stop.
                        if (x1 > 9)
                            break;
                        if (y1 > 8)
                            break;
                        v13 = &hash_table[10 * y1 + x1];
                        // Cell already occupied: stop.
                        if (*v13)
                            break;
                        *v13 = 1;
                        if (is_even == 1)
                        {
                            // Both steps succeeded: the character is consumed.
                            ++flag_off;
                            v22 = x1;
                            flag_ch = flag[flag_off];
                            if (flag_ch)
                                goto LABEL_4;
                            goto LABEL_19;
                        }
                        // First step done; switch to the second direction.
                        v10 = v20;
                    }
                }
                else
                {
                    // Linear search for flag_ch; if the loop runs out, the
                    // character is not in the alphabet and control falls
                    // through to the final return.
                    while (v24 != ++offset_in_char_table)
                    {
                        if (char_table[offset_in_char_table] == flag_ch)
                            goto LABEL_11;
                    }
                }
            }
        }
        else
        {
        LABEL_19:
            // End of the flag reached. The decompiled check below is disabled
            // for brute forcing: it counted the cells of hash_table that are
            // still 0 and returned v4 (not declared in this listing) when none
            // were left. The solver only needs the consumed-character count.
            //v14 = hash_table;
            //v15 = 0;
            //do
            //{
            //    v16 = v14 + 10;
            //    do
            //        v15 += *v14++ == 0;
            //    while (v16 != v14);
            //} while (&unk_4B70DA != (_UNKNOWN*)v16);
            //if (!v15)
            //{
            //    return v4;
            //}
            return flag_off;
        }
    }
    return flag_off;
}
 
 
 
 
 
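/*
 * Depth-first search over flag characters, one position at a time.
 *
 * For every character of char_table, places it at flag[pos], resets the grid
 * from hash_table_bk, and replays the whole candidate with main2. When main2
 * consumes more than pos characters, the character at pos was accepted: the
 * candidate is printed with the consumed count and the search descends to
 * pos + 1. On return flag[pos] is set to 0, truncating the candidate.
 *
 * flag: writable, NUL-terminated buffer owned by the caller. The function is
 *       not given the buffer size and cannot check it; the caller must
 *       provide room for every position the search can reach plus a
 *       terminator, and the bytes after the seed must be 0. With the grid on
 *       this page (46 empty cells, two filled per character) the search
 *       writes at most index 23.
 * pos:  index of the character to try at this depth.
 */
void test2(char* flag,int pos) {
    char hash_table_tmp[90];
    /* The alphabet does not change during the search, so measure it once
     * instead of calling strlen on every loop iteration. */
    const size_t alphabet_len = strlen(char_table);

    /* Grid state on entry, put back after every attempt. */
    memcpy(hash_table_tmp, hash_table, sizeof hash_table_tmp);
    for (size_t i = 0; i < alphabet_len; i++) {
        flag[pos] = char_table[i];
        /* main2 replays the candidate from its first character, so it needs
         * the pristine grid each time. */
        memcpy(hash_table, hash_table_bk, sizeof hash_table_tmp);
        int res = main2(flag);
        if (pos < res) {
            printf("%d %s\n", res, flag);
            test2(flag, pos + 1);
        }
        memcpy(hash_table, hash_table_tmp, sizeof hash_table_tmp);
    }
    flag[pos] = 0;
}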
 
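/*
 * Entry point of the solver: seeds a candidate buffer and starts the search
 * at position 0. The bytes after the seed string are zero-initialised, so the
 * candidate stays NUL-terminated while test2 extends it within the buffer.
 */
int main(void) {
    char flag[32] = "G1111111";
    test2(flag, 0);
    return 0;
}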

打印结果如下:

1 G1111111
2 G9111111
3 G9011111
4 G90J1111
5 G90JO111
6 G90JOB11
7 G90JOB41
8 G90JOB4N
9 G90JOB4NG
10 G90JOB4NGB
11 G90JOB4NGB2
6 G90JOL
7 G90JOLK
8 G90JOLKO
9 G90JOLKOB
10 G90JOLKOBA
11 G90JOLKOBAE
12 G90JOLKOBAEB
13 G90JOLKOBAEBO
14 G90JOLKOBAEBOZ
6 G90JON
7 G90JONL
8 G90JONL2
2 GJ
3 GJ0
4 GJ0V
5 GJ0V4
6 GJ0V4L
7 GJ0V4LA
8 GJ0V4LA4
9 GJ0V4LA4V
10 GJ0V4LA4VK
11 GJ0V4LA4VKE
12 GJ0V4LA4VKEB
13 GJ0V4LA4VKEB4
14 GJ0V4LA4VKEB4N
15 GJ0V4LA4VKEB4NG
16 GJ0V4LA4VKEB4NGB
17 GJ0V4LA4VKEB4NGB2
18 GJ0V4LA4VKEB4NGB2L
19 GJ0V4LA4VKEB4NGB2LE
20 GJ0V4LA4VKEB4NGB2LEX
12 GJ0V4LA4VKEN
13 GJ0V4LA4VKENL
14 GJ0V4LA4VKENL2
12 GJ0V4LA4VKEV
13 GJ0V4LA4VKEVQ
14 GJ0V4LA4VKEVQZ
15 GJ0V4LA4VKEVQZS
16 GJ0V4LA4VKEVQZSV
17 GJ0V4LA4VKEVQZSVC
18 GJ0V4LA4VKEVQZSVCN
19 GJ0V4LA4VKEVQZSVCNG
20 GJ0V4LA4VKEVQZSVCNGJ
21 GJ0V4LA4VKEVQZSVCNGJ0
22 GJ0V4LA4VKEVQZSVCNGJ00
23 GJ0V4LA4VKEVQZSVCNGJ00N
2 GX
3 GX2
4 GX2J
5 GX2JO
6 GX2JON
7 GX2JONQ
8 GX2JONQ7
9 GX2JONQ77
10 GX2JONQ77O
8 GX2JONQJ
9 GX2JONQJ0
10 GX2JONQJ05
11 GX2JONQJ059
12 GX2JONQJ059Q
13 GX2JONQJ059QP
14 GX2JONQJ059QPZ
15 GX2JONQJ059QPZQ
16 GX2JONQJ059QPZQ9
17 GX2JONQJ059QPZQ9E
9 GX2JONQJG
10 GX2JONQJGB
11 GX2JONQJGBE

最后获取 flag:GJ0V4LA4VKEVQZSVCNGJ00N(输出中唯一长度为 23 的候选;每个字符会填 2 个格子,23 个字符恰好填满表中全部 46 个 0)。


最新回复 (1)
ccfer 16 2021-5-12 12:34
爆破我喜欢