[原创]KCTF2021 春季赛 第四题 英雄救美 WP
发表于: 2021-5-15 01:23 6208


main函数伪代码如下:

从sudoku函数内可以提取到数独

sudoku函数只在数值为0处填充解,所以把0处的解提取出来

再看serial2solve函数

清楚序列号转数独解的过程后,撸一份python解出flag即可

运行得到flag(下面整行都是)

吐槽:目前的flag都不是KCTF{}格式

// Decompiler pseudo-code of the crackme's entry point (reviewer-annotated).
// Flow visible in this listing:
//   1. read a serial from stdin;
//   2. gate on len <= 64, serial2solve() == 1 and sudoku() == 1;
//   3. hash the serial through the v9 context into v11;
//   4. allocate 0x620 bytes of executable memory, fill it 16 bytes at a time
//      from unk_4181A0, pass each block through sub_4028B0, then call it.
// Always returns 0, whether or not the gate passes.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int len; // kr00_4
  int v4; // ecx
  char *v5; // esi
  int v6; // edi
  void (*v8)(void); // [esp+Ch] [ebp-2CCh]
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF
  int solve[128]; // [esp+68h] [ebp-270h] BYREF
  __int128 v11; // [esp+268h] [ebp-70h] BYREF
  char serial[92]; // [esp+278h] [ebp-60h] BYREF
 
  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  // NOTE(review): scanf_s requires a buffer-size argument after each %s
  // destination; none is shown here. The decompiler has probably dropped the
  // variadic argument - confirm in the disassembly before drawing conclusions
  // about how many bytes can land in the 92-byte serial buffer.
  scanf_s("%s", serial);
  len = strlen(serial);
  // First check that the serial is well-formed; if so it is converted into the
  // sudoku solution, which is then filled into the grid.
  // The length bound (64) is applied only here, after the read has completed.
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0;
    v9[4] = 0;
    // These four words are the MD5 (and MD4) initial chaining values. With
    // v9[4]/v9[5] zeroed and 22 ints in total, the layout looks like a
    // state[4] / count[2] / 64-byte-buffer hash context - presumably MD5;
    // confirm from the body of sub_4014E0.
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);      // compute the hash of serial, used to decrypt the shellcode
    // Presumably the finalisation step writing the 16-byte digest into v11 - TODO confirm.
    sub_4015B0((int)&v11, (int)v9);
    // v4 is never assigned in this listing; it is declared as living in ecx, so
    // this is most likely a register argument the decompiler could not resolve.
    sub_401ED0(v4, (unsigned __int8 *)&v11);
    // 0x620 = 1568 = 98 * 16 bytes; 0x1000 is MEM_COMMIT and 0x40 is
    // PAGE_EXECUTE_READWRITE, i.e. a writable and executable region.
    // The return value is not checked for NULL before it is written to.
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98;
    do
    {
      // Source address is unk_4181A0 + (v5 - v8): the same offset into the
      // embedded blob as the current offset into the new allocation.
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      // Called once per 16-byte block with the solve buffer and the block just
      // copied; presumably transforms the block in place (block decryption) -
      // verify against sub_4028B0.
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    // Control transfers into the freshly written RWX buffer. For triage, the
    // allocate-RWX / write / indirect-call sequence is the run-time unpacking
    // pattern to flag; the payload is not present in cleartext in the binary.
    v8();
  }
  return 0;
}
// Decompiler pseudo-code of the crackme's entry point (reviewer-annotated).
// Flow visible in this listing:
//   1. read a serial from stdin;
//   2. gate on len <= 64, serial2solve() == 1 and sudoku() == 1;
//   3. hash the serial through the v9 context into v11;
//   4. allocate 0x620 bytes of executable memory, fill it 16 bytes at a time
//      from unk_4181A0, pass each block through sub_4028B0, then call it.
// Always returns 0, whether or not the gate passes.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int len; // kr00_4
  int v4; // ecx
  char *v5; // esi
  int v6; // edi
  void (*v8)(void); // [esp+Ch] [ebp-2CCh]
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF
  int solve[128]; // [esp+68h] [ebp-270h] BYREF
  __int128 v11; // [esp+268h] [ebp-70h] BYREF
  char serial[92]; // [esp+278h] [ebp-60h] BYREF
 
  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  // NOTE(review): scanf_s requires a buffer-size argument after each %s
  // destination; none is shown here. The decompiler has probably dropped the
  // variadic argument - confirm in the disassembly before drawing conclusions
  // about how many bytes can land in the 92-byte serial buffer.
  scanf_s("%s", serial);
  len = strlen(serial);
  // First check that the serial is well-formed; if so it is converted into the
  // sudoku solution, which is then filled into the grid.
  // The length bound (64) is applied only here, after the read has completed.
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0;
    v9[4] = 0;
    // These four words are the MD5 (and MD4) initial chaining values. With
    // v9[4]/v9[5] zeroed and 22 ints in total, the layout looks like a
    // state[4] / count[2] / 64-byte-buffer hash context - presumably MD5;
    // confirm from the body of sub_4014E0.
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);      // compute the hash of serial, used to decrypt the shellcode
    // Presumably the finalisation step writing the 16-byte digest into v11 - TODO confirm.
    sub_4015B0((int)&v11, (int)v9);
    // v4 is never assigned in this listing; it is declared as living in ecx, so
    // this is most likely a register argument the decompiler could not resolve.
    sub_401ED0(v4, (unsigned __int8 *)&v11);
    // 0x620 = 1568 = 98 * 16 bytes; 0x1000 is MEM_COMMIT and 0x40 is
    // PAGE_EXECUTE_READWRITE, i.e. a writable and executable region.
    // The return value is not checked for NULL before it is written to.
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98;
    do
    {
      // Source address is unk_4181A0 + (v5 - v8): the same offset into the
      // embedded blob as the current offset into the new allocation.
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      // Called once per 16-byte block with the solve buffer and the block just
      // copied; presumably transforms the block in place (block decryption) -
      // verify against sub_4028B0.
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    // Control transfers into the freshly written RWX buffer. For triage, the
    // allocate-RWX / write / indirect-call sequence is the run-time unpacking
    // pattern to flag; the payload is not present in cleartext in the binary.
    v8();
  }
  return 0;
}
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
//懒得解(不会解)数独,直接求助度娘解出来
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
//懒得解(不会解)数独,直接求助度娘解出来
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2
