首页
社区
课程
招聘
[原创]KCTF2021 春季赛 第四题 英雄救美 WP
发表于: 2021-5-15 01:23 6218

[原创]KCTF2021 春季赛 第四题 英雄救美 WP

2021-5-15 01:23
6218

main函数伪代码如下:

从sudoku函数内可以提取到数独

sudoku函数只在数值为0处填充解,所以把0处的解提取出来

再看serial2solve函数

清楚序列号转数独解的过程后,撸一份python解出flag即可

运行得到flag(下面整行都是)

吐槽:目前的flag都不是KCTF{}格式

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int len; // kr00_4
  int v4; // ecx
  char *v5; // esi
  int v6; // edi
  void (*v8)(void); // [esp+Ch] [ebp-2CCh]
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF
  int solve[128]; // [esp+68h] [ebp-270h] BYREF
  __int128 v11; // [esp+268h] [ebp-70h] BYREF
  char serial[92]; // [esp+278h] [ebp-60h] BYREF
 
  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  scanf_s("%s", serial);
  len = strlen(serial);
  // 先检查序列号是否合法,检测合法则转换成数独的解,然后开始填数独
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0;
    v9[4] = 0;
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);      // 计算serial的hash,解密shellcode
    sub_4015B0((int)&v11, (int)v9);
    sub_401ED0(v4, (unsigned __int8 *)&v11);
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98;
    do
    {
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    v8();
  }
  return 0;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int len; // kr00_4
  int v4; // ecx
  char *v5; // esi
  int v6; // edi
  void (*v8)(void); // [esp+Ch] [ebp-2CCh]
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF
  int solve[128]; // [esp+68h] [ebp-270h] BYREF
  __int128 v11; // [esp+268h] [ebp-70h] BYREF
  char serial[92]; // [esp+278h] [ebp-60h] BYREF
 
  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  scanf_s("%s", serial);
  len = strlen(serial);
  // 先检查序列号是否合法,检测合法则转换成数独的解,然后开始填数独
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0;
    v9[4] = 0;
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);      // 计算serial的hash,解密shellcode
    sub_4015B0((int)&v11, (int)v9);
    sub_401ED0(v4, (unsigned __int8 *)&v11);
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98;
    do
    {
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    v8();
  }
  return 0;
}
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
//懒得解(不会解)数独,直接求助度娘解出来
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
//懒得解(不会解)数独,直接求助度娘解出来
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//