[原创]KCTF2021 春季赛 第四题 英雄救美 WP
发表于: 2021-5-15 01:23 6218
main函数伪代码如下:
从sudoku函数内可以提取到题目给定的数独(见下方第一张表)
sudoku函数只会向原数独中值为0的格子填入序列号转换出来的解,所以只需把这些0位置上对应的解提取出来即可
再看serial2solve函数
弄清楚序列号转换成数独解的过程后,用python写一份逆向脚本即可解出flag
运行得到flag(下面整行都是)
吐槽:目前的flag都不是KCTF{}格式
int __cdecl main(int argc, const char **argv, const char **envp)
{
  /*
   * IDA decompiler output of the challenge binary's entry point.
   *
   * Flow: read a serial from stdin, validate it and convert it into a
   * sudoku solution (serial2solve / sudoku), hash the serial, use the
   * result to decrypt an embedded blob into freshly allocated RWX memory,
   * then jump into that blob. Returns 0 on every path; a rejected serial
   * produces no output at all.
   */
  int len; // kr00_4 -- strlen(serial)
  int v4; // ecx -- never assigned in this listing (decompiler artifact);
          // whatever ecx holds is passed to sub_401ED0
  char *v5; // esi -- write cursor into the VirtualAlloc'd buffer
  int v6; // edi -- remaining 16-byte chunks to copy
  void (*v8)(void); // [esp+Ch] [ebp-2CCh] -- RWX buffer, called at the end
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF -- hash state (IV set below)
  int solve[128]; // [esp+68h] [ebp-270h] BYREF -- sudoku cells derived from the serial
  __int128 v11; // [esp+268h] [ebp-70h] BYREF -- 16-byte output of sub_4015B0
  char serial[92]; // [esp+278h] [ebp-60h] BYREF

  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  // SECURITY: as decompiled, "%s" carries no length argument, so the read
  // into the 92-byte stack buffer is unbounded. The `len <= 64` check below
  // runs after the read and does not protect the buffer. (If the binary does
  // pass a size that IDA dropped, this is moot -- confirm in the disassembly.)
  scanf_s("%s", serial);
  len = strlen(serial);
  // Original author's note: first check that the serial is well-formed; if so,
  // convert it into a sudoku solution, then try to fill the puzzle with it.
  // NOTE(review): `len - 9` goes negative for serials shorter than 9 chars;
  // how sudoku() treats that count is not visible here. If it is the number
  // of cells to fill, a 62-char serial would match the 53 blanks in the
  // puzzle quoted later on this page -- inference, verify against sudoku().
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0; // redundant after the memset; presumably the two length words
    v9[4] = 0; // of a hash context (inferred from layout, not shown here)
    // These four words are the standard MD5 initialisation vector (also the
    // first four words of SHA-1's IV), so sub_4014E0 / sub_4015B0 are
    // presumably update / finalize of such a hash over `serial`. Neither
    // helper is in this listing, so treat the exact algorithm as unconfirmed.
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);
    // Original author's note: compute the hash of serial and decrypt the shellcode.
    sub_4015B0((int)&v11, (int)v9);
    sub_401ED0(v4, (unsigned __int8 *)&v11); // v4 is uninitialised here (see its declaration)
    // VirtualAlloc(NULL, 0x620, MEM_COMMIT, PAGE_EXECUTE_READWRITE): memory that
    // is both writable and executable, and the return value is never checked --
    // on failure v5 becomes NULL and the loop below writes through it.
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98; // 98 * 16 = 0x620 bytes, exactly the allocation size
    do
    {
      // Source address is unk_4181A0 + (v5 - v8): copy the next 16 bytes of the
      // embedded blob to the same offset inside the RWX buffer ...
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      // ... then hand that chunk to sub_4028B0 together with `solve`, i.e. the
      // sudoku cells derived from the serial presumably act as the decryption
      // key. Nothing validates the result, so a serial that passes the checks
      // above but yields the wrong key leads to garbage being executed below.
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    v8(); // jump into the decrypted blob; it is not expected to return here
  }
  return 0;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
  /*
   * IDA decompiler output of the challenge binary's entry point.
   *
   * Flow: read a serial from stdin, validate it and convert it into a
   * sudoku solution (serial2solve / sudoku), hash the serial, use the
   * result to decrypt an embedded blob into freshly allocated RWX memory,
   * then jump into that blob. Returns 0 on every path; a rejected serial
   * produces no output at all.
   */
  int len; // kr00_4 -- strlen(serial)
  int v4; // ecx -- never assigned in this listing (decompiler artifact);
          // whatever ecx holds is passed to sub_401ED0
  char *v5; // esi -- write cursor into the VirtualAlloc'd buffer
  int v6; // edi -- remaining 16-byte chunks to copy
  void (*v8)(void); // [esp+Ch] [ebp-2CCh] -- RWX buffer, called at the end
  int v9[22]; // [esp+10h] [ebp-2C8h] BYREF -- hash state (IV set below)
  int solve[128]; // [esp+68h] [ebp-270h] BYREF -- sudoku cells derived from the serial
  __int128 v11; // [esp+268h] [ebp-70h] BYREF -- 16-byte output of sub_4015B0
  char serial[92]; // [esp+278h] [ebp-60h] BYREF

  printf("\t\t\t看雪CTF大赛\r\n");
  printf("\t\t祝愿看雪CTF大赛越办越好\r\n");
  printf("Serial: ");
  // SECURITY: as decompiled, "%s" carries no length argument, so the read
  // into the 92-byte stack buffer is unbounded. The `len <= 64` check below
  // runs after the read and does not protect the buffer. (If the binary does
  // pass a size that IDA dropped, this is moot -- confirm in the disassembly.)
  scanf_s("%s", serial);
  len = strlen(serial);
  // Original author's note: first check that the serial is well-formed; if so,
  // convert it into a sudoku solution, then try to fill the puzzle with it.
  // NOTE(review): `len - 9` goes negative for serials shorter than 9 chars;
  // how sudoku() treats that count is not visible here. If it is the number
  // of cells to fill, a 62-char serial would match the 53 blanks in the
  // puzzle quoted later on this page -- inference, verify against sudoku().
  if ( len <= 64 && serial2solve(len, serial, solve) == 1 && sudoku((int)solve, len - 9) == 1 )
  {
    v11 = 0i64;
    memset(v9, 0, sizeof(v9));
    v9[5] = 0; // redundant after the memset; presumably the two length words
    v9[4] = 0; // of a hash context (inferred from layout, not shown here)
    // These four words are the standard MD5 initialisation vector (also the
    // first four words of SHA-1's IV), so sub_4014E0 / sub_4015B0 are
    // presumably update / finalize of such a hash over `serial`. Neither
    // helper is in this listing, so treat the exact algorithm as unconfirmed.
    v9[0] = 0x67452301;
    v9[1] = 0xEFCDAB89;
    v9[2] = 0x98BADCFE;
    v9[3] = 0x10325476;
    sub_4014E0((int)serial, (int)v9, len);
    // Original author's note: compute the hash of serial and decrypt the shellcode.
    sub_4015B0((int)&v11, (int)v9);
    sub_401ED0(v4, (unsigned __int8 *)&v11); // v4 is uninitialised here (see its declaration)
    // VirtualAlloc(NULL, 0x620, MEM_COMMIT, PAGE_EXECUTE_READWRITE): memory that
    // is both writable and executable, and the return value is never checked --
    // on failure v5 becomes NULL and the loop below writes through it.
    v8 = (void (*)(void))VirtualAlloc(0, 0x620u, 0x1000u, 0x40u);
    v5 = (char *)v8;
    v6 = 98; // 98 * 16 = 0x620 bytes, exactly the allocation size
    do
    {
      // Source address is unk_4181A0 + (v5 - v8): copy the next 16 bytes of the
      // embedded blob to the same offset inside the RWX buffer ...
      *(__m128i *)v5 = _mm_loadu_si128((const __m128i *)&v5[&unk_4181A0 - (_UNKNOWN *)v8]);
      // ... then hand that chunk to sub_4028B0 together with `solve`, i.e. the
      // sudoku cells derived from the serial presumably act as the decryption
      // key. Nothing validates the result, so a serial that passes the checks
      // above but yields the wrong key leads to garbage being executed below.
      sub_4028B0((int)solve, v5);
      v5 += 16;
      --v6;
    }
    while ( v6 );
    v8(); // jump into the decrypted blob; it is not expected to return here
  }
  return 0;
}
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
// 懒得解(不会解)数独,直接求助度娘解出来(已核对:下面这份解与上面数独的已知格完全一致,且满足行、列、宫的约束;上面数独共有53个空格)
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2
0,4,0,7,0,0,0,0,0
9,2,0,0,0,0,6,0,7
8,3,0,0,0,5,4,0,0
0,1,0,0,0,3,0,0,0
0,0,0,2,0,1,0,0,0
0,0,0,5,0,0,0,4,0
0,0,4,9,0,0,0,7,1
3,0,5,0,0,0,0,9,4
0,0,0,0,0,8,0,6,0
// 懒得解(不会解)数独,直接求助度娘解出来(已核对:下面这份解与上面数独的已知格完全一致,且满足行、列、宫的约束;上面数独共有53个空格)
5,4,6,7,1,9,2,3,8
9,2,1,8,3,4,6,5,7
8,3,7,6,2,5,4,1,9
7,1,8,4,6,3,9,2,5
4,5,3,2,9,1,7,8,6
6,9,2,5,8,7,1,4,3
2,8,4,9,5,6,3,7,1
3,6,5,1,7,2,8,9,4
1,7,9,3,4,8,5,6,2