首页
社区
课程
招聘
[原创]KCTF2022春季赛第2题 末日邀请
发表于: 2022-5-12 16:52 10846

[原创]KCTF2022春季赛第2题 末日邀请

2022-5-12 16:52
10846

with Avalon

主函数第一部分:

可以发现 flag 最长为41
下一段是计算 v5last_rnd_v10 并赋值 magic_arr 为一个固定值
下一部分:

首先是进行一个数字和字符的无差别转换,然后是一个冰雹猜想,接着验证前三位
接下来验证中间四个字符,显然是 KCTF
接着是一段拼凑成数字并排序的验证:

首先通过排序部分,猜测出关键数字 v19 == 9,然后逆向上面的,发现是将 flag 的从低到高位拼凑成一个 9 位的十进制数并满足要求,直接 z3 求解:

拿到之后发现 v20 == 0 于是想构造一个 16 位的输入,那就直接爆前三位:

拿到一个满足条件的 flag == 421KCTF381654729

 
printf(
  "%s\n 而你,作为一个操控韩立的人,千万不要让韩立 GAME OVER 了.\n现在,输入你的操作ID吧:",
  asc_7E55C0);
scanf("%s", flag);
printf("\n现在,你就是韩立,韩立就是你,如遇绝境,吼:男人至死是少年!");
flag[41] = 0;                                 // allocation == 42
flag_len = strlen(flag);
v5 = 0;
v38 = flag_len;
v6 = flag_len;
last_rnd_v10 = 0;
if ( flag_len )
{
  v7 = flag;
  do
  {
    v5 ^= *v7;
    --v6;                                     // length decreaser
    ++v7;                                     // input increaser
    v8 = 8;
    do
    {
      v9 = 2 * v5;
      v10 = v9 ^ 7;                           // xor(v9, 0b111) seems not executable?
      if ( v9 >= 0 )
        v10 = v9;
      v5 = v10;
      --v8;
    }
    while ( v8 );                             // 8 rounds
  }
  while ( v6 );
  flag_len = v38;
  last_rnd_v10 = v10;
}
assign_magic_arr();
v11 = 0xFFFFFFFF;
for ( i = 0; i < flag_len; ++i )
  v11 = magic_arr[(unsigned __int8)(v11 ^ flag[i])] ^ (v11 >> 8);
res = ~v11;
printf(
  "%s\n 而你,作为一个操控韩立的人,千万不要让韩立 GAME OVER 了.\n现在,输入你的操作ID吧:",
  asc_7E55C0);
scanf("%s", flag);
printf("\n现在,你就是韩立,韩立就是你,如遇绝境,吼:男人至死是少年!");
flag[41] = 0;                                 // allocation == 42
flag_len = strlen(flag);
v5 = 0;
v38 = flag_len;
v6 = flag_len;
last_rnd_v10 = 0;
if ( flag_len )
{
  v7 = flag;
  do
  {
    v5 ^= *v7;
    --v6;                                     // length decreaser
    ++v7;                                     // input increaser
    v8 = 8;
    do
    {
      v9 = 2 * v5;
      v10 = v9 ^ 7;                           // xor(v9, 0b111) seems not executable?
      if ( v9 >= 0 )
        v10 = v9;
      v5 = v10;
      --v8;
    }
    while ( v8 );                             // 8 rounds
  }
  while ( v6 );
  flag_len = v38;
  last_rnd_v10 = v10;
}
assign_magic_arr();
v11 = 0xFFFFFFFF;
for ( i = 0; i < flag_len; ++i )
  v11 = magic_arr[(unsigned __int8)(v11 ^ flag[i])] ^ (v11 >> 8);
res = ~v11;
convert_base(flag, flag_len);
v13 = last_rnd_v10;
v36 = 1;
v35 = last_rnd_v10 + 1;
v14 = v35;
do
{
  v15 = v13;
  for ( j = 1; j < 200; ++j )
  {
    if ( (v15 & 1) != 0 )                     // odd
      v15 = 3 * v15 + 1;
    else                                      // even
      v15 >>= 1;
    v33[j] = v15;
  }
  ++v13;
}
while ( v13 < v14 );
v17 = v33[198] | v33[197] | v33[196];
v18 = v38;
if ( v17 != (flag[2] ^ flag[1] ^ flag[0]) )   // 前三位可爆
convert_base(flag, flag_len);
v13 = last_rnd_v10;
v36 = 1;
v35 = last_rnd_v10 + 1;
v14 = v35;
do
{
  v15 = v13;
  for ( j = 1; j < 200; ++j )
  {
    if ( (v15 & 1) != 0 )                     // odd
      v15 = 3 * v15 + 1;
    else                                      // even
      v15 >>= 1;
    v33[j] = v15;
  }
  ++v13;
}
while ( v13 < v14 );
v17 = v33[198] | v33[197] | v33[196];
v18 = v38;
if ( v17 != (flag[2] ^ flag[1] ^ flag[0]) )   // 前三位可爆
v21 = 0;
  v38 = 0;
  if ( v19 > 0 )
  {
    v22 = 1;
    do
    {
      v23 = flag[v22 + 6] + 10 * v37;
      v24 = v23 - 0x37373737;                   // '7777'
      if ( v23 <= 0x4B435445 )                  // 'KCTE'
        v24 = v23;
      v37 = v24;
      if ( v24 % v36 )
        goto LABEL_50;
      v21 = v38 + 1;
      v22 = v36 + 1;
      v38 = v21;
      ++v36;
    }
    while ( v21 < v19 );
  }
 
......
 
  v25 = v19 - 1;
  if ( v19 - 1 > 0 )                            // bubble sort
  {
    v26 = v19 - 1;
    do
    {
      v27 = 0;
      if ( v25 > 0 )
      {
        do
        {
          v28 = flag[v27 + 7];
          v29 = flag[v27 + 8];
          if ( v28 > v29 )
          {
            flag[v27 + 7] = v29;
            flag[v27 + 8] = v28;
          }
          ++v27;
        }
        while ( v27 < v25 );
        no_0 = 0;
      }
      --v25;
      --v26;
    }
    while ( v26 );
  }
  convert_base(charset, v19);
  v30 = 0;
  if ( v19 > 0 )
  {
    while ( charset[v30] == flag[v30 + 7] )     // v19 = 9
    {
      if ( ++v30 >= v19 )
        goto LABEL_41;
    }
    goto LABEL_49;
  }
v21 = 0;
  v38 = 0;
  if ( v19 > 0 )
  {
    v22 = 1;
    do
    {
      v23 = flag[v22 + 6] + 10 * v37;
      v24 = v23 - 0x37373737;                   // '7777'
      if ( v23 <= 0x4B435445 )                  // 'KCTE'
        v24 = v23;
      v37 = v24;
      if ( v24 % v36 )
        goto LABEL_50;
      v21 = v38 + 1;
      v22 = v36 + 1;
      v38 = v21;
      ++v36;
    }
    while ( v21 < v19 );
  }
 
......
 
  v25 = v19 - 1;
  if ( v19 - 1 > 0 )                            // bubble sort
  {
    v26 = v19 - 1;
    do
    {
      v27 = 0;
      if ( v25 > 0 )
      {
        do
        {
          v28 = flag[v27 + 7];
          v29 = flag[v27 + 8];
          if ( v28 > v29 )

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-5-15 13:48 被trackL编辑 ,原因:
收藏
免费 3
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//