[原创]2022KCTF春季赛-第七题-一触即发-Writeup-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]2022KCTF春季赛-第七题-一触即发-Writeup

发表于: 2022-5-23 14:06 8772

[原创]2022KCTF春季赛-第七题-一触即发-Writeup

wx_孤城

2022-5-23 14:06

8772

1、定位到逻辑在fmt_Fprintln_0中(0xF932E0)
分析逻辑

2、把代码扒下来

3、直接爆破7位数字

flag : 4224131

代码如下

#include <windows.h>
#include <iostream>
 
//{ 3, 1, 1, 3, 2, 3, 4, 4, 2 };
#define _QWORD unsigned long long
 
unsigned long long arr_1111111 = 3;

unsigned long long arr_2222222 = 1;

unsigned long long arr_3333333 = 1;

unsigned long long arr_4444444 = 3;

unsigned long long arr_5555555 = 2;

unsigned long long arr_6666666 = 3;

unsigned long long arr_7777777 = 4;

unsigned long long arr_8888888 = 4;

unsigned long long arr_9999999 = 2;
 
bool func1(unsigned long long *arr)
{

    unsigned long long key_1 = arr[0];

    unsigned long long key_2 = arr[1];

    unsigned long long key_3 = arr[2];

    unsigned long long key_4 = arr[3];

    unsigned long long key_5 = arr[4];

    unsigned long long key_6 = arr[5];

    unsigned long long key_7 = arr[6];
 
    int v13; // edi

    __int64 v14; // r8

    __int64 result; // ra

    __int64 v58; // [rsp+80h] [rbp-58h] BYREF

    __int64 v59; // [rsp+88h] [rbp-50h]

    bool v12; // rsi
 
    v59 = arr_1111111 + key_1;

    v58 = key_2;

    v12 = key_2 + arr_2222222 + arr_1111111 + key_1 == 0xA;

    if (arr_4444444 + key_4 + key_3 + arr_3333333 != 0xA)

        v12 = 0LL;

    if (arr_7777777 + arr_6666666 + key_5 + arr_5555555 != 0xA)

        v12 = 0LL;

    v13 = arr_8888888;

    if (key_7 + arr_9999999 + arr_8888888 + key_6 != 0xA)

        v12 = 0LL;

    if (key_6 + arr_5555555 + arr_3333333 + key_1 != 0xA)

        v12 = 0LL;

    if (arr_8888888 + key_5 + key_3 + arr_1111111 != 0xA)

        v12 = 0LL;

    if (arr_9999999 + arr_6666666 + key_4 + arr_2222222 != 0xA)

        v12 = 0LL;

    if (key_7 + arr_7777777 + arr_4444444 + v58 != 0xA)

        v12 = 0LL;

    v14 = key_3 + v59 + arr_3333333;

    if (v14 != 0xA)

        v12 = 0LL;

    if (arr_4444444 + key_4 + arr_2222222 + v58 != 0xA)

        v12 = 0LL;

    if (arr_8888888 + key_6 + key_5 + arr_5555555 != 0xA)

        v12 = 0LL;

    result = key_7 + arr_9999999 + arr_7777777 + arr_6666666;

    if (result != 0xA)

        v12 = 0LL;
 
    return v12;
}
 
int main()
{

    unsigned long long text[] = { 0,1,2,3,4,5,6,7,8,9 };
 
    unsigned long long arr[7] = { 0 };

    for (int i1 = 0; i1 < _countof(text); i1++)

    {

        arr[0] = text[i1];

        for (int i2 = 0; i2 < _countof(text); i2++)

        {

            arr[1] = text[i2];

            for (int i3 = 0; i3 < _countof(text); i3++)

            {

                arr[2] = text[i3];

                for (int i4 = 0; i4 < _countof(text); i4++)

                {

                    arr[3] = text[i4];

                    for (int i5 = 0; i5 < _countof(text); i5++)

                    {

                        arr[4] = text[i5];

                        for (int i6 = 0; i6 < _countof(text); i6++)

                        {

                            arr[5] = text[i6];

                            for (int i7 = 0; i7 < _countof(text); i7++)

                            {

                                arr[6] = text[i7];

                                if (func1(arr))

                                {

                                    std::cout << arr[0];

                                    std::cout << arr[1];

                                    std::cout << arr[2];

                                    std::cout << arr[3];

                                    std::cout << arr[4];

                                    std::cout << arr[5];

                                    std::cout << arr[6];

                                    std::cout << "\n";

                                }

                            }

                        }

                    }

                }

            }

        }

    }

    system("pause");

    return 0;
}