首页
社区
课程
招聘
[原创]2022KCTF春季赛-第七题-一触即发-Writeup
发表于: 2022-5-23 14:06 8783

[原创]2022KCTF春季赛-第七题-一触即发-Writeup

2022-5-23 14:06
8783

1、定位到逻辑在fmt_Fprintln_0中(0xF932E0)
分析逻辑

2、把代码扒下来

3、直接爆破7位数字

flag : 4224131

代码如下

 
 
 
 
#include <windows.h>
#include <iostream>
 
 
//{ 3, 1, 1, 3, 2, 3, 4, 4, 2 };
#define _QWORD unsigned long long
 
unsigned long long arr_1111111 = 3;
unsigned long long arr_2222222 = 1;
unsigned long long arr_3333333 = 1;
unsigned long long arr_4444444 = 3;
unsigned long long arr_5555555 = 2;
unsigned long long arr_6666666 = 3;
unsigned long long arr_7777777 = 4;
unsigned long long arr_8888888 = 4;
unsigned long long arr_9999999 = 2;
 
bool func1(unsigned long long *arr)
{
    unsigned long long key_1 = arr[0];
    unsigned long long key_2 = arr[1];
    unsigned long long key_3 = arr[2];
    unsigned long long key_4 = arr[3];
    unsigned long long key_5 = arr[4];
    unsigned long long key_6 = arr[5];
    unsigned long long key_7 = arr[6];
 
    int v13; // edi
    __int64 v14; // r8
    __int64 result; // ra
    __int64 v58; // [rsp+80h] [rbp-58h] BYREF
    __int64 v59; // [rsp+88h] [rbp-50h]
    bool v12; // rsi
 
    v59 = arr_1111111 + key_1;
    v58 = key_2;
    v12 = key_2 + arr_2222222 + arr_1111111 + key_1 == 0xA;
    if (arr_4444444 + key_4 + key_3 + arr_3333333 != 0xA)
        v12 = 0LL;
    if (arr_7777777 + arr_6666666 + key_5 + arr_5555555 != 0xA)
        v12 = 0LL;
    v13 = arr_8888888;
    if (key_7 + arr_9999999 + arr_8888888 + key_6 != 0xA)
        v12 = 0LL;
    if (key_6 + arr_5555555 + arr_3333333 + key_1 != 0xA)
        v12 = 0LL;
    if (arr_8888888 + key_5 + key_3 + arr_1111111 != 0xA)
        v12 = 0LL;
    if (arr_9999999 + arr_6666666 + key_4 + arr_2222222 != 0xA)
        v12 = 0LL;
    if (key_7 + arr_7777777 + arr_4444444 + v58 != 0xA)
        v12 = 0LL;
    v14 = key_3 + v59 + arr_3333333;
    if (v14 != 0xA)
        v12 = 0LL;
    if (arr_4444444 + key_4 + arr_2222222 + v58 != 0xA)
        v12 = 0LL;
    if (arr_8888888 + key_6 + key_5 + arr_5555555 != 0xA)
        v12 = 0LL;
    result = key_7 + arr_9999999 + arr_7777777 + arr_6666666;
    if (result != 0xA)
        v12 = 0LL;
 
    return v12;
}
 
int main()
{
    unsigned long long text[] = { 0,1,2,3,4,5,6,7,8,9 };
 
    unsigned long long arr[7] = { 0 };
    for (int i1 = 0; i1 < _countof(text); i1++)
    {
        arr[0] = text[i1];
        for (int i2 = 0; i2 < _countof(text); i2++)
        {
            arr[1] = text[i2];
            for (int i3 = 0; i3 < _countof(text); i3++)
            {
                arr[2] = text[i3];
                for (int i4 = 0; i4 < _countof(text); i4++)
                {
                    arr[3] = text[i4];
                    for (int i5 = 0; i5 < _countof(text); i5++)
                    {
                        arr[4] = text[i5];
                        for (int i6 = 0; i6 < _countof(text); i6++)
                        {
                            arr[5] = text[i6];
                            for (int i7 = 0; i7 < _countof(text); i7++)
                            {
                                arr[6] = text[i7];
                                if (func1(arr))
                                {
                                    std::cout << arr[0];
                                    std::cout << arr[1];
                                    std::cout << arr[2];
                                    std::cout << arr[3];
                                    std::cout << arr[4];
                                    std::cout << arr[5];
                                    std::cout << arr[6];
                                    std::cout << "\n";
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    system("pause");
    return 0;
}
#include <windows.h>
#include <iostream>
 
 
//{ 3, 1, 1, 3, 2, 3, 4, 4, 2 };
#define _QWORD unsigned long long
 
unsigned long long arr_1111111 = 3;
unsigned long long arr_2222222 = 1;
unsigned long long arr_3333333 = 1;
unsigned long long arr_4444444 = 3;
unsigned long long arr_5555555 = 2;
unsigned long long arr_6666666 = 3;
unsigned long long arr_7777777 = 4;
unsigned long long arr_8888888 = 4;
unsigned long long arr_9999999 = 2;
 
bool func1(unsigned long long *arr)
{
    unsigned long long key_1 = arr[0];
    unsigned long long key_2 = arr[1];
    unsigned long long key_3 = arr[2];
    unsigned long long key_4 = arr[3];
    unsigned long long key_5 = arr[4];
    unsigned long long key_6 = arr[5];
    unsigned long long key_7 = arr[6];
 
    int v13; // edi
    __int64 v14; // r8
    __int64 result; // ra
    __int64 v58; // [rsp+80h] [rbp-58h] BYREF
    __int64 v59; // [rsp+88h] [rbp-50h]
    bool v12; // rsi
 
    v59 = arr_1111111 + key_1;
    v58 = key_2;
    v12 = key_2 + arr_2222222 + arr_1111111 + key_1 == 0xA;
    if (arr_4444444 + key_4 + key_3 + arr_3333333 != 0xA)
        v12 = 0LL;
    if (arr_7777777 + arr_6666666 + key_5 + arr_5555555 != 0xA)
        v12 = 0LL;
    v13 = arr_8888888;
    if (key_7 + arr_9999999 + arr_8888888 + key_6 != 0xA)
        v12 = 0LL;
    if (key_6 + arr_5555555 + arr_3333333 + key_1 != 0xA)
        v12 = 0LL;
    if (arr_8888888 + key_5 + key_3 + arr_1111111 != 0xA)
        v12 = 0LL;
    if (arr_9999999 + arr_6666666 + key_4 + arr_2222222 != 0xA)
        v12 = 0LL;
    if (key_7 + arr_7777777 + arr_4444444 + v58 != 0xA)
        v12 = 0LL;

[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

最后于 2022-5-23 14:08 被wx_孤城编辑 ,原因:
收藏
免费 3
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//