-
-
[原创]2022KCTF春季赛-第七题-一触即发-Writeup
-
发表于: 2022-5-23 14:06 8783
-
1、定位到逻辑在fmt_Fprintln_0中(0xF932E0)
分析逻辑
2、把代码扒下来
3、直接爆破7位数字(每位取0~9,共10^7种组合,逐个代入校验函数)
flag : 4224131
代码如下
#include <windows.h>
#include <iostream>
// {3,1,1,3,2,3,4,4,2};
#define _QWORD unsigned long long

// Fixed operands of the key check. func1 adds these nine values to the
// candidate digits; they are listed here in the order 1..9.
_QWORD arr_1111111 = 3;
_QWORD arr_2222222 = 1;
_QWORD arr_3333333 = 1;
_QWORD arr_4444444 = 3;
_QWORD arr_5555555 = 2;
_QWORD arr_6666666 = 3;
_QWORD arr_7777777 = 4;
_QWORD arr_8888888 = 4;
_QWORD arr_9999999 = 2;
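// Key check transcribed from the decompiled routine (the write-up locates the
// logic at fmt_Fprintln_0, 0xF932E0).
//
// Reads the seven candidate values arr[0]..arr[6] and adds them, four terms at
// a time, to the file-level constants arr_1111111..arr_9999999. The key is
// accepted only when all twelve sums equal 0xA.
//
// arr:     pointer to at least seven values; only indices 0..6 are read.
// returns: true when every sum equals 0xA, false otherwise.
//
// The arithmetic is unsigned, so a sum of very large inputs wraps instead of
// overflowing. Every check is a plain sum against a constant: the accepted key
// follows from the embedded constants alone, and nothing in this routine
// depends on a value held outside the binary.
bool func1(unsigned long long* arr)
{
    const unsigned long long key_1 = arr[0];
    const unsigned long long key_2 = arr[1];
    const unsigned long long key_3 = arr[2];
    const unsigned long long key_4 = arr[3];
    const unsigned long long key_5 = arr[4];
    const unsigned long long key_6 = arr[5];
    const unsigned long long key_7 = arr[6];

    // The twelve sums, in the order the decompiled code tested them. Standard
    // unsigned types replace the compiler-specific __int64 temporaries, and the
    // locals the decompiler emitted but never read are gone.
    const unsigned long long sums[] = {
        key_2 + arr_2222222 + arr_1111111 + key_1,
        arr_4444444 + key_4 + key_3 + arr_3333333,
        arr_7777777 + arr_6666666 + key_5 + arr_5555555,
        key_7 + arr_9999999 + arr_8888888 + key_6,
        key_6 + arr_5555555 + arr_3333333 + key_1,
        arr_8888888 + key_5 + key_3 + arr_1111111,
        arr_9999999 + arr_6666666 + key_4 + arr_2222222,
        key_7 + arr_7777777 + arr_4444444 + key_2,
        key_3 + (arr_1111111 + key_1) + arr_3333333,
        arr_4444444 + key_4 + arr_2222222 + key_2,
        arr_8888888 + key_6 + key_5 + arr_5555555,
        key_7 + arr_9999999 + arr_7777777 + arr_6666666,
    };

    // The sums have no side effects, so stopping at the first mismatch gives
    // the same verdict as evaluating all twelve.
    for (const unsigned long long sum : sums)
    {
        if (sum != 0xA)
            return false;
    }
    return true;
}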
// Exhaustive search driver: tries every seven-digit decimal key from 0000000
// to 9999999 in ascending order and prints each one func1 accepts.
int main()
{
    // 10^7 candidates; arr[0] is the most significant digit, so counting
    // upwards visits keys in the same order as seven nested 0..9 loops.
    for (unsigned long long candidate = 0; candidate < 10000000ULL; ++candidate)
    {
        unsigned long long arr[7] = { 0 };

        // Split the counter into its seven decimal digits, last digit first.
        unsigned long long rest = candidate;
        for (int pos = 6; pos >= 0; --pos)
        {
            arr[pos] = rest % 10;
            rest /= 10;
        }

        if (!func1(arr))
            continue;

        // Print the accepted key digit by digit, then end the line.
        for (int pos = 0; pos < 7; ++pos)
            std::cout << arr[pos];
        std::cout << "\n";
    }

    // Keep the console window open until a key is pressed.
    system("pause");
    return 0;
}
#include <windows.h>
#include <iostream>
// {3,1,1,3,2,3,4,4,2};
#define _QWORD unsigned long long

// Fixed operands of the key check. func1 adds these nine values to the
// candidate digits; they are listed here in the order 1..9.
_QWORD arr_1111111 = 3;
_QWORD arr_2222222 = 1;
_QWORD arr_3333333 = 1;
_QWORD arr_4444444 = 3;
_QWORD arr_5555555 = 2;
_QWORD arr_6666666 = 3;
_QWORD arr_7777777 = 4;
_QWORD arr_8888888 = 4;
_QWORD arr_9999999 = 2;
bool
func1(unsigned
long
long
*
arr)
{
unsigned
long
long
key_1
=
arr[
0
];
unsigned
long
long
key_2
=
arr[
1
];
unsigned
long
long
key_3
=
arr[
2
];
unsigned
long
long
key_4
=
arr[
3
];
unsigned
long
long
key_5
=
arr[
4
];
unsigned
long
long
key_6
=
arr[
5
];
unsigned
long
long
key_7
=
arr[
6
];
int
v13;
/
/
edi
__int64 v14;
/
/
r8
__int64 result;
/
/
ra
__int64 v58;
/
/
[rsp
+
80h
] [rbp
-
58h
] BYREF
__int64 v59;
/
/
[rsp
+
88h
] [rbp
-
50h
]
bool
v12;
/
/
rsi
v59
=
arr_1111111
+
key_1;
v58
=
key_2;
v12
=
key_2
+
arr_2222222
+
arr_1111111
+
key_1
=
=
0xA
;
if
(arr_4444444
+
key_4
+
key_3
+
arr_3333333 !
=
0xA
)
v12
=
0LL
;
if
(arr_7777777
+
arr_6666666
+
key_5
+
arr_5555555 !
=
0xA
)
v12
=
0LL
;
v13
=
arr_8888888;
if
(key_7
+
arr_9999999
+
arr_8888888
+
key_6 !
=
0xA
)
v12
=
0LL
;
if
(key_6
+
arr_5555555
+
arr_3333333
+
key_1 !
=
0xA
)
v12
=
0LL
;
if
(arr_8888888
+
key_5
+
key_3
+
arr_1111111 !
=
0xA
)
v12
=
0LL
;
if
(arr_9999999
+
arr_6666666
+
key_4
+
arr_2222222 !
=
0xA
)
v12
=
0LL
;
if
(key_7
+
arr_7777777
+
arr_4444444
+
v58 !
=
0xA
)
v12
=
0LL
;
最后于 2022-5-23 14:08
被wx_孤城编辑
,原因: