-
-
[原创]看雪 2022·KCTF 秋季赛 > 第六题 病疫先兆
-
2022-11-28 22:18
-
1、直接F5,结合调试知道输入的格式为{前5位校验码+4位用户名+后5位校验码),总共是14位字符。
2、rand()是关键,跟进去看下rand的实现。
前面跟下srand函数,函数2020C1返回值+0X14的初始值是由srand传入的,就是输入的前5位校验码字符串转换后的数字。
3、把约束条件扣出来,解出前5位和后5位校验码的代码如下。
#include <iostream>
unsigned int hehe(unsigned int seed)
{
return (seed * 0x343FD + 0x269ec3);
}
int main()
{
unsigned long a[20] = { 0x3BFC, 0x2173, 0x25BB, 0x380B, 0x2C13, 0x75BE, 0x7366, 0x46A3,
0x13C1, 0x159B, 0x5B5F, 0x534F, 0x4E37, 0x3A04, 0x1301, 0x5D0C,
0x4155, 0x48E9, 0x61D2, 0x6158 };
1 | unsigned long b[20] = { 0x2BB6,0x6B5A,0x3D4,0x152B,0x6E04,0x254C,0x40AE,0x56CA, |
0x17E1,0x55C7,0x3641,0x2D3C,0x0A41,0x4BC5,0x6233,0x1FE7,
0x6E05,0x0F6E,0x6398,0x6AD7 };
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | unsigned int seed, i;for (seed = 10000; seed < 0xffffffff; seed++){ unsigned key = seed; for (i = 0; i < 20; i++) { key = hehe(key); if (((key >> 16)&0x7fff) == b[i]) { continue; } else { break; } } if (i == 20) { std::cout << seed; break; }}std::cout << "Hello World!\n"; |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
|
|
|---|---|
