-
-
[原创]看雪 2022·KCTF 秋季赛 > 第六题 病疫先兆 by 心学
-
发表于: 2022-11-28 23:05 11159
-
工具:IDA、Python
代码错误时:输出error
程序逻辑结构清晰:v14 表示前后两个 5 位数字分别作为种子后,连续 rand() 的输出与内置表逐项相等;v13 表示中间四个字符为 KCTF;只有通过 if ( v14 && v13 ) 之后,才判定正确。
构造序列号为:XXXXXKCTFYYYYY(共 14 个字符,对应 sub_B91000(inputSN) != 0xE 这一处推测为长度检查的判断)。
直接采取爆破的方式,分别获取前后的5个数字字符。每一段只有 5 个字符经 atoi 转为种子,候选空间约 10^5,可离线秒级穷举。
5位数值依次传给种子,逐个生成,并与内置数值比较,成功即记录并退出循环。
C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
C:\Users\surface>
C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
C:\Users\surface>
/*
 * CrackMe entry point (IDA pseudocode, MSVC x86).
 *
 * Reads a serial from stdin and prints "success : <serial>" only when all of
 * the following hold; otherwise it prints "error":
 *   - sub_B91000(inputSN) returns 0xE (14) -- presumably a length check that
 *     matches the XXXXXKCTFYYYYY layout; confirm in the disassembly
 *   - bytes 5..8 of the serial are 'K','C','T','F' (v13)
 *   - srand(atoi(bytes 0..4)) followed by consecutive rand() calls reproduces
 *     every int stored from dword_B9F000 up to dword_B9F050, and
 *     srand(atoi(bytes 9..13)) likewise reproduces dword_B9F050 up to
 *     dword_B9F0A0 (v14)
 *
 * Security note: each seed is atoi() of at most five characters, so each half
 * has roughly 10^5 candidate seeds (0..99999, or a sign plus four digits) --
 * trivially brute-forced offline against the stored tables.
 * Returns 0 in every case; argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int preValue; // eax -- atoi() of serial chars 0..4
  unsigned int preValueCopy; // ebx -- same value, passed to srand()
  int sufValue; // eax -- atoi() of serial chars 9..13
  unsigned int sufValueCopy; // edi -- same value, passed to srand()
  int *v7; // esi -- cursor over the first expected-rand() table
  int *v8; // esi -- cursor over the second expected-rand() table
  char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF -- raw serial from stdin
  char sufStr[8]; // [esp+84h] [ebp-20h] BYREF -- NUL-terminated copy of chars 9..13
  char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF -- NUL-terminated copy of chars 0..4
  int v13; // [esp+94h] [ebp-10h] -- 1 iff chars 5..8 are "KCTF"
  int v14; // [esp+98h] [ebp-Ch] -- 1 iff both rand() tables matched in full
  int v15; // [esp+9Ch] [ebp-8h] -- chars 5..8 loaded as one little-endian dword

  memset(inputSN, 0, sizeof(inputSN));
  printf("please input :\n");
  /* NOTE(review): scanf_s("%s") normally takes a buffer-size argument and none
   * is shown here. Either the decompiler dropped it or the read is effectively
   * unbounded into the 128-byte buffer -- confirm in the disassembly before
   * relying on any length limit at this point. */
  scanf_s("%s", inputSN);
  /* Anything whose sub_B91000() result is not 0xE = 14 is rejected outright. */
  if ( sub_B91000(inputSN) != 0xE )
    goto LABEL_19;
  /* Copy chars 0..4 into preStr (one dword copy plus one byte) and terminate
   * at [5]. atoi() does no validation: leading whitespace or a sign is also
   * accepted, which slightly widens the seed space beyond 0..99999. */
  preStr[5] = 0;
  *(_DWORD *)preStr = *(_DWORD *)inputSN;
  preStr[4] = inputSN[4];
  preValue = atoi(preStr);
  /* Chars 5..8 are checked byte-wise against "KCTF" at LABEL_12. */
  v15 = *(_DWORD *)&inputSN[5];
  /* Copy chars 9..13 into sufStr the same way. */
  sufStr[5] = 0;
  *(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];
  preValueCopy = preValue;
  sufStr[4] = inputSN[0xD];
  sufValue = atoi(sufStr);
  v13 = 0;
  sufValueCopy = sufValue;
  v14 = 1; // must still be 1 at the final check; any table mismatch clears it
  /* First half: the PRNG seeded with the leading number must reproduce each
   * int from dword_B9F000 up to (excluding) dword_B9F050, in order. */
  srand(preValueCopy);
  v7 = dword_B9F000;
  while ( rand() == *v7 ) // each successive rand() must equal the next table entry
  {
    /* Reached the end of the table without a mismatch: skip the v14 = 0 below.
     * The decompiler prints this bound as the value of dword_B9F050 but the
     * second loop's bound as the address of dword_B9F0A0; both are presumably
     * end-of-array addresses (IDA array vs. scalar typing) -- verify. */
    if ( (int)++v7 >= (int)dword_B9F050 )
      goto LABEL_7;
  }
  v14 = 0; // fell out of the loop on a mismatch: the serial is wrong
LABEL_7:
  /* Second half: same check with the trailing number against the table from
   * dword_B9F050 up to (excluding) dword_B9F0A0. */
  srand(sufValueCopy);
  v8 = dword_B9F050;
  while ( rand() == *v8 ) // each successive rand() must equal the next table entry
  {
    if ( (int)++v8 >= (int)&dword_B9F0A0 )
      goto LABEL_12; // whole table matched: keep v14 as it is
  }
  v14 = 0; // fell out of the loop on a mismatch: the serial is wrong
LABEL_12:
  /* v15 holds chars 5..8 little-endian: byte 0 == 'K', bytes 1..2 == "CT"
   * (the multi-char constant 'TC' read as a little-endian word), byte 3 == 'F'. */
  if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )
    v13 = 1;
  if ( v14 && v13 )
  {
    printf("success : %s\n", inputSN);
    system("pause");
  }
  else
  {
LABEL_19:
    printf("error\n");
    system("pause");
  }
  return 0;
}
/*
 * CrackMe entry point (IDA pseudocode, MSVC x86).
 *
 * Reads a serial from stdin and prints "success : <serial>" only when all of
 * the following hold; otherwise it prints "error":
 *   - sub_B91000(inputSN) returns 0xE (14) -- presumably a length check that
 *     matches the XXXXXKCTFYYYYY layout; confirm in the disassembly
 *   - bytes 5..8 of the serial are 'K','C','T','F' (v13)
 *   - srand(atoi(bytes 0..4)) followed by consecutive rand() calls reproduces
 *     every int stored from dword_B9F000 up to dword_B9F050, and
 *     srand(atoi(bytes 9..13)) likewise reproduces dword_B9F050 up to
 *     dword_B9F0A0 (v14)
 *
 * Security note: each seed is atoi() of at most five characters, so each half
 * has roughly 10^5 candidate seeds (0..99999, or a sign plus four digits) --
 * trivially brute-forced offline against the stored tables.
 * Returns 0 in every case; argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int preValue; // eax -- atoi() of serial chars 0..4
  unsigned int preValueCopy; // ebx -- same value, passed to srand()
  int sufValue; // eax -- atoi() of serial chars 9..13
  unsigned int sufValueCopy; // edi -- same value, passed to srand()
  int *v7; // esi -- cursor over the first expected-rand() table
  int *v8; // esi -- cursor over the second expected-rand() table
  char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF -- raw serial from stdin
  char sufStr[8]; // [esp+84h] [ebp-20h] BYREF -- NUL-terminated copy of chars 9..13
  char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF -- NUL-terminated copy of chars 0..4
  int v13; // [esp+94h] [ebp-10h] -- 1 iff chars 5..8 are "KCTF"
  int v14; // [esp+98h] [ebp-Ch] -- 1 iff both rand() tables matched in full
  int v15; // [esp+9Ch] [ebp-8h] -- chars 5..8 loaded as one little-endian dword

  memset(inputSN, 0, sizeof(inputSN));
  printf("please input :\n");
  /* NOTE(review): scanf_s("%s") normally takes a buffer-size argument and none
   * is shown here. Either the decompiler dropped it or the read is effectively
   * unbounded into the 128-byte buffer -- confirm in the disassembly before
   * relying on any length limit at this point. */
  scanf_s("%s", inputSN);
  /* Anything whose sub_B91000() result is not 0xE = 14 is rejected outright. */
  if ( sub_B91000(inputSN) != 0xE )
    goto LABEL_19;
  /* Copy chars 0..4 into preStr (one dword copy plus one byte) and terminate
   * at [5]. atoi() does no validation: leading whitespace or a sign is also
   * accepted, which slightly widens the seed space beyond 0..99999. */
  preStr[5] = 0;
  *(_DWORD *)preStr = *(_DWORD *)inputSN;
  preStr[4] = inputSN[4];
  preValue = atoi(preStr);
  /* Chars 5..8 are checked byte-wise against "KCTF" at LABEL_12. */
  v15 = *(_DWORD *)&inputSN[5];
  /* Copy chars 9..13 into sufStr the same way. */
  sufStr[5] = 0;
  *(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];
  preValueCopy = preValue;
  sufStr[4] = inputSN[0xD];
  sufValue = atoi(sufStr);
  v13 = 0;
  sufValueCopy = sufValue;
  v14 = 1; // must still be 1 at the final check; any table mismatch clears it
  /* First half: the PRNG seeded with the leading number must reproduce each
   * int from dword_B9F000 up to (excluding) dword_B9F050, in order. */
  srand(preValueCopy);
  v7 = dword_B9F000;
  while ( rand() == *v7 ) // each successive rand() must equal the next table entry
  {
    /* Reached the end of the table without a mismatch: skip the v14 = 0 below.
     * The decompiler prints this bound as the value of dword_B9F050 but the
     * second loop's bound as the address of dword_B9F0A0; both are presumably
     * end-of-array addresses (IDA array vs. scalar typing) -- verify. */
    if ( (int)++v7 >= (int)dword_B9F050 )
      goto LABEL_7;
  }
  v14 = 0; // fell out of the loop on a mismatch: the serial is wrong
LABEL_7:
  /* Second half: same check with the trailing number against the table from
   * dword_B9F050 up to (excluding) dword_B9F0A0. */
  srand(sufValueCopy);
  v8 = dword_B9F050;
  while ( rand() == *v8 ) // each successive rand() must equal the next table entry
  {
    if ( (int)++v8 >= (int)&dword_B9F0A0 )
      goto LABEL_12; // whole table matched: keep v14 as it is
  }
  v14 = 0; // fell out of the loop on a mismatch: the serial is wrong
LABEL_12:
  /* v15 holds chars 5..8 little-endian: byte 0 == 'K', bytes 1..2 == "CT"
   * (the multi-char constant 'TC' read as a little-endian word), byte 3 == 'F'. */
  if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )
    v13 = 1;
  if ( v14 && v13 )
  {
    printf("success : %s\n", inputSN);
    system("pause");
  }
  else
  {
LABEL_19:
    printf("error\n");
    system("pause");
  }
  return 0;
}
/*
 * CRT srand() as recovered by the decompiler: stores the 32-bit seed verbatim
 * into the per-thread data block (_getptd()) at offset 0x14 -- the same word
 * that rand() below reads and advances. No mixing is applied, so the rand()
 * sequence is a pure function of the value main() passes in (atoi() of at
 * most five characters, i.e. a very small search space).
 * Seed: the new generator state. Returns nothing.
 */
void __cdecl srand(unsigned int Seed)
{
  *(_DWORD *)(_getptd() + 0x14) = Seed;
}
/*
 * CRT srand() as recovered by the decompiler: stores the 32-bit seed verbatim
 * into the per-thread data block (_getptd()) at offset 0x14 -- the same word
 * that rand() below reads and advances. No mixing is applied, so the rand()
 * sequence is a pure function of the value main() passes in (atoi() of at
 * most five characters, i.e. a very small search space).
 * Seed: the new generator state. Returns nothing.
 */
void __cdecl srand(unsigned int Seed)
{
  *(_DWORD *)(_getptd() + 0x14) = Seed;
}
/*
 * CRT rand() as recovered by the decompiler: a 32-bit linear congruential
 * generator over the per-thread state at _getptd()+0x14,
 *   state = state * 0x343FD + 0x269EC3   (unsigned, wraps mod 2^32)
 * returning the upper 16 bits of the new state masked to 15 bits. These are
 * the constants commonly attributed to the MSVC CRT rand(), so the sequence
 * for any seed can be reproduced offline without running the binary -- which
 * is what makes the brute force in main() straightforward.
 * Returns the next value in 0..0x7FFF.
 */
int __cdecl rand()
{
  int v0; // ecx -- per-thread data block
  unsigned int v1; // eax -- new generator state

  v0 = _getptd();
  v1 = 0x343FD * *(_DWORD *)(v0 + 0x14) + 0x269EC3;
  *(_DWORD *)(v0 + 0x14) = v1;
  return HIWORD(v1) & 0x7FFF; // upper 16 bits of the state, top bit cleared
}
/*
 * CRT rand() as recovered by the decompiler: a 32-bit linear congruential
 * generator over the per-thread state at _getptd()+0x14,
 *   state = state * 0x343FD + 0x269EC3   (unsigned, wraps mod 2^32)
 * returning the upper 16 bits of the new state masked to 15 bits. These are
 * the constants commonly attributed to the MSVC CRT rand(), so the sequence
 * for any seed can be reproduced offline without running the binary -- which
 * is what makes the brute force in main() straightforward.
 * Returns the next value in 0..0x7FFF.
 */
int __cdecl rand()
{
  int v0; // ecx -- per-thread data block
  unsigned int v1; // eax -- new generator state

  v0 = _getptd();
  v1 = 0x343FD * *(_DWORD *)(v0 + 0x14) + 0x269EC3;
  *(_DWORD *)(v0 + 0x14) = v1;
  return HIWORD(v1) & 0x7FFF; // upper 16 bits of the state, top bit cleared
}
if
( sub_B91000(inputSN) !
=
0xE
)
if
( sub_B91000(inputSN) !
=
0xE
)
/* Extract the first five characters of the serial into preStr as a
 * NUL-terminated string: one 4-byte copy, one byte copy, terminator at [5].
 * atoi() then yields the seed for the first rand() table check. atoi() does
 * no validation and tolerates leading whitespace or a sign, so the accepted
 * seed space is roughly 10^5 values -- small enough to enumerate. */
preStr[5] = 0;
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);
/* Extract the first five characters of the serial into preStr as a
 * NUL-terminated string: one 4-byte copy, one byte copy, terminator at [5].
 * atoi() then yields the seed for the first rand() table check. atoi() does
 * no validation and tolerates leading whitespace or a sign, so the accepted
 * seed space is roughly 10^5 values -- small enough to enumerate. */
preStr[5] = 0;
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);