[原创]看雪 2022·KCTF 秋季赛 > 第六题 病疫先兆 by 心学
发表于: 2022-11-28 23:05 11180

[原创]看雪 2022·KCTF 秋季赛 > 第六题 病疫先兆 by 心学

htg 活跃值
4
2022-11-28 23:05
11180

工具:IDA、Python

代码错误时:输出error

整理后的程序逻辑结构清晰,最终必须通过 if ( v14 && v13 ) 这一判断,序列号才算正确

构造序列号为:XXXXXKCTFYYYYY
直接采取爆破的方式,分别获取前后的5个数字字符。
将每个5位数值依次作为种子传入,逐个生成随机数并与内置数值比较,全部匹配即记录该值并退出循环。

C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
 
C:\Users\surface>
C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
 
C:\Users\surface>
/*
 * Decompiled entry point of the CrackMe (IDA pseudo-C: _DWORD/_WORD/_BYTE,
 * HIBYTE and the "// eax" / "[esp+..]" annotations are decompiler output,
 * not standard C).
 *
 * Reads one whitespace-delimited token into inputSN and prints
 * "success : <input>" only when all of the following hold:
 *   - sub_B91000(inputSN) returns 0xE (presumably a strlen-like helper, so the
 *     serial must be 14 characters -- TODO confirm against the disassembly);
 *   - with srand(atoi(chars 0..4)), consecutive rand() values equal every
 *     entry from dword_B9F000 up to dword_B9F050 (0x50 bytes, i.e. 20 ints
 *     if int is 4 bytes, as the 32-bit register annotations suggest);
 *   - with srand(atoi(chars 9..13)), consecutive rand() values equal every
 *     entry from dword_B9F050 up to dword_B9F0A0;
 *   - chars 5..8 are exactly "KCTF".
 * Otherwise prints "error". Always returns 0; argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int preValue; // eax
  unsigned int preValueCopy; // ebx
  int sufValue; // eax
  unsigned int sufValueCopy; // edi
  int *v7; // esi
  int *v8; // esi
  char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF
  char sufStr[8]; // [esp+84h] [ebp-20h] BYREF
  char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF
  int v13; // [esp+94h] [ebp-10h]  -- set to 1 only if bytes 5..8 spell "KCTF"
  int v14; // [esp+98h] [ebp-Ch]   -- stays 1 only if both rand() tables matched
  int v15; // [esp+9Ch] [ebp-8h]   -- raw copy of inputSN[5..8]

  memset(inputSN, 0, sizeof(inputSN));
  printf("please input :\n");
  // NOTE(review): scanf_s with "%s" normally takes a trailing buffer-size
  // argument and none is visible here; if the binary really passes none, this
  // read into the 128-byte buffer is unbounded -- confirm in the disassembly.
  scanf_s("%s", inputSN);
  if ( sub_B91000(inputSN) != 0xE )
    goto LABEL_19;                              // wrong length: jumps into the else branch below
  preStr[5] = 0;                                // NUL terminator: only 5 bytes are kept
  *(_DWORD *)preStr = *(_DWORD *)inputSN;       // preStr = inputSN[0..3]
  preStr[4] = inputSN[4];                       // ... and byte 4
  preValue = atoi(preStr);                      // seed #1; non-digit text simply yields 0
  v15 = *(_DWORD *)&inputSN[5];                 // raw bytes 5..8, checked at LABEL_12
  sufStr[5] = 0;                                // NUL terminator: only 5 bytes are kept
  *(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];   // sufStr = inputSN[9..12]
  preValueCopy = preValue;
  sufStr[4] = inputSN[0xD];                     // ... and byte 13
  sufValue = atoi(sufStr);                      // seed #2
  v13 = 0;
  sufValueCopy = sufValue;
  v14 = 1;                                      // must still be 1 at the final check
  srand(preValueCopy);
  v7 = dword_B9F000;
  while ( rand() == *v7 )                       // each rand() output must equal the next table entry
  {
    if ( (int)++v7 >= (int)dword_B9F050 )       // whole first table (0x50 bytes) matched:
      goto LABEL_7;                             // leave the loop without reaching v14 = 0
  }
  v14 = 0;                                      // first mismatch -> fail
LABEL_7:
  srand(sufValueCopy);
  v8 = dword_B9F050;
  while ( rand() == *v8 )                       // same scheme for the second table
  {
    if ( (int)++v8 >= (int)&dword_B9F0A0 )      // whole second table (0x50 bytes) matched:
      goto LABEL_12;                            // leave the loop without reaching v14 = 0
  }
  v14 = 0;                                      // first mismatch -> fail
LABEL_12:
  // 'TC' is an MSVC two-character constant (0x5443); read little-endian from
  // the word at offset 1 it means bytes 6,7 == 'C','T'. Together with
  // byte 5 == 'K' and byte 8 == 'F' the middle of the serial must be "KCTF".
  if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )// KCTF
    v13 = 1;
  if ( v14 && v13 )
  {
    printf("success : %s\n", inputSN);
    system("pause");
  }
  else
  {
LABEL_19:
    printf("error\n");
    system("pause");
  }
  return 0;
}
/*
 * Decompiled entry point of the CrackMe (IDA pseudo-C: _DWORD/_WORD/_BYTE,
 * HIBYTE and the "// eax" / "[esp+..]" annotations are decompiler output,
 * not standard C).
 *
 * Reads one whitespace-delimited token into inputSN and prints
 * "success : <input>" only when all of the following hold:
 *   - sub_B91000(inputSN) returns 0xE (presumably a strlen-like helper, so the
 *     serial must be 14 characters -- TODO confirm against the disassembly);
 *   - with srand(atoi(chars 0..4)), consecutive rand() values equal every
 *     entry from dword_B9F000 up to dword_B9F050 (0x50 bytes, i.e. 20 ints
 *     if int is 4 bytes, as the 32-bit register annotations suggest);
 *   - with srand(atoi(chars 9..13)), consecutive rand() values equal every
 *     entry from dword_B9F050 up to dword_B9F0A0;
 *   - chars 5..8 are exactly "KCTF".
 * Otherwise prints "error". Always returns 0; argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int preValue; // eax
  unsigned int preValueCopy; // ebx
  int sufValue; // eax
  unsigned int sufValueCopy; // edi
  int *v7; // esi
  int *v8; // esi
  char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF
  char sufStr[8]; // [esp+84h] [ebp-20h] BYREF
  char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF
  int v13; // [esp+94h] [ebp-10h]  -- set to 1 only if bytes 5..8 spell "KCTF"
  int v14; // [esp+98h] [ebp-Ch]   -- stays 1 only if both rand() tables matched
  int v15; // [esp+9Ch] [ebp-8h]   -- raw copy of inputSN[5..8]

  memset(inputSN, 0, sizeof(inputSN));
  printf("please input :\n");
  // NOTE(review): scanf_s with "%s" normally takes a trailing buffer-size
  // argument and none is visible here; if the binary really passes none, this
  // read into the 128-byte buffer is unbounded -- confirm in the disassembly.
  scanf_s("%s", inputSN);
  if ( sub_B91000(inputSN) != 0xE )
    goto LABEL_19;                              // wrong length: jumps into the else branch below
  preStr[5] = 0;                                // NUL terminator: only 5 bytes are kept
  *(_DWORD *)preStr = *(_DWORD *)inputSN;       // preStr = inputSN[0..3]
  preStr[4] = inputSN[4];                       // ... and byte 4
  preValue = atoi(preStr);                      // seed #1; non-digit text simply yields 0
  v15 = *(_DWORD *)&inputSN[5];                 // raw bytes 5..8, checked at LABEL_12
  sufStr[5] = 0;                                // NUL terminator: only 5 bytes are kept
  *(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];   // sufStr = inputSN[9..12]
  preValueCopy = preValue;
  sufStr[4] = inputSN[0xD];                     // ... and byte 13
  sufValue = atoi(sufStr);                      // seed #2
  v13 = 0;
  sufValueCopy = sufValue;
  v14 = 1;                                      // must still be 1 at the final check
  srand(preValueCopy);
  v7 = dword_B9F000;
  while ( rand() == *v7 )                       // each rand() output must equal the next table entry
  {
    if ( (int)++v7 >= (int)dword_B9F050 )       // whole first table (0x50 bytes) matched:
      goto LABEL_7;                             // leave the loop without reaching v14 = 0
  }
  v14 = 0;                                      // first mismatch -> fail
LABEL_7:
  srand(sufValueCopy);
  v8 = dword_B9F050;
  while ( rand() == *v8 )                       // same scheme for the second table
  {
    if ( (int)++v8 >= (int)&dword_B9F0A0 )      // whole second table (0x50 bytes) matched:
      goto LABEL_12;                            // leave the loop without reaching v14 = 0
  }
  v14 = 0;                                      // first mismatch -> fail
LABEL_12:
  // 'TC' is an MSVC two-character constant (0x5443); read little-endian from
  // the word at offset 1 it means bytes 6,7 == 'C','T'. Together with
  // byte 5 == 'K' and byte 8 == 'F' the middle of the serial must be "KCTF".
  if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )// KCTF
    v13 = 1;
  if ( v14 && v13 )
  {
    printf("success : %s\n", inputSN);
    system("pause");
  }
  else
  {
LABEL_19:
    printf("error\n");
    system("pause");
  }
  return 0;
}
/*
 * Decompiled CRT srand(): stores Seed as the generator state in the
 * per-thread data block (offset 0x14 from _getptd()), the same slot that
 * rand() advances. The effective seed space is therefore only whatever
 * the caller passes -- here the atoi() of 5 serial characters.
 */
void __cdecl srand(unsigned int Seed)
{
  unsigned int *state = (unsigned int *)(_getptd() + 0x14);
  *state = Seed;
}
/*
 * Decompiled CRT srand(): stores Seed as the generator state in the
 * per-thread data block (offset 0x14 from _getptd()), the same slot that
 * rand() advances. The effective seed space is therefore only whatever
 * the caller passes -- here the atoi() of 5 serial characters.
 */
void __cdecl srand(unsigned int Seed)
{
  unsigned int *state = (unsigned int *)(_getptd() + 0x14);
  *state = Seed;
}
/*
 * Decompiled CRT rand(): one step of a 32-bit linear congruential generator
 * whose state lives in the per-thread data block at offset 0x14 (_getptd()
 * is the CRT per-thread-data accessor). Multiplier 0x343FD and increment
 * 0x269EC3 are the MSVC CRT constants, so for a known srand() seed the whole
 * sequence is reproducible outside the binary. Returns bits 16..30 of the
 * new state, i.e. a value in 0..0x7FFF.
 */
int __cdecl rand()
{
  unsigned int *state = (unsigned int *)(_getptd() + 0x14);
  unsigned int next = *state * 0x343FD + 0x269EC3;   // LCG step, wraps mod 2^32
  *state = next;
  return (next >> 16) & 0x7FFF;                      // high word, masked to 15 bits
}
/*
 * Decompiled CRT rand(): one step of a 32-bit linear congruential generator
 * whose state lives in the per-thread data block at offset 0x14 (_getptd()
 * is the CRT per-thread-data accessor). Multiplier 0x343FD and increment
 * 0x269EC3 are the MSVC CRT constants, so for a known srand() seed the whole
 * sequence is reproducible outside the binary. Returns bits 16..30 of the
 * new state, i.e. a value in 0..0x7FFF.
 */
int __cdecl rand()
{
  unsigned int *state = (unsigned int *)(_getptd() + 0x14);
  unsigned int next = *state * 0x343FD + 0x269EC3;   // LCG step, wraps mod 2^32
  *state = next;
  return (next >> 16) & 0x7FFF;                      // high word, masked to 15 bits
}
if ( sub_B91000(inputSN) != 0xE )               // presumably strlen-like: serial must be 14 chars (body of the if not shown here)
if ( sub_B91000(inputSN) != 0xE )               // presumably strlen-like: serial must be 14 chars (body of the if not shown here)
preStr[5] = 0;                                // NUL terminator: only 5 bytes of the serial are kept
*(_DWORD *)preStr = *(_DWORD *)inputSN;       // copy bytes 0..3 (_DWORD is IDA's 32-bit helper type)
preStr[4] = inputSN[4];                       // ... and byte 4
preValue = atoi(preStr);                      // becomes the first rand() seed; non-digit text just gives 0
preStr[5] = 0;                                // NUL terminator: only 5 bytes of the serial are kept
*(_DWORD *)preStr = *(_DWORD *)inputSN;       // copy bytes 0..3 (_DWORD is IDA's 32-bit helper type)
preStr[4] = inputSN[4];                       // ... and byte 4
preValue = atoi(preStr);                      // becomes the first rand() seed; non-digit text just gives 0

