CTF-逆向-NSCTF-base

题目

CTF-逆向-NSCTF-base

解题思路

1、附件下载是一个base.exe,运行如下图:
CTF-逆向-NSCTF-base
2、扔到IDA,F5查看伪代码如下
CTF-逆向-NSCTF-base

// Entry point (IDA/Hex-Rays pseudocode): reads one token from stdin and prints
// "correct" only when every condition in the chain below holds; otherwise it
// prints "try again".
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[112]; // [rsp+20h] [rbp-70h] BYREF

  sub_402300();
  puts("please input your flag");
  // presumably a scanf-style wrapper; if so, the %100s width keeps the read
  // inside the 112-byte buffer -- confirm against sub_40AA40
  sub_40AA40("%100s", Str);
  if ( strlen(Str) == 42                        // input must be exactly 42 characters long
    && !strncmp("flag{", Str, 5ui64)            // and start with the 5-byte prefix "flag{"
    && asc_40C030[0] == Str[41]                 // last character must equal the first byte of asc_40C030 (presumably '}' -- confirm in the binary)
    && (unsigned __int8)sub_401530()            // takes no arguments; the local input buffer is not passed to it
    && sub_401594((__int64)Str) )               // the 42-character input is handed to sub_401594 for the actual check
  {
    puts("correct");
  }
  else
  {
    puts("try again");
  }
  system("pause");
  return 0;
}

sub_401594函数分析

// Core check (IDA/Hex-Rays pseudocode). a1 is the address of the 42-character
// input passed in from main. Returns true only when the 36 characters after
// "flag{" map, three at a time, onto the 12-byte string "Agf2zwz1BML0".
bool __fastcall sub_401594(__int64 a1)
{
  char Destination[48]; // [rsp+20h] [rbp-50h] BYREF
  char Str2[24]; // [rsp+50h] [rbp-20h] BYREF
  int j; // [rsp+68h] [rbp-8h]
  int i; // [rsp+6Ch] [rbp-4h]

  strncpy(Destination, (const char *)(a1 + 5), 0x24ui64);// copy 0x24 = 36 bytes starting at a1 + 5, i.e. just past "flag{"
  for ( i = 0; i <= 35; ++i )
  {
    if ( Destination[i] <= 47 || Destination[i] > 51 )// only codes 48..51 ('0'..'3') are accepted
      return 0;
    Destination[i] -= 48;                       // character -> numeric value 0..3
  }
  // Each group of three values forms a 6-bit index: 16 * first | 4 * second | third.
  // Str is neither a local nor the parameter here, so it is presumably a global
  // 64-entry lookup table (not main's local buffer of the same name) -- confirm in IDA.
  for ( j = 0; j <= 11; ++j )
    Str2[j] = Str[(4 * Destination[3 * j + 1]) | (16 * Destination[3 * j]) | Destination[3 * j + 2]];
  // Pseudocode of sub_401530, which main calls before this function; it XORs
  // every byte of Str with 0x20 up to the terminating NUL and returns 1:
  // __int64 sub_401530()
  // {
  //   int i; // [rsp+2Ch] [rbp-54h]
  //
  //   for ( i = 0; i < strlen(Str); ++i )
  //     Str[i] ^= 0x20u;
  //   return 1i64;
  // }
  return strncmp("Agf2zwz1BML0", Str2, 0xCui64) == 0;// strncmp yields 0 when the first 0xC = 12 bytes match, so a match returns true
}

sub_401530函数分析

// NOTE(review): this listing is main() again, not sub_401530. The part relevant
// to this section is the sub_401530() call in the condition chain below; the
// body of sub_401530 (a loop that XORs each byte of Str with 0x20 and then
// returns 1) is shown in the comment block inside the sub_401594 listing.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[112]; // [rsp+20h] [rbp-70h] BYREF

  sub_402300();
  puts("please input your flag");
  sub_40AA40("%100s", Str);
  if ( strlen(Str) == 42                        // input must be exactly 42 characters long
    && !strncmp("flag{", Str, 5ui64)            // and start with the 5-byte prefix "flag{"
    && asc_40C030[0] == Str[41]
    && (unsigned __int8)sub_401530()            // runs before sub_401594 because && evaluates left to right; its return value is truncated to 8 bits and tested for nonzero
    && sub_401594((__int64)Str) )               // the 42-character input is handed to sub_401594 for the actual check
  {
    puts("correct");
  }
  else
  {
    puts("try again");
  }
  system("pause");
  return 0;
}

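编写解题脚本(思路:目标串 Agf2zwz1BML0 的每个字符在查找表中的下标是一个 6 位数,按 16、4、1 的权重拆成三个 0~3 的数字,再各加 48 还原成字符 '0'~'3';12 个字符共得到 36 位,前后补上 flag{ 和 } 正好 42 位)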


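# Solver for the check in sub_401594: every byte of the target string is looked
# up in the 64-entry table, and its 6-bit index is split into three base-4
# digits, which are the '0'..'3' characters the program expects as input.

# Lookup table. Assumed here to be the standard Base64 alphabet with upper and
# lower case swapped, which is what XOR 0x20 does to ASCII letters.
# NOTE(review): the decompiled sub_401530 XORs every byte of the table, which
# would also alter the digits, '+' and '/' -- confirm the real table bytes in
# the binary (for example in a debugger after sub_401530 has run).
str1='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/'

# The 12-byte constant that sub_401594 compares against.
f = 'Agf2zwz1BML0'

list1 = []

for ch in f:
    print(ch)
    n = str1.find(ch)
    if n < 0:
        # str.find returns -1 for a missing character; without this check the
        # script would silently produce a flag that is too short.
        raise ValueError('target character %r is not in the lookup table' % ch)
    list1.append(n)

print(list1)

flag=''
for index in list1:
    # 16*a | 4*b | c with a, b, c in 0..3 occupies disjoint bit pairs, so the
    # three digits can be read straight out of the index without searching.
    digits = (index >> 4, (index >> 2) & 3, index & 3)
    # +48 turns the value 0..3 back into the character '0'..'3'.
    flag = flag + ''.join(chr(d + 48) for d in digits)

flag = 'flag{' + flag + '}'
if len(flag) != 42:
    # main() only accepts an input of exactly 42 characters.
    raise ValueError('unexpected flag length %d' % len(flag))
print(flag)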