zoukankan html css js c++ java

攻防世界 reverse reverse-for-the-holy-grail-350

reverse-for-the-holy-grail-350 tu-ctf-2016

程序流程很简单，就一个检验函数：

 1 __int64 __fastcall stringMod(__int64 *a1)
 2 {
 3   __int64 length; // r9
 4   char *c_str; // r10
 5   __int64 i; // rcx
 6   signed int v4; // er8
 7   int *temp_2; // rdi
 8   int *temp_3; // rsi
 9   signed int t; // ecx
10   signed int j; // er9
11   int index; // er10
12   unsigned int tmp; // eax
13   int sign; // esi
14   int v12; // esi
15   int temp[24]; // [rsp+0h] [rbp-60h]
16 
17   memset(temp, 0, 0x48uLL);
18   length = a1[1];
19   if ( length )
20   {
21     c_str = (char *)*a1;
22     i = 0LL;
23     v4 = 0;
24     do
25     {
26       v12 = c_str[i];
27       temp[i] = v12;
28       if ( 3 * ((unsigned int)i / 3) == (_DWORD)i && v12 != firstchar[(unsigned int)i / 3] )// 当i是3的倍数时，str=first[i/3]
29                                                 // { 65, 105, 110, 69, 111, 97}
30         v4 = -1;
31       ++i;
32     }
33     while ( i != length );
34   }
35   else
36   {
37     v4 = 0;
38   }
39   temp_2 = temp;
40   temp_3 = temp;
41   t = 666;
42   do
43   {
44     *temp_3 = t ^ *(unsigned __int8 *)temp_3;
45     t += t % 5;
46     ++temp_3;
47   }
48   while ( &temp[18] != temp_3 );                // 异或操作
49   j = 1;
50   index = 0;
51   tmp = 1;
52   sign = 0;
53   do                                            // 0,1,2  每三个数验证
54   {
55     if ( sign == 2 )
56     {
57       if ( *temp_2 != thirdchar[index] )        // { 751, 708, 732, 711, 734, 764, 0, 0 }
58                                                 // temp[2]=
59         v4 = -1;
60       if ( tmp % *temp_2 != masterArray[index] )// { 471, 12, 580, 606, 147, 108 }
61                                                 // 
62                                                 // temp[0]*temp[1]%temp[2]=
63         v4 = -1;
64       ++index;
65       tmp = 1;
66       sign = 0;
67     }
68     else                                        // sign  0,1,
69     {
70       tmp *= *temp_2;                           // 0 tmp=temp[0]   
71                                                 // 1 tmp=temp[0]*temp[1]
72       if ( ++sign == 3 )
73         sign = 0;
74     }
75     ++j;
76     ++temp_2;
77   }
78   while ( j != 19 );                            // 18循环
79   return (unsigned int)(t * v4);
80 }

wp:

 1 firstchar=[65, 105, 110, 69, 111, 97]
 2 thirdchar=[751, 708, 732, 711, 734, 764]
 3 masterArray=[471, 12, 580, 606, 147, 108 ]
 4 t=[]
 5 x=666
 6 for i in range(18):
 7     t.append(x)
 8     x+=x%5
 9 flag=[0 for i in range(18)]
10 index=0
11 for i in range(0,18,3):
12     flag[i]=firstchar[index]  #0,3,6
13     index+=1
14 index=0
15 for i in range(2,18,3):
16     flag[i]=thirdchar[index]^t[i]  #2 5,8
17     index+=1
18 index=0
19 for i in range(1,18,3):
20     for f in range(32,126):  #常用可输入字符
21         if (flag[i-1]^t[i-1])*(f^t[i])%(flag[i+1]^t[i+1])==masterArray[index]:
22             flag[i]=f
23             index+=1
24             break;
25 
26 print('tuctf{'+''.join(map(chr,flag))+'}')

tuctf{AfricanOrEuropean?}

查看全文

相关阅读:
111.浮动初识 Walker
105.灰度和对比度 Walker
102.表格属性 Walker
POJ 1321 棋盘问题
 HDU 1106 排序题解
 HDU 1240 Asteroids! 解题报告
 HDU 1372 Knight Moves
HDU 1253 胜利大逃亡
 HDU 1231:最大连续子序列解题报告
 POJ 2251 Dungeon Master

原文地址：https://www.cnblogs.com/DirWang/p/11575270.html