
    SimpleRev

    程序流程很清晰

     // IDA pseudo-code of the binary's entry loop (decompiler output, kept verbatim).
     // Menu: 'd'/'D' runs Decry(); 'q'/'Q' calls Exit(); any other byte prints
     // "Input fault format!" and echoes one further byte. argc/argv/envp are never
     // used by the logic; the two extra printf() arguments below are presumably stale
     // register contents surfaced by the decompiler (the format has no conversions).
     1 int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
     2 {
     3   int v3; // eax
     4   char v4; // [rsp+Fh] [rbp-1h]  -- getchar()'s int result truncated to char: EOF (-1) is not distinguishable from byte 0xFF
     5 
     6   while ( 1 )
     7   {
     8     while ( 1 )
     9     {
    10       printf("Welcome to CTF game!
    Please input d/D to start or input q/Q to quit this program: ", argv, envp);
           // NOTE(review): no EOF/error check — on EOF, v4 is neither d/D nor q/Q,
           // so the outer loop repeats forever (puts + getchar + putchar).
    11       v4 = getchar();
    12       if ( v4 != 'd' && v4 != 'D' )
    13         break;
    14       Decry();
    15     }
    16     if ( v4 == 'q' || v4 == 'Q' )
    17       Exit();
    18     puts("Input fault format!");
           // Consumes and echoes one more byte (typically the newline left after the menu key).
    19     v3 = getchar();
    20     putchar(v3);
    21   }
    22 }

    关键处理在Decry()中

     // IDA pseudo-code of Decry() (decompiler output, kept verbatim).
     // Builds the comparison text and the key, lowercases the key, then reads one
     // line of input and maps each letter through a key-dependent shift into the
     // global str2; success is strcmp(text, str2) == 0.
     // Globals referenced but declared outside this listing: text, key, key1, key3,
     // str2, and the helper join(). Their sizes/implementations are not visible here.
     1 unsigned __int64 Decry()
     2 {
     3   char c; // [rsp+Fh] [rbp-51h]
     4   int j; // [rsp+10h] [rbp-50h]
     5   int index; // [rsp+14h] [rbp-4Ch]
     6   int i; // [rsp+18h] [rbp-48h]
     7   int v5; // [rsp+1Ch] [rbp-44h]
     8   char src[8]; // [rsp+20h] [rbp-40h]
     9   __int64 v7; // [rsp+28h] [rbp-38h]
    10   int v8; // [rsp+30h] [rbp-30h]
    11   __int64 v9; // [rsp+40h] [rbp-20h]
    12   __int64 v10; // [rsp+48h] [rbp-18h]
    13   int v11; // [rsp+50h] [rbp-10h]
    14   unsigned __int64 v12; // [rsp+58h] [rbp-8h]
    15 
         // Stack-protector canary saved at entry (fs:0x28 on x86-64 glibc); re-checked at the return below.
    16   v12 = __readfsqword(0x28u);
         // Multi-character constant written as a 64-bit little-endian word, so the bytes in
         // memory read "NDCLS"; v7/v8 zero the following bytes, terminating the string.
    17   *(_QWORD *)src = 'SLCDN';                     // NDCLS
    18   v7 = 0LL;
    19   v8 = 0;
         // Same trick: v9 holds the bytes "hadow", v10/v11 zero what follows.
    20   v9 = 'wodah';                                 // hadow
    21   v10 = 0LL;
    22   v11 = 0;
         // join() and key3 are not shown; per the annotation the result is "killshadow".
    23   text = (char *)join(key3, &v9);               // text=killshadow
         // Unbounded strcpy/strcat into the global key (its size is not visible here).
    24   strcpy(key, key1);                            // ADSFK
    25   strcat(key, src);                             // key=ADSFKNDCLS
    26   j = 0;
    27   index = 0;
         // Presumably discards the newline left behind by main()'s menu read.
    28   getchar();
    29   v5 = strlen(key);
         // index == i throughout this loop, so this lowercases key[i] in place for 'A'..'Z'.
    30   for ( i = 0; i < v5; ++i )
    31   {
    32     if ( key[index % v5] > '@' && key[index % v5] <= 'Z' )
    33       key[i] = key[index % v5] + 32;            // key: uppercase -> lowercase
    34     ++index;
    35   }
         // Format has no conversions; the extra src argument is unused.
    36   printf("Please input your flag:", src);
         // Reads until '\n'. NOTE(review): no EOF check — on EOF c is -1, neither branch
         // writes str2, and the loop never breaks. j is also never bounded, so a long line
         // writes past str2 if it is a fixed-size global (its size is not visible here).
    37   while ( 1 )
    38   {
    39     c = getchar();
    40     if ( c == '
    ' )
    41       break;
         // A space skips position j in str2 without writing it.
    42     if ( c == ' ' )
    43     {
    44       ++j;
    45     }
    46     else
    47     {
    48       if ( c <= 96 || c > 'z' )
    49       {
             // Both letter branches apply the identical expression, which simplifies to
             // ((c - key[...] + 58) % 26) + 97; with a lowercase key the operand stays
             // positive for both letter ranges, so % yields 0..25 and the output is 'a'..'z'.
             // Non-letters are dropped (str2[j] is left untouched) but still advance j.
    50         if ( c > 64 && c <= 'Z' )               // uppercase letter
    51           str2[j] = (c - 39 - key[index++ % v5] + 97) % 26 + 97;// key=adsfkndcls
    52       }
    53       else                                      // lowercase letter
    54       {
    55         str2[j] = (c - 39 - key[index++ % v5] + 97) % 26 + 97;
    56       }
           // Emits a space each time v5 key characters have been consumed.
    57       if ( !(index % v5) )
    58         putchar(' ');
    59       ++j;
    60     }
    61   }
         // str2 is compared as a C string; its terminator comes from whatever follows
         // the last written position (str2's initial contents are not visible here).
    62   if ( !strcmp(text, str2) )                    // killshadow
    63     puts("Congratulation!
    ");
    64   else
    65     puts("Try again!
    ");
         // Canary check: non-zero result means the stack guard was overwritten.
    66   return __readfsqword(0x28u) ^ v12;
    67 }

    wp:

     # Brute-force the flag: for each character of the expected text, find the
     # uppercase letter that the binary's per-position shift maps onto it.
     # The key is the binary's "ADSFKNDCLS" after its lowercasing loop.
     lt = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
     key = list('ADSFKNDCLS'.lower())
     klens = len(key)

     text = 'killshadow'
     flag = ''
     for i, target in enumerate(text):
         k = ord(key[i % klens])
         # Same expression the binary applies: (c - 39 - key + 97) % 26 + 97.
         hits = [c for c in lt if chr((ord(c) - 39 - k + 97) % 26 + 97) == target]
         flag += ''.join(hits)
     print('flag{' + flag + '}')

    flag{KLDQCUDFZO}

    输入大小写字母时的处理是一样的，按我理解这题有多解，爆破时输入大小写都可以，但这里只考虑了大写。本想在 Linux 下运行看看，结果提示：段错误（核心已转储）。0.0

     1 popk@popk-virtual-machine:~$ ulimit -c unlimited
     2 popk@popk-virtual-machine:~$ gdb ./SimpleRev core 
     3 GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
     4 Copyright (C) 2018 Free Software Foundation, Inc.
     5 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
     6 This is free software: you are free to change and redistribute it.
     7 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
     8 and "show warranty" for details.
     9 This GDB was configured as "x86_64-linux-gnu".
    10 Type "show configuration" for configuration details.
    11 For bug reporting instructions, please see:
    12 <http://www.gnu.org/software/gdb/bugs/>.
    13 Find the GDB manual and other documentation resources online at:
    14 <http://www.gnu.org/software/gdb/documentation/>.
    15 For help, type "help".
    16 Type "apropos word" to search for commands related to "word"...
    17 Reading symbols from ./SimpleRev...(no debugging symbols found)...done.
    18 [New LWP 2376]
    19 Core was generated by `./SimpleRev'.
    20 Program terminated with signal SIGSEGV, Segmentation fault.
    21 #0  0x0000000000000000 in ?? ()
    22 (gdb) 
  • 原文地址:https://www.cnblogs.com/DirWang/p/11657450.html