crazy 百越杯2018
查看main函数:
// Decompiler (Hex-Rays style) output for the challenge's main().
// NOTE: the page extraction dropped everything between angle brackets, so the
// std::__cxx11::basic_string / std::operator<< / std::operator>> lines below are
// truncated calls (template arguments and most call arguments are missing).
// Visible flow: read a string into myinput_str, print banner lines, build a
// HighTemplar object in `temp` from the input, transform the stored input with
// calculate(), then treat getSerial() == 0 as success and print the flag text.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax
__int64 v4; // rax
__int64 v5; // rax
__int64 v6; // rax
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rax
__int64 v10; // rax
__int64 v11; // rax
__int64 v12; // rax
__int64 v13; // rax
__int64 v14; // rax
__int64 v15; // rax
__int64 v16; // rax
char myinput_str; // [rsp+10h] [rbp-130h]
char v19; // [rsp+30h] [rbp-110h]
char v20; // [rsp+50h] [rbp-F0h]
char v21; // [rsp+70h] [rbp-D0h]
char myinput_copy; // [rsp+90h] [rbp-B0h]
char temp; // [rsp+B0h] [rbp-90h]
unsigned __int64 v24; // [rsp+128h] [rbp-18h]
// fs:0x28 holds the stack-protector canary on x86-64 Linux; it is saved here.
v24 = __readfsqword(0x28u);
std::__cxx11::basic_string
(__int64)&myinput_str,
(__int64)argv,
(__int64)envp);
// Truncated stream extraction; presumably reads the user's input into myinput_str.
std::operator>>
v3 = std::operator<<
std::ostream::operator<<(v3, &std::endl
v4 = std::operator<<
std::ostream::operator<<(v4, &std::endl
v5 = std::operator<<
std::ostream::operator<<(v5, &std::endl
v6 = std::operator<<
&std::cout,
"*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");
std::ostream::operator<<(v6, &std::endl
v7 = std::operator<<
std::ostream::operator<<(v7, &std::endl
v8 = std::operator<<
&std::cout,
"*I like to use the hard times in the past to motivate me today.");
std::ostream::operator<<(v8, &std::endl
v9 = std::operator<<
std::ostream::operator<<(v9, &std::endl
// Builds the checker object in `temp`; the constructor copies the input and
// embeds the expected string noted in the trailing comment.
HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// 327a6c4304ad5938eaf0efb6cc3e53dc
v10 = std::operator<<
std::ostream::operator<<(v10, &std::endl
std::__cxx11::basic_string
// func1/func2/func3 work on v19/v20/v21 only and are not analysed on this page;
// as listed here they never receive `temp`.
func1((__int64)&v20, (__int64)&v19);
func2((__int64)&v21, (__int64)&v20);
func3((__int64)&v21, 0);
std::__cxx11::basic_string
std::__cxx11::basic_string
std::__cxx11::basic_string
// The bool returned by calculate() is discarded here.
HighTemplar::calculate((HighTemplar *)&temp);// encryption step
if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )// verification step
{
v11 = std::operator<<
std::ostream::operator<<(v11, &std::endl
v12 = std::operator<<
std::ostream::operator<<(v12, &std::endl
v13 = std::operator<<
std::ostream::operator<<(v13, &std::endl
// Itanium-mangled name without its leading underscore:
// HighTemplar::getFlag[abi:cxx11](). Its body is not shown on this page.
ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// fetch the input
v14 = std::operator<<
v15 = std::operator<<
v16 = std::operator<<
std::ostream::operator<<(v16, &std::endl
std::__cxx11::basic_string
}
HighTemplar::~HighTemplar((HighTemplar *)&temp);
std::__cxx11::basic_string
return 0;
}
三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str); HighTemplar::getSerial((HighTemplar *)&temp) 和 HighTemplar::calculate((HighTemplar *)&temp);
HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str),进行字符串转储。
// Decompiled HighTemplar constructor (basic_string / allocator lines are
// truncated by the page extraction).
// Object layout established here, as byte offsets from `temp`:
//   +0   pointer to off_401EA0 (presumably the vtable - confirm in the binary)
//   +12  32-bit status field, cleared to 0 (later returned by getSerial)
//   +16  copy of the user input (the buffer calculate() rewrites in place)
//   +48  second copy of the user input
//   +80  hard-coded expected string "327a6c4304ad5938eaf0efb6cc3e53dc"
// Returns the stack-canary XOR, which is decompiler noise rather than a real result.
unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)
{
char v3; // [rsp+17h] [rbp-19h]
unsigned __int64 v4; // [rsp+18h] [rbp-18h]
v4 = __readfsqword(0x28u);
// Base-class constructor runs first.
DarkTemplar::DarkTemplar(temp);
*(_QWORD *)temp = &off_401EA0;
// (_DWORD *)temp + 3 is byte offset 12.
*((_DWORD *)temp + 3) = 0;
std::__cxx11::basic_string
(char *)temp + 16,
myinput_str); // temp + 16 --> stores the input
std::__cxx11::basic_string
(char *)temp + 48,
myinput_str); // temp + 48 --> stores the input
std::allocator
std::__cxx11::basic_string
(__int64)temp + 80, // temp + 80 --> stores 327a6c4304ad5938eaf0efb6cc3e53dc
(__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",
(__int64)&v3);
std::allocator
return __readfsqword(0x28u) ^ v4;
}
HighTemplar::calculate((HighTemplar *)&temp);进行加密操作
// Decompiled HighTemplar::calculate: rewrites the string at this+16 in place
// with two byte-wise passes (basic_string calls are truncated by the page
// extraction, so the exact accessor and length calls are not visible).
//   pass 1: b = (b ^ 0x50) + 23
//   pass 2: b = (b ^ 0x13) + 11
// Writes go through _BYTE pointers, so each result is truncated to 8 bits.
// Both passes are invertible per byte, and no key or state is mixed in.
bool __fastcall HighTemplar::calculate(HighTemplar *this)
{
__int64 v1; // rax
_BYTE *v2; // rbx
bool result; // al
_BYTE *v4; // rbx
int i; // [rsp+18h] [rbp-18h]
int j; // [rsp+1Ch] [rbp-14h]
// Condition is truncated; presumably a length check on the input - confirm in
// the binary. When it holds, a message is printed and the process exits with -1.
if ( std::__cxx11::basic_string
{
v1 = std::operator<<
std::ostream::operator<<(v1, &std::endl
exit(-1);
}
// NOTE(review): the bound uses <=; if the truncated call is the string length,
// index == length is transformed as well - confirm in the binary.
for ( i = 0;
i <= (unsigned __int64)std::__cxx11::basic_string
++i )
{
v2 = (_BYTE *)std::__cxx11::basic_string
(char *)this + 16,
i);
*v2 = (*(_BYTE *)std::__cxx11::basic_string
(char *)this + 16,
i) ^ 0x50) // (each character ^ 0x50) + 23
+ 23;
}
// Second pass over the same buffer; the loop exits only once `result` is false.
for ( j = 0; ; ++j )
{
result = j <= (unsigned __int64)std::__cxx11::basic_string
if ( !result )
break;
v4 = (_BYTE *)std::__cxx11::basic_string
(char *)this + 16,
j);
*v4 = (*(_BYTE *)std::__cxx11::basic_string
(char *)this + 16,
j) ^ 0x13) // (each character ^ 0x13) + 11
+ 11;
}
// Always false on this path (the loop above breaks only when !result).
return result;
}
HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作
// Decompiled HighTemplar::getSerial: compares the string at this+80 (the
// hard-coded expected value) with the string at this+16 (the input after
// calculate() rewrote it) one byte at a time. basic_string / operator<< calls
// are truncated by the page extraction.
// Returns the 32-bit status field at byte offset 12: it is set to 1 on the
// first mismatch and otherwise keeps the value the constructor stored (0).
// NOTE(review): i is streamed out on both the match and the mismatch path, so
// the program reports how far a candidate got. Together with the expected
// string being embedded in the binary, this check offers no secrecy.
__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)
{
__int64 v1; // rbx
__int64 v2; // rax
__int64 v3; // rax
__int64 v4; // rax
__int64 v5; // rax
unsigned int i; // [rsp+1Ch] [rbp-14h]
// Loop bound is truncated; presumably the length of one of the two strings - confirm.
for ( i = 0;
(signed int)i < (unsigned __int64)std::__cxx11::basic_string
++i )
{
v1 = *(unsigned __int8 *)std::__cxx11::basic_string
(char *)this + 80,// set earlier by HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str): 327a6c4304ad5938eaf0efb6cc3e53dc
(signed int)i);
if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string
(char *)this + 16,// input buffer (already transformed in place by calculate)
(signed int)i) )
{
// Mismatch: print a message followed by the index, then flag failure.
v4 = std::operator<<
v5 = std::ostream::operator<<(v4, i);
std::ostream::operator<<(v5, &std::endl
*((_DWORD *)this + 3) = 1;
return *((unsigned int *)this + 3);
}
// Match at this index: a message followed by the index is printed as well.
v2 = std::operator<<
v3 = std::ostream::operator<<(v2, i);
std::ostream::operator<<(v3, &std::endl
}
return *((unsigned int *)this + 3);
}
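calculate 只做了简单的异或与加法操作:先对每个字节做 (c ^ 0x50) + 23,再做 (c ^ 0x13) + 11;getSerial 把结果逐字节与常量串 327a6c4304ad5938eaf0efb6cc3e53dc 比较。两步运算都可逆,所以对常量串按相反顺序做逆运算即可还原输入。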
wp:
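# Recover the expected input by inverting HighTemplar::calculate on the
# constant that HighTemplar::getSerial compares against.
# Forward transform per byte (from the decompiled calculate):
#   pass 1: b = (b ^ 0x50) + 23
#   pass 2: b = (b ^ 0x13) + 11
# The inverse therefore undoes pass 2 first, then pass 1.
temp = '327a6c4304ad5938eaf0efb6cc3e53dc'
flag = ''
for ch in temp:
    n = ord(ch)
    # The binary works on 8-bit values, so mask after each subtraction to
    # mirror its wrap-around (a no-op for this particular constant).
    after_pass1 = ((n - 11) & 0xFF) ^ 0x13
    flag += chr(((after_pass1 - 23) & 0xFF) ^ 0x50)
print('flag{' + flag + '}')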
flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}