[V&N2020 公开赛]strangeCpp

附加

步骤

1. 查壳，无壳，64位程序
   

2. 64位ida载入，没有main函数，根据程序里的字符串，去查看函数

   __int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
   {
   char *v3; // rdi
   signed __int64 i; // rcx
   __int64 v5; // rax
   __int64 v6; // rax
   __int64 v7; // rax
   __int64 v8; // rax
   char v10; // [rsp+0h] [rbp-20h]
   struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
   __int64 *j; // [rsp+78h] [rbp+58h]
   __int64 v13; // [rsp+98h] [rbp+78h]
   __int64 *v14; // [rsp+1A0h] [rbp+180h]

   v14 = a3;
   v3 = &v10;
   for ( i = 94i64; i; --i )
   {
   *(_DWORD *)v3 = 3435973836;
   v3 += 4;
   }
   sub_1400110AA((__int64)&unk_140027033);
   GetSystemInfo(&SystemInfo);
   putchar(byte_140021004); // w
   putchar(byte_140021005); // e
   putchar(byte_140021006); // l
   putchar(byte_140021007); // c
   putchar(byte_140021019); // o
   putchar(byte_14002101A); // m
   putchar(byte_140021005); // e
   putchar(10);
   puts("Let me have a look at your computer…");
   for ( j = v14; *j; ++j )
   {
   v13 = *j;
   sub_140011226((__int64)"%s\n", v13); // 循环输出变量
   }
   std::basic_ostream>::operator<<(std::cout, sub_140011127); dword_140021190 = SystemInfo.dwNumberOfProcessors; // CPU数量 sub_140011226((__int64)"now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors); if ( dword_140021190 < 8 ) { puts("Are you in VM?"); _exit(0); } if ( GetUserNameA(Str1, &pcbBuffer) ) // 获取用户名 { v5 = sub_140011172(std::cout, "this is useful"); std::basic_ostream>::operator<<(v5, sub_140011127); } v6 = std::basic_ostream>::operator<<(std::cout, sub_140011127); v7 = sub_140011172(v6, "ok,I am checking…"); std::basic_ostream>::operator<<(v7, sub_140011127); if ( !j_strcmp(Str1, "cxx") ) { v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}"); std::basic_ostream>::operator<<(v8, sub_140011127);
   _exit(0);
   }
   system("pause");
   sub_1400113E3(&v10, &unk_14001DE50);
   return 0i64;
   }

以为flag{where_is_my_true_flag?}是答案，还是太天真了

1. 找了半天没找到关键点，想要动调但是报错，不清楚这是为什么。都没搞清楚这个程序要干嘛

2. 在查看了其他师傅的wp之后，发现了这题的关键点
   我们之前那个welcome的字符那边定义了一个数组
   

3. 找到交叉引用它的地方
   
   当满足21行的if条件的情况时，25行会根据异或算法，输出一个字符串，猜测是flag

4. result的值由sub_140011384函数得到，看一下sub_140011384函数
   
   根据20~23行的算法，加上上一张图里的dword_140021190 <= 14549743，可以穷举暴力破解出result里的值

   result=0
   for v8 in range(14549743):
   v7 = (((v8 << 8) ^ (v8 >> 12))*291)&0xFFFFFFFF
   if (v7 == 607052314):
   result = v8
   break

   print(result)

v7的类型是unsigned int–0~0xFFFFFFFF,输出的值需要截断，python默认没把数据截断
算出了result的值，看一下这个putchar语句输出的值

result=0
for v8 in range(14549743):
    v7 = (((v8 << 8) ^ (v8 >> 12))*291)&0xFFFFFFFF # 原文是unsigned int--0~0xFFFFFFFF,输出的值需要截断
    if (v7 == 607052314):
        result = v8
        break

print(result)

a=[0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
  0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D, 0x6F, 0x6D, 0x00]

for j in range(17):
    print(chr((v8^a[j])&0xff),end="")

终于看到了曙光，讲123456拿去md5加密一下

flag{e10adc3949ba59abbe56e057f20f883e}