攻防世界--dmd-50

测试文件:https://adworld.xctf.org.cn/media/task/attachments/7ef7678559ea46cbb535c0b6835f2f4d

获取信息

  1. 64位文件

    // Hex-Rays pseudo-code of main() as pasted in the writeup.
    // Flow visible below: print a prompt, read a key, pass it through md5(),
    // compare the result character by character against constants, then print
    // a verdict one character at a time.
    // NOTE(review): page extraction blanked the v41[] indices, the digit
    // character literals and the values assigned to `result`, so the listing
    // is not compilable as shown.
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
    __int64 v3; // rax
    __int64 v4; // rax
    __int64 v5; // rax
    __int64 v6; // rax
    __int64 v7; // rax
    __int64 v8; // rax
    __int64 v9; // rax
    __int64 v10; // rax
    __int64 v11; // rax
    __int64 v12; // rax
    __int64 v13; // rax
    __int64 v14; // rax
    __int64 v15; // rax
    __int64 v16; // rax
    __int64 v17; // rax
    __int64 v18; // rax
    __int64 v19; // rax
    __int64 v20; // rax
    __int64 v21; // rax
    int result; // eax
    __int64 v23; // rax
    __int64 v24; // rax
    __int64 v25; // rax
    __int64 v26; // rax
    __int64 v27; // rax
    __int64 v28; // rax
    __int64 v29; // rax
    __int64 v30; // rax
    __int64 v31; // rax
    __int64 v32; // rax
    __int64 v33; // rax
    __int64 v34; // rax
    __int64 v35; // rax
    __int64 v36; // rax
    __int64 v37; // rax
    char v38; // [rsp+Fh] [rbp-71h]
    char v39; // [rsp+10h] [rbp-70h]
    char v40; // [rsp+20h] [rbp-60h]
    _BYTE *v41; // [rsp+28h] [rbp-58h]
    char v42; // [rsp+30h] [rbp-50h]
    unsigned __int64 v43; // [rsp+68h] [rbp-18h]

    // Saves the qword at fs:0x28 into v43; on x86-64 Linux/glibc that slot holds
    // the stack-protector canary (presumably the epilogue check was folded away
    // by the decompiler -- confirm in the disassembly).
    v43 = __readfsqword(0x28u);
    std::operator<<>(&std::cout, "Enter the valid key!\n", envp);
    // Reads the key into v42. `edata` is presumably std::cin mislabelled by the
    // decompiler.
    // NOTE(review): v42 sits at rbp-50h and v43 at rbp-18h, so the destination
    // looks like a 0x38-byte stack buffer; no width limit is visible on this
    // read -- confirm whether the input length is bounded.
    std::operator>>>(&edata, &v42);
    // v39 = std::string built from the input buffer; v40 = md5(v39).
    std::allocator::allocator(&v38);
    std::string::string(&v39, &v42, &v38);
    md5(&v40, &v39);
    // v41 keeps the raw c_str() pointer of the md5 result.
    v41 = (_BYTE *)std::string::c_str((std::string *)&v40);
    // NOTE(review): v40 is destroyed here while v41 is still read by the
    // comparison below -- as decompiled, the check reads through a dangling
    // pointer; verify against the disassembly.
    std::string::~string((std::string *)&v40);
    std::string::~string((std::string *)&v39);
    std::allocator::~allocator(&v38);
    // 32 character comparisons; any mismatch takes the "Invalid Key" branch.
    // The letters that survived extraction (d, b, e, d, b, b, c, f, c) sit at
    // the same positions as the letters in the 32-hex-character string
    // 780438d5b6e29db0898bc4f0225935c0 quoted in the writeup text.
    if ( *v41 != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != 'd'
    || v41[] != ''
    || v41[] != 'b'
    || v41[] != ''
    || v41[] != 'e'
    || v41[] != ''
    || v41[] != ''
    || v41[] != 'd'
    || v41[] != 'b'
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != 'b'
    || v41[] != 'c'
    || v41[] != ''
    || v41[] != 'f'
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != ''
    || v41[] != 'c'
    || v41[] != '' )
    {
    // Mismatch: writes "Invalid Key! :(" to std::cout one character at a time.
    v23 = std::operator<<>(&std::cout, 'I');
    v24 = std::operator<<>(v23, 'n');
    v25 = std::operator<<>(v24, 'v');
    v26 = std::operator<<>(v25, 'a');
    v27 = std::operator<<>(v26, 'l');
    v28 = std::operator<<>(v27, 'i');
    v29 = std::operator<<>(v28, 'd');
    v30 = std::operator<<>(v29, ' ');
    v31 = std::operator<<>(v30, 'K');
    v32 = std::operator<<>(v31, 'e');
    v33 = std::operator<<>(v32, 'y');
    v34 = std::operator<<>(v33, '!');
    v35 = std::operator<<>(v34, ' ');
    v36 = std::operator<<>(v35, ':');
    v37 = std::operator<<>(v36, '(');
    std::ostream::operator<<(v37, &std::endl>);
    // NOTE(review): the assigned value was lost in extraction.
    result = ;
    }
    else
    {
    // All 32 characters matched: writes "The key is valid :)" the same way.
    v3 = std::operator<<>(&std::cout, 'T');
    v4 = std::operator<<>(v3, 'h');
    v5 = std::operator<<>(v4, 'e');
    v6 = std::operator<<>(v5, ' ');
    v7 = std::operator<<>(v6, 'k');
    v8 = std::operator<<>(v7, 'e');
    v9 = std::operator<<>(v8, 'y');
    v10 = std::operator<<>(v9, ' ');
    v11 = std::operator<<>(v10, 'i');
    v12 = std::operator<<>(v11, 's');
    v13 = std::operator<<>(v12, ' ');
    v14 = std::operator<<>(v13, 'v');
    v15 = std::operator<<>(v14, 'a');
    v16 = std::operator<<>(v15, 'l');
    v17 = std::operator<<>(v16, 'i');
    v18 = std::operator<<>(v17, 'd');
    v19 = std::operator<<>(v18, ' ');
    v20 = std::operator<<>(v19, ':');
    v21 = std::operator<<>(v20, ')');
    std::ostream::operator<<(v21, &std::endl>);
    // NOTE(review): the assigned value was lost in extraction.
    result = ;
    }
    return result;
    }

查看第50行代码(md5(&v40, &v39)),这里对输入做了一次md5散列(md5是单向散列,严格来说不是加密)

再看第55~86行代码中逐个比较的字符,共32个十六进制字符,猜测应该也是一个md5值

780438d5b6e29db0898bc4f0225935c0

md5不可逆,只能通过查表的方式反查这串散列值,得到(原文此处的查询结果缺失;由下文可知查到的明文是grape)

注意可以看到,这串字符串要经过2次md5反查才能得到grape,因此我们可以猜测:我们输入的flag是grape做1次md5的结果,它经过第50行代码的md5再散列一次后,再与780438d5b6e29db0898bc4f0225935c0比较

将grape经过1次md5加密得到

b781cbb29054db12f88f08c6e161c199

b781cbb29054db12f88f08c6e161c199
