攻防世界 reverse hackme

hackme XCTF 3rd-GCTF-2017

/*
 * Password checker recovered from the binary (Hex-Rays pseudo-code).
 *
 * print_407470, scanf_4075A0 and f_406D90 are analyst labels for the
 * functions at those addresses; presumably printf, scanf and rand.
 * TODO confirm each against the disassembly.
 *
 * Flow visible in this listing:
 *   1. Prompt, then read one "%s" token into input[].
 *   2. Require the token to be exactly 22 characters long.
 *   3. Ten times: pick index = f_406D90() % 22, build temp by iterating
 *      temp = 0x6D01788D * temp + 0x3039 (index + 1) times starting from 0,
 *      and clear `sign` unless
 *      byte_6B4270[index] == (low byte of temp) ^ input[index].
 *   4. Print "Congras" if `sign` survived, otherwise "Oh no!".
 *
 * Review notes (what a maintainer of such a check should fix):
 *   - "%s" carries no field width, so the read into the 136-byte stack
 *     buffer is unbounded if scanf_4075A0 is scanf; a bounded conversion
 *     such as "%135s" would cap it.
 *   - Only 10 positions are compared per run and the same index may be
 *     drawn more than once, so a 22-character input that is wrong at an
 *     unsampled position still passes that run. A check meant to cover the
 *     whole password would compare all 22 positions deterministically.
 *   - If f_406D90 can return a negative value, `% 22` yields a negative
 *     index and both array reads go out of bounds; rand() never does, but
 *     the identity of f_406D90 is inferred, not shown here.
 *
 * a1 is unused; a2 is only forwarded to the first print call.
 * Always returns 0, whatever the outcome of the check.
 */
__int64 __fastcall sub_400F8E(__int64 a1, __int64 a2)
{
  char input[136]; // [rsp+10h] [rbp-B0h]  user-supplied password buffer
  int v4; // [rsp+98h] [rbp-28h]  receives the print call's result; never read
  char v5; // [rsp+9Fh] [rbp-21h]  temp ^ c; stored but never read
  int v6; // [rsp+A0h] [rbp-20h]  iteration count for the recurrence (index + 1)
  unsigned __int8 c; // [rsp+A6h] [rbp-1Ah]  input byte at the sampled position
  char b; // [rsp+A7h] [rbp-19h]  expected byte from byte_6B4270
  int index; // [rsp+A8h] [rbp-18h]  sampled position, 0..21 for non-negative f_406D90()
  int j; // [rsp+ACh] [rbp-14h]  recurrence loop counter
  int temp; // [rsp+B0h] [rbp-10h]  recurrence state; only its low byte is compared
  int k; // [rsp+B4h] [rbp-Ch]  remaining sampling rounds
  _BOOL4 sign; // [rsp+B8h] [rbp-8h]  overall verdict: 1 = accept, 0 = reject
  int i; // [rsp+BCh] [rbp-4h]  input length after the scan loop

  print_407470((__int64)"Give me the password: ", a2);
  // NOTE(review): no width on %s, so nothing limits the write into input[136].
  scanf_4075A0((__int64)"%s", input);
  // Hand-rolled strlen: i ends up as the number of bytes before the NUL.
  for ( i = 0; input[i]; ++i )
    ;
  sign = i == 22;                               // the input must be exactly 22 characters
  k = 10;                                       // only 10 sampled positions are verified
  do
  {
    index = (signed int)f_406D90() % 22;        // pseudo-random position (f_406D90 presumably rand; confirm)
    temp = 0;
    b = byte_6B4270[index];
    c = input[index];
    v6 = index + 1;
    j = 0;
    // Iterate the linear recurrence index + 1 times; the result depends only
    // on index, so each position has one fixed key byte.
    while ( j < v6 )
    {
      ++j;
      // The low byte of the result depends only on the low byte of temp, so
      // 32-bit wraparound here does not affect the byte that is compared.
      temp = 0x6D01788D * temp + 0x3039;
    }
    v5 = temp ^ c;
    // NOTE(review): b is typed `char` by the decompiler; read literally, a
    // signed value >= 0x80 could never equal the 0..255 right-hand side.
    // Presumably the binary compares raw bytes. Confirm in the disassembly.
    if ( b != ((unsigned __int8)temp ^ c) )
      sign = 0;
    --k;
  }
  while ( k );
  if ( sign )
    v4 = print_407470((__int64)"Congras\n");
  else
    v4 = print_407470((__int64)"Oh no!\n");
  return 0LL;
}

程序流程:

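先验证输入长度为22位，然后循环10次：每次用随机数对22取模得到下标 index，检查 byte_6B4270[index] 是否等于 (temp 的低8位) ^ input[index]，其中 temp 从0开始按 temp = 0x6D01788D * temp + 0x3039 迭代 index+1 次得到。下标是随机的，每次运行只抽查10个位置，但22个位置都可能被抽到，所以需要把22位全部还原；异或可逆，因此 input[index] = (temp ^ byte_6B4270[index]) & 0xff。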

wp:

# Expected bytes copied from byte_6B4270, one per password position (22 in total).
bs = [
    0x5F, 0xF2, 0x5E, 0x8B, 0x4E, 0x0E, 0xA3, 0xAA, 0xC7, 0x93,
    0x81, 0x3D, 0x5F, 0x74, 0xA3, 0x09, 0x91, 0x2B, 0x49, 0x28,
    0x93, 0x67,
]


def _key_state(position):
    """Replay the checker's inner loop: position + 1 rounds of the recurrence from 0."""
    state = 0
    for _ in range(position + 1):
        # Python integers do not wrap at 32 bits like the binary's int, but
        # only the low byte is used later and it is unaffected by the
        # higher bits.
        state = 0x6D01788D * state + 0x3039
    return state


# The checker accepts position p when bs[p] == low_byte(temp) ^ input[p].
# XOR is its own inverse, so input[p] == low_byte(temp ^ bs[p]).
flag = [(_key_state(pos) ^ expected) & 0xff for pos, expected in enumerate(bs)]
print(''.join(chr(value) for value in flag))

flag{d826e6926098ef46}

 

posted @ 2019-09-18 21:23  DirWangK