攻防世界 reverse Newbie_calculations
Newbie_calculations Hack-you-2014
题目名百度翻译成新手计算,那我猜应该是个实现计算器的题目。。。。
IDA打开程序,发现一长串的函数反复调用,而且程序没有输入,只有输出。这样的话直接运行程序理论上就会输出flag;但三个辅助函数里都塞了以 -1 为计数器、只能靠 32 位有符号整数回绕才能归零的循环(每个要跑约 2^32 次),所以实际上根本等不到它打印结果。
这种题目就要分析函数作用,简化,自己实现算法。重写时要注意两点:程序里的加减乘都是在 32 位 DWORD 上做的,结果应按 2^32 取模(例如乘以 -294967296 其实就是乘以 4000000000 再回绕);输出时用的是 SLOBYTE(flag[j]),只打印每个元素的最低字节。
程序流程:
1 for ( i = 0; i < 32; ++i ) 2 flag[i] = 1; 3 v121 = 0; 4 puts("Your flag is:"); 5 v3 = mul_401100(flag, 0x3B9ACA00); 6 v4 = sub_401220(v3, 0x3B9AC9CE); 7 mul_401100(v4, 2); 8 v5 = add_401000(&flag[1], 0x4C4B40); 9 v6 = sub_401220(v5, 0x65B9AA); 10 v7 = add_401000(v6, 1666666); 11 v8 = add_401000(v7, 45); 12 v9 = mul_401100(v8, 2); 13 add_401000(v9, 5); 14 v10 = mul_401100(&flag[2], 0x3B9ACA00); 15 v11 = sub_401220(v10, 999999950); 16 v12 = mul_401100(v11, 2); 17 add_401000(v12, 2); 18 v13 = add_401000(&flag[3], 55); 19 v14 = sub_401220(v13, 3); 20 v15 = add_401000(v14, 4); 21 sub_401220(v15, 1); 22 v16 = mul_401100(&flag[4], 100000000); 23 v17 = sub_401220(v16, 99999950); 24 v18 = mul_401100(v17, 2); 25 add_401000(v18, 2); 26 v19 = sub_401220(&flag[5], 1); 27 v20 = mul_401100(v19, 1000000000); 28 v21 = add_401000(v20, 55); 29 sub_401220(v21, 3); 30 v22 = mul_401100(&flag[6], 1000000); 31 v23 = sub_401220(v22, 999975); 32 mul_401100(v23, 4); 33 v24 = add_401000(&flag[7], 55); 34 v25 = sub_401220(v24, 33); 35 v26 = add_401000(v25, 44); 36 sub_401220(v26, 11); 37 v27 = mul_401100(&flag[8], 10); 38 v28 = sub_401220(v27, 5); 39 v29 = mul_401100(v28, 8); 40 add_401000(v29, 9); 41 v30 = add_401000(&flag[9], 0); 42 v31 = sub_401220(v30, 0); 43 v32 = add_401000(v31, 11); 44 v33 = sub_401220(v32, 11); 45 add_401000(v33, 53); 46 v34 = add_401000(&flag[10], 49); 47 v35 = sub_401220(v34, 2); 48 v36 = add_401000(v35, 4); 49 sub_401220(v36, 2); 50 v37 = mul_401100(&flag[11], 1000000); 51 v38 = sub_401220(v37, 999999); 52 v39 = mul_401100(v38, 4); 53 add_401000(v39, 50); 54 v40 = add_401000(&flag[12], 1); 55 v41 = add_401000(v40, 1); 56 v42 = add_401000(v41, 1); 57 v43 = add_401000(v42, 1); 58 v44 = add_401000(v43, 1); 59 v45 = add_401000(v44, 1); 60 v46 = add_401000(v45, 10); 61 add_401000(v46, 32); 62 v47 = mul_401100(&flag[13], 10); 63 v48 = sub_401220(v47, 5); 64 v49 = mul_401100(v48, 8); 65 v50 = add_401000(v49, 9); 66 add_401000(v50, 48); 67 v51 = sub_401220(&flag[14], 1); 
68 v52 = mul_401100(v51, -294967296); 69 v53 = add_401000(v52, 55); 70 sub_401220(v53, 3); 71 v54 = add_401000(&flag[15], 1); 72 v55 = add_401000(v54, 2); 73 v56 = add_401000(v55, 3); 74 v57 = add_401000(v56, 4); 75 v58 = add_401000(v57, 5); 76 v59 = add_401000(v58, 6); 77 v60 = add_401000(v59, 7); 78 add_401000(v60, 20); 79 v61 = mul_401100(&flag[16], 10); 80 v62 = sub_401220(v61, 5); 81 v63 = mul_401100(v62, 8); 82 v64 = add_401000(v63, 9); 83 add_401000(v64, 48); 84 v65 = add_401000(&flag[17], 7); 85 v66 = add_401000(v65, 6); 86 v67 = add_401000(v66, 5); 87 v68 = add_401000(v67, 4); 88 v69 = add_401000(v68, 3); 89 v70 = add_401000(v69, 2); 90 v71 = add_401000(v70, 1); 91 add_401000(v71, 20); 92 v72 = add_401000(&flag[18], 7); 93 v73 = add_401000(v72, 2); 94 v74 = add_401000(v73, 4); 95 v75 = add_401000(v74, 3); 96 v76 = add_401000(v75, 6); 97 v77 = add_401000(v76, 5); 98 v78 = add_401000(v77, 1); 99 add_401000(v78, 20); 100 v79 = mul_401100(&flag[19], 1000000); 101 v80 = sub_401220(v79, 999999); 102 v81 = mul_401100(v80, 4); 103 v82 = add_401000(v81, 50); 104 sub_401220(v82, 1); 105 v83 = sub_401220(&flag[20], 1); 106 v84 = mul_401100(v83, -294967296); 107 v85 = add_401000(v84, 49); 108 sub_401220(v85, 1); 109 v86 = sub_401220(&flag[21], 1); 110 v87 = mul_401100(v86, 1000000000); 111 v88 = add_401000(v87, 54); 112 v89 = sub_401220(v88, 1); 113 v90 = add_401000(v89, 1000000000); 114 sub_401220(v90, 1000000000); 115 v91 = add_401000(&flag[22], 49); 116 v92 = sub_401220(v91, 1); 117 v93 = add_401000(v92, 2); 118 sub_401220(v93, 1); 119 v94 = mul_401100(&flag[23], 10); 120 v95 = sub_401220(v94, 5); 121 v96 = mul_401100(v95, 8); 122 v97 = add_401000(v96, 9); 123 add_401000(v97, 48); 124 v98 = add_401000(&flag[24], 1); 125 v99 = add_401000(v98, 3); 126 v100 = add_401000(v99, 3); 127 v101 = add_401000(v100, 3); 128 v102 = add_401000(v101, 6); 129 v103 = add_401000(v102, 6); 130 v104 = add_401000(v103, 6); 131 add_401000(v104, 20); 132 v105 = add_401000(&flag[25], 55); 
133 v106 = sub_401220(v105, 33); 134 v107 = add_401000(v106, 44); 135 v108 = sub_401220(v107, 11); 136 add_401000(v108, 42); 137 add_401000(&flag[26], flag[25]); 138 add_401000(&flag[27], flag[12]); 139 v109 = flag[27]; 140 v110 = sub_401220(&flag[28], 1); 141 v111 = add_401000(v110, v109); 142 sub_401220(v111, 1); 143 v112 = flag[23]; 144 v113 = sub_401220(&flag[29], 1); 145 v114 = mul_401100(v113, 1000000); 146 add_401000(v114, v112); 147 v115 = flag[27]; 148 v116 = add_401000(&flag[30], 1); 149 mul_401100(v116, v115); 150 add_401000(&flag[31], flag[30]); 151 print_401C7F("CTF{"); 152 for ( j = 0; j < 32; ++j ) 153 print_401C7F("%c", SLOBYTE(flag[j])); 154 print_401C7F("}\n"); 155 return 0; 156 }
这道题目的关键就在于如何识别出上面这些函数的作用
/*
 * Decompiled (IDA) body of the "multiply" primitive: leaves a2 * (*a1) in
 * *a1 and returns a1.  The product is built by calling add_401000 a2 times
 * on a local accumulator (v8); everything else is padding that only burns
 * time.  NOTE(review): both loops count a signed int through zero by
 * wrapping, i.e. they rely on 32-bit two's-complement wraparound (signed
 * overflow, UB in C, but what the binary does).  The net effect is
 * "*a1 * a2 mod 2^32"; a negative a2 such as -294967296 simply means
 * 4000000000 iterations of the first loop, not a signed multiply.
 */
_DWORD *__cdecl mul_401100(_DWORD *a1, int a2)
{
  int v2; // ST20_4
  signed int v4; // [esp+Ch] [ebp-1Ch]
  int v5; // [esp+14h] [ebp-14h]
  int v6; // [esp+18h] [ebp-10h]
  int v7; // [esp+1Ch] [ebp-Ch]
  int v8; // [esp+20h] [ebp-8h]

  v5 = *a1;
  v6 = a2;
  v4 = -1;
  v8 = 0;         // accumulator: ends up holding *a1 * a2 (mod 2^32)
  v7 = a2 * v5;
  while ( a2 )    // add *a1 to v8 a2 times -> v8 == *a1 * a2; v2/v6/v7 are dead
  {
    v2 = v7 * v5;
    add_401000(&v8, *a1);
    ++v7;
    --a2;
    v6 = v2 - 1;
  }
  while ( v4 )    // v4 = -1 wraps to 0 after 2^32-1 steps: *a1 net -1 (mod 2^32)
  {
    ++v7;
    ++*a1;
    --v4;
    --v6;
  }
  ++*a1;          // undoes the -1 above; the value is then overwritten anyway
  *a1 = v8;
  return a1;
}
/*
 * Decompiled (IDA) body of the "add" primitive: leaves *a1 + a2 in *a1 and
 * returns a1.  v4 starts at -a2, so the first loop either runs -a2 times
 * (a2 < 0) or wraps from a negative count up through 0 (a2 > 0); either way
 * it decrements *a1 by -a2 modulo 2^32.  v2, v6 and v7 are dead.
 * NOTE(review): termination depends on signed wraparound, which is UB in C
 * but is how the 32-bit binary actually behaves -- do not expect a
 * recompiled copy to finish.
 */
int *__cdecl add_401000(int *a1, int a2)
{
  int v2; // edx
  int v4; // [esp+Ch] [ebp-18h]
  int v5; // [esp+10h] [ebp-14h]
  int v6; // [esp+18h] [ebp-Ch]
  signed int v7; // [esp+1Ch] [ebp-8h]

  v5 = -1;
  v4 = -1 - a2 + 1;   // == -a2
  v7 = 1231;
  v2 = *a1;
  v6 = a2 + 1231;
  while ( v4 )        // net effect: *a1 -= (-a2), i.e. *a1 += a2 (mod 2^32)
  {
    ++v7;
    --*a1;
    --v4;
    --v6;
  }
  while ( v5 )        // v5 = -1 wraps to 0 after 2^32-1 steps: *a1 net -1 (mod 2^32)
  {
    --v6;
    ++*a1;
    --v5;
  }
  ++*a1;              // cancels the -1 of the loop above; *a1 is back to (*a1 + a2)
  return a1;
}
/*
 * Decompiled (IDA) body of the "subtract" primitive: leaves *a1 - a2 in *a1
 * and returns a1.  Mirror image of add_401000: v3 = -a2 counts the first
 * loop, which increments *a1 by -a2 modulo 2^32 (wrapping when a2 > 0).
 * v5/v6 only feed a dead multiply chain.  NOTE(review): relies on signed
 * wraparound (UB in C, wraparound in the 32-bit binary).
 */
_DWORD *__cdecl sub_401220(_DWORD *a1, int a2)
{
  int v3; // [esp+8h] [ebp-10h]
  signed int v4; // [esp+Ch] [ebp-Ch]
  signed int v5; // [esp+14h] [ebp-4h]
  int v6; // [esp+14h] [ebp-4h]

  v4 = -1;
  v3 = -1 - a2 + 1;   // == -a2
  v5 = -1;
  while ( v3 )        // net effect: *a1 += (-a2), i.e. *a1 -= a2 (mod 2^32)
  {
    ++*a1;
    --v3;
    --v5;
  }
  v6 = v5 * v5;
  while ( v4 )        // v4 = -1 wraps to 0 after 2^32-1 steps: *a1 net -1 (mod 2^32)
  {
    v6 *= 123;
    ++*a1;
    --v4;
  }
  ++*a1;              // cancels the -1 of the loop above; *a1 is back to (*a1 - a2)
  return a1;
}
wp:
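"""Re-implementation of Newbie_calculations' flag computation.

The binary builds 32 flag bytes with three helpers whose only real effect is
+, - and * on a 32-bit value (everything else in them is time-wasting loops).
Re-implementing the helpers directly makes the program finish instantly.

Two details of the binary are reproduced on purpose:
  * all arithmetic is on 32-bit DWORDs, so every result is reduced mod 2**32
    (the multiply by -294967296 is really a multiply by 4000000000 mod 2**32);
  * the output loop prints SLOBYTE(flag[j]), i.e. only the low byte of each
    element.
For this particular flag neither detail changes the answer, but masking keeps
the script faithful if the helpers are reused on other inputs.
"""

MASK32 = 0xFFFFFFFF  # width of the _DWORD the binary computes in


def mul_401100(a, b):
    """Return a * b reduced to 32 bits (what mul_401100 leaves in *a1)."""
    return (a * b) & MASK32


def sub_401220(a, b):
    """Return a - b reduced to 32 bits (what sub_401220 leaves in *a1)."""
    return (a - b) & MASK32


def add_401000(a, b):
    """Return a + b reduced to 32 bits (what add_401000 leaves in *a1)."""
    return (a + b) & MASK32


# Every slot starts at 1, exactly like the init loop in main.
flag = [1 for i in range(32)]
print("Your flag is:")

# flag[0..25]: each slot is an independent arithmetic chain on its own value.
v3 = mul_401100(flag[0], 0x3B9ACA00)
v4 = sub_401220(v3, 0x3B9AC9CE)
flag[0] = mul_401100(v4, 2)
v5 = add_401000(flag[1], 0x4C4B40)
v6 = sub_401220(v5, 0x65B9AA)  # goes "negative" here; wraps back on the next add
v7 = add_401000(v6, 1666666)
v8 = add_401000(v7, 45)
v9 = mul_401100(v8, 2)
flag[1] = add_401000(v9, 5)
v10 = mul_401100(flag[2], 0x3B9ACA00)
v11 = sub_401220(v10, 999999950)
v12 = mul_401100(v11, 2)
flag[2] = add_401000(v12, 2)
v13 = add_401000(flag[3], 55)
v14 = sub_401220(v13, 3)
v15 = add_401000(v14, 4)
flag[3] = sub_401220(v15, 1)
v16 = mul_401100(flag[4], 100000000)
v17 = sub_401220(v16, 99999950)
v18 = mul_401100(v17, 2)
flag[4] = add_401000(v18, 2)
v19 = sub_401220(flag[5], 1)
v20 = mul_401100(v19, 1000000000)
v21 = add_401000(v20, 55)
flag[5] = sub_401220(v21, 3)
v22 = mul_401100(flag[6], 1000000)
v23 = sub_401220(v22, 999975)
flag[6] = mul_401100(v23, 4)
v24 = add_401000(flag[7], 55)
v25 = sub_401220(v24, 33)
v26 = add_401000(v25, 44)
flag[7] = sub_401220(v26, 11)
v27 = mul_401100(flag[8], 10)
v28 = sub_401220(v27, 5)
v29 = mul_401100(v28, 8)
flag[8] = add_401000(v29, 9)
v30 = add_401000(flag[9], 0)
v31 = sub_401220(v30, 0)
v32 = add_401000(v31, 11)
v33 = sub_401220(v32, 11)
flag[9] = add_401000(v33, 53)
v34 = add_401000(flag[10], 49)
v35 = sub_401220(v34, 2)
v36 = add_401000(v35, 4)
flag[10] = sub_401220(v36, 2)
v37 = mul_401100(flag[11], 1000000)
v38 = sub_401220(v37, 999999)
v39 = mul_401100(v38, 4)
flag[11] = add_401000(v39, 50)
v40 = add_401000(flag[12], 1)
v41 = add_401000(v40, 1)
v42 = add_401000(v41, 1)
v43 = add_401000(v42, 1)
v44 = add_401000(v43, 1)
v45 = add_401000(v44, 1)
v46 = add_401000(v45, 10)
flag[12] = add_401000(v46, 32)
v47 = mul_401100(flag[13], 10)
v48 = sub_401220(v47, 5)
v49 = mul_401100(v48, 8)
v50 = add_401000(v49, 9)
flag[13] = add_401000(v50, 48)
v51 = sub_401220(flag[14], 1)
v52 = mul_401100(v51, -294967296)  # == 4000000000 mod 2**32; v51 is 0 anyway
v53 = add_401000(v52, 55)
flag[14] = sub_401220(v53, 3)
v54 = add_401000(flag[15], 1)
v55 = add_401000(v54, 2)
v56 = add_401000(v55, 3)
v57 = add_401000(v56, 4)
v58 = add_401000(v57, 5)
v59 = add_401000(v58, 6)
v60 = add_401000(v59, 7)
flag[15] = add_401000(v60, 20)
v61 = mul_401100(flag[16], 10)
v62 = sub_401220(v61, 5)
v63 = mul_401100(v62, 8)
v64 = add_401000(v63, 9)
flag[16] = add_401000(v64, 48)
v65 = add_401000(flag[17], 7)
v66 = add_401000(v65, 6)
v67 = add_401000(v66, 5)
v68 = add_401000(v67, 4)
v69 = add_401000(v68, 3)
v70 = add_401000(v69, 2)
v71 = add_401000(v70, 1)
flag[17] = add_401000(v71, 20)
v72 = add_401000(flag[18], 7)
v73 = add_401000(v72, 2)
v74 = add_401000(v73, 4)
v75 = add_401000(v74, 3)
v76 = add_401000(v75, 6)
v77 = add_401000(v76, 5)
v78 = add_401000(v77, 1)
flag[18] = add_401000(v78, 20)
v79 = mul_401100(flag[19], 1000000)
v80 = sub_401220(v79, 999999)
v81 = mul_401100(v80, 4)
v82 = add_401000(v81, 50)
flag[19] = sub_401220(v82, 1)
v83 = sub_401220(flag[20], 1)
v84 = mul_401100(v83, -294967296)  # same 32-bit multiply as for flag[14]
v85 = add_401000(v84, 49)
flag[20] = sub_401220(v85, 1)
v86 = sub_401220(flag[21], 1)
v87 = mul_401100(v86, 1000000000)
v88 = add_401000(v87, 54)
v89 = sub_401220(v88, 1)
v90 = add_401000(v89, 1000000000)
flag[21] = sub_401220(v90, 1000000000)
v91 = add_401000(flag[22], 49)
v92 = sub_401220(v91, 1)
v93 = add_401000(v92, 2)
flag[22] = sub_401220(v93, 1)
v94 = mul_401100(flag[23], 10)
v95 = sub_401220(v94, 5)
v96 = mul_401100(v95, 8)
v97 = add_401000(v96, 9)
flag[23] = add_401000(v97, 48)
v98 = add_401000(flag[24], 1)
v99 = add_401000(v98, 3)
v100 = add_401000(v99, 3)
v101 = add_401000(v100, 3)
v102 = add_401000(v101, 6)
v103 = add_401000(v102, 6)
v104 = add_401000(v103, 6)
flag[24] = add_401000(v104, 20)
v105 = add_401000(flag[25], 55)
v106 = sub_401220(v105, 33)
v107 = add_401000(v106, 44)
v108 = sub_401220(v107, 11)
flag[25] = add_401000(v108, 42)

# flag[26..31] read earlier slots (25, 12, 27, 23, 30), so order matters here.
flag[26] = add_401000(flag[26], flag[25])
flag[27] = add_401000(flag[27], flag[12])
v109 = flag[27]
v110 = sub_401220(flag[28], 1)
v111 = add_401000(v110, v109)
flag[28] = sub_401220(v111, 1)
v112 = flag[23]
v113 = sub_401220(flag[29], 1)
v114 = mul_401100(v113, 1000000)
flag[29] = add_401000(v114, v112)
v115 = flag[27]
v116 = add_401000(flag[30], 1)
flag[30] = mul_401100(v116, v115)
flag[31] = add_401000(flag[31], flag[30])

# The binary prints SLOBYTE(flag[j]): only the low byte of each DWORD.
print("CTF{" + ''.join(chr(c & 0xFF) for c in flag) + "}")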
Your flag is:
CTF{daf8f4d816261a41a115052a1bc21ade}