tinyctf-2014
elrond32
1 int __cdecl main(int a1, char **arg_input) 2 { 3 if ( a1 > 1 && check_8048414(arg_input[1], 0) ) 4 { 5 puts("Access granted"); 6 print_flag_8048538((int)arg_input[1]); 7 } 8 else 9 { 10 puts("Access denied"); 11 } 12 return 0; 13 }
关注check_8048414函数和print_flag_8048538函数
1 signed int __cdecl sub_8048414(_BYTE *a1, int a2) 2 { 3 signed int result; // eax 4 5 switch ( a2 ) 6 { 7 case 0: 8 if ( *a1 == 'i' ) 9 goto LABEL_19; 10 result = 0; 11 break; 12 case 1: 13 if ( *a1 == 'e' ) 14 goto LABEL_19; 15 result = 0; 16 break; 17 case 3: 18 if ( *a1 == 'n' ) 19 goto LABEL_19; 20 result = 0; 21 break; 22 case 4: 23 if ( *a1 == 'd' ) 24 goto LABEL_19; 25 result = 0; 26 break; 27 case 5: 28 if ( *a1 == 'a' ) 29 goto LABEL_19; 30 result = 0; 31 break; 32 case 6: 33 if ( *a1 == 'g' ) 34 goto LABEL_19; 35 result = 0; 36 break; 37 case 7: 38 if ( *a1 == 's' ) 39 goto LABEL_19; 40 result = 0; 41 break; 42 case 9: 43 if ( *a1 == 'r' ) 44 LABEL_19: 45 result = check_8048414(a1 + 1, 7 * (a2 + 1) % 11);// arg2-->0 7 1 3 6 5 9 4 46 else 47 result = 0; 48 break; 49 default: 50 result = 1; 51 break; 52 } 53 return result; 54 }
上面函数验证输入
输出flag函数print_flag_8048538:
1 int __cdecl print_flag_8048538(int a1) 2 { 3 int v2[33]; // [esp+18h] [ebp-A0h] 4 int i; // [esp+9Ch] [ebp-1Ch] 5 6 qmemcpy(v2, data_8048760, sizeof(v2)); 7 for ( i = 0; i <= 32; ++i ) 8 putchar(v2[i] ^ *(char *)(a1 + i % 8)); 9 return putchar(10);
wp:
1 a='ie ndags r' 2 x=0 3 s=[] 4 for i in range(8): 5 x=7*x%11 6 s.append(a[x]) 7 x+=1 8 print(''.join(s)) 9 data=[15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20] 10 for i in range(33): 11 print(chr(ord(s[i%8])^data[i]),end='')
isengard
flag{s0me7hing_S0me7hinG_t0lki3n}