XCTF 3rd-NJCTF-2017 first

1.ida打开得到main():

  // IDA pseudocode of main(): seeds a per-thread random delay table, reads the
  // input, runs six hashing threads over 4-byte groups of it, then derives and
  // range-checks the output buffer before printing it. Decompiler artifacts
  // (LOBYTE/BYTE2/__CFADD__, mixed int*/char* indexing) are left as produced.
  1 __int64 __fastcall main(__int64 a1, char **a2, char **a3)
  2 {
  3   __useconds_t *v3; // rbp
  4   unsigned int v4; // eax
  5   int *v5; // rcx
  6   int v6; // edx
  7   unsigned int v7; // eax
  8   bool v8; // zf
  9   signed __int64 v9; // rcx
 10   __int64 v10; // rax
 11   char v11; // bl
 12   char v12; // dl
 13   void (**v13)(void *); // rbp
 14   char *v14; // r12
 15   pthread_t *v15; // r13
 16   void (*v16)(void *); // rdi
 17   unsigned __int64 i; // rcx
 18   char v18; // al
 19   int *v19; // rdx
 20   int v20; // esi
 21   unsigned int v21; // eax
 22   unsigned __int64 v22; // rdx
 23   char *v23; // rax
 24   signed __int64 v24; // rdx
 25   char v25; // di
 26 
 27   v3 = useconds;
 28   v4 = time(0LL);
 29   srand(v4);                    // PRNG seeded with wall-clock time: the delay table below differs on every run
 30   do
 31   {
 32     ++v3;
 33     *(v3 - 1) = 100 * (rand() % 1000);   // useconds[k] = random value in [0, 99900]; start_routine() passes it to usleep()
 34   }
 35   while ( v3 != &unk_602208 );           // unk_602208 is presumably one past the end of the useconds array
 36   __isoc99_scanf("%63s", dword_602180);  // input bounded to 63 bytes (+NUL) by the format width; the threads only ever hash the first 24 bytes (6 groups of 4)
 37   v5 = dword_602180;
 38   do
 39   {
 40     v6 = *v5;
 41     ++v5;
 42     v7 = ~v6 & (v6 - 16843009) & 0x80808080;   // 16843009 == 0x01010101: word-at-a-time zero-byte test, i.e. an inlined strlen() of the input
 43   }
 44   while ( !v7 );
 45   v8 = (v7 & 0x8080) == 0;
 46   if ( !(v7 & 0x8080) )
 47     LOBYTE(v7) = BYTE2(v7);
 48   if ( v8 )
 49     v5 = (v5 + 2);
 50   v9 = v5 - (dword_602180 + __CFADD__(v7, v7) + 3);   // v9 = strlen(input); the __CFADD__ form is how IDA rendered the byte-position fix-up
 51   v10 = 0LL;
 52   v11 = 0;
 53   while ( v9 != v10 )                    // v11 = XOR over (input[k] + k) for every input byte; reused as a key byte in the loop at line 80
 54   {
 55     v12 = *(dword_602180 + v10) + v10;
 56     ++v10;
 57     v11 ^= v12;
 58   }
 59   v13 = &newthread;
 60   v14 = 0LL;
 61   v15 = &newthread;
 62   do
 63   {
 64     if ( pthread_create(v15, 0LL, start_routine, v14) )   // thread argument is the group index 0..5 smuggled through the void* parameter
 65     {
 66       perror("pthread_create");
 67       exit(-1);
 68     }
 69     ++v14;
 70     ++v15;
 71   }
 72   while ( v14 != 6 );
 73   do
 74   {
 75     v16 = *v13;
 76     ++v13;
 77     pthread_join(v16, 0LL);
 78   }
 79   while ( &free != v13 );                // joins all six; "&free" is IDA's name for the address just past newthread[6] (NOTE: inferred from the loop shape)
 80   for ( i = 0LL; ; byte_60221F[i] = v11 ^ byte_6020DF[i] ^ v18 )   // 0x60221F + 1 == 0x602220 and 0x6020DF + 1 == 0x6020E0: read as byte-indexed, after the i++ on line 97 this rewrites result byte (i-1) in place as itself ^ v11 ^ table@0x6020E0[i-1]
 81   {
 82     v19 = dword_602180;
 83     do
 84     {
 85       v20 = *v19;
 86       ++v19;
 87       v21 = ~v20 & (v20 - 16843009) & 0x80808080;   // same inlined strlen() as above, recomputed on every iteration
 88     }
 89     while ( !v21 );
 90     if ( !(~v20 & (v20 - 257) & 0x8080) )
 91       LOBYTE(v21) = (~v20 & (v20 - 16843009) & 0x80808080) >> 16;
 92     if ( !(~v20 & (v20 - 257) & 0x8080) )
 93       v19 = (v19 + 2);
 94     v22 = v19 - (dword_602180 + __CFADD__(v21, v21) + 3);   // v22 = strlen(input): the derive loop runs over every input byte, not just the 24 the threads wrote
 95     if ( v22 <= i )
 96       break;
 97     v18 = *(dword_602220 + i++);         // current thread-result byte (see start_routine: slot order is the mutex arrival order)
 98   }
 99   if ( v22 )
100   {
101     if ( (LOBYTE(dword_602220[0]) - 48) > 74u )   // unsigned compare: only bytes in '0'..'z' (48..122) are accepted
102     {
103 LABEL_32:
104       puts("Badluck! There is no flag");
105       return 0LL;
106     }
107     v23 = dword_602220 + 1;
108     v24 = v22 + 6300192;                 // 6300192 == 0x602220, so v24 = dword_602220 + strlen(input): one past the last derived byte
109     while ( v23 != v24 )                 // same '0'..'z' check for the remaining bytes
110     {
111       v25 = *v23++;
112       if ( (v25 - 48) > 0x4Au )
113         goto LABEL_32;
114     }
115   }
116   __printf_chk(1LL, "Here is the flag:%s\n", dword_602220);   // reached only when every derived byte passed the range check (or the input was empty)
117   return 0LL;
118 }

可以从代码得到:

 1   do
 2   {
 3     if ( pthread_create(v15, 0LL, start_routine, v14) )
 4     {
 5       perror("pthread_create");
 6       exit(-1);
 7     }
 8     ++v14;
 9     ++v15;
10   }
11   while ( v14 != 6 );

在此处创建了6个新的线程。

2.通过gdb的动态调试可以得知,程序把输入的字符串每4个字符分为一组。再加上程序创建了6个线程,可以猜测输入字符串长度为24。

线程代码:

 // IDA pseudocode of the worker thread: hashes one 4-byte group of the input
 // and records the group (or 0) in dword_602220[] under a mutex. a1 carries the
 // group index 0..5 that main() passed through the void* argument.
 1 unsigned __int64 __fastcall start_routine(void *a1)
 2 {
 3   __int64 v1; // rbp
 4   int v2; // ebx
 5   __useconds_t v3; // edi
 6   __int64 v4; // rbx
 7   int v5; // eax
 8   __int64 v6; // rdx
 9   __int64 v8; // [rsp+0h] [rbp-38h]
10   unsigned __int64 v9; // [rsp+18h] [rbp-20h]
11 
12   v1 = a1;                               // group index, used to pick the expected value in qword_602120[]
13   v2 = a1;
14   v3 = useconds[a1];                     // this thread's random delay, filled in by main()
15   v9 = __readfsqword(0x28u);             // stack-protector canary, re-checked at line 29
16   v4 = v2;
17   usleep(v3);                            // random sleep: which thread reaches the mutex first, and therefore the slot order below, changes from run to run
18   pthread_mutex_lock(&mutex);
19   sub_400E10(&dword_602180[v4], 4uLL, &v8);   // hashes the 4 input bytes at byte offset 4*v4 into v8 (the write-up identifies sub_400E10 as MD5 by debugging; v8 is the 8-byte prefix the script below matches as 16 hex digits)
20   v5 = dword_6021E8;
21 
22   v6 = dword_6021E8;                     // slot = global arrival counter, NOT the group index v1
23   if ( v8 == qword_602120[v1] )          // expected digest prefix for group v1 (little-endian qword, per the write-up)
24     dword_602220[v6] = dword_602180[v4]; // matched: copy the 4-byte group into the next free slot
25   else
26     dword_602220[v6] = 0;                // mismatch: slot is zeroed
27   dword_6021E8 = v5 + 1;                 // counter advanced while still holding the mutex
28   pthread_mutex_unlock(&mutex);
29   return __readfsqword(0x28u) ^ v9;      // usual stack-protector epilogue
30 }

通过gdb调试知道,函数sub_400E10()为MD5哈希函数,传入参数为分组后的字符串中的一组。所以每个线程的功能是把自己那一组字符串做MD5后,再与qword_602120[]数组中对应的项进行对比。如果相等就把这一组字符串赋值给一个全局数组变量,此变量在后面计算flag时会用到。另外qword_602120[]数组按小端序储存,而且第一个线程对比的是qword_602120[0],依此类推。下面通过py脚本爆破出字符串。

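import hashlib
import multiprocessing
import sys

# Expected MD5 prefixes (first 16 hex digits, i.e. the first 8 digest bytes) for
# the six 4-character groups of the input, in the order the binary's
# qword_602120[] table expects them.  answer[5] was transcribed with an
# upper-case 'E'; search_group() lower-cases the target before comparing so it
# still matches hashlib's lower-case hexdigest() output.
answer = ['4746bbbd02bb590f', 'beac2821ece8fc5c', 'ad749265ca7503ef', '4386b38fc12c4227', 'b03ecc45a7ec2da7', 'bE3c5ffe121734e8']

# Characters 2 and 3 of every group range over all printable ASCII.
TAIL = range(32, 127)


def search_group(first, second, idx=0):
    """Brute-force one 4-character group against answer[idx].

    Characters 0 and 1 are drawn from ``first`` and ``second`` (ranges of ASCII
    codes; the cal_* workers each take one cell of that plane so they can run
    in parallel), characters 2 and 3 from TAIL.  Every candidate whose MD5
    hexdigest starts with answer[idx] is printed as soon as it is found.

    Args:
        first: range of ASCII codes tried for character 0.
        second: range of ASCII codes tried for character 1.
        idx: index into ``answer`` of the group being searched.  Defaults to 0,
            which is what the original script hard-coded; the other groups
            needed the source edited by hand.

    Returns:
        list[str]: every matching 4-character string, in search order.

    Raises:
        IndexError: if ``idx`` is outside ``answer``.
    """
    target = answer[idx].lower()  # hexdigest() is always lower-case
    found = []
    for i in first:
        for j in second:
            prefix = chr(i) + chr(j)
            for k in TAIL:
                for l in TAIL:
                    candidate = prefix + chr(k) + chr(l)
                    digest = hashlib.md5(candidate.encode('utf-8')).hexdigest()
                    if digest[0:16] == target:
                        print(candidate)
                        found.append(candidate)
    return found


# The 16 workers split the (character 0, character 1) plane into the same 4x4
# cells the original script used.  Each accepts the group index and returns
# search_group()'s match list; the default keeps the old answer[0] behaviour.
def cal_1(idx=0):
    return search_group(range(32, 50), range(32, 50), idx)


def cal_2(idx=0):
    return search_group(range(50, 75), range(32, 50), idx)


def cal_3(idx=0):
    return search_group(range(75, 100), range(32, 50), idx)


def cal_4(idx=0):
    return search_group(range(100, 127), range(32, 50), idx)


def cal_5(idx=0):
    return search_group(range(32, 50), range(50, 75), idx)


def cal_6(idx=0):
    return search_group(range(50, 75), range(50, 75), idx)


def cal_7(idx=0):
    return search_group(range(75, 100), range(50, 75), idx)


def cal_8(idx=0):
    return search_group(range(100, 127), range(50, 75), idx)


def cal_9(idx=0):
    return search_group(range(32, 50), range(75, 100), idx)


def cal_10(idx=0):
    return search_group(range(50, 75), range(75, 100), idx)


def cal_11(idx=0):
    return search_group(range(75, 100), range(75, 100), idx)


def cal_12(idx=0):
    return search_group(range(100, 127), range(75, 100), idx)


def cal_13(idx=0):
    return search_group(range(32, 50), range(100, 127), idx)


def cal_14(idx=0):
    return search_group(range(50, 75), range(100, 127), idx)


def cal_15(idx=0):
    return search_group(range(75, 100), range(100, 127), idx)


def cal_16(idx=0):
    return search_group(range(100, 127), range(100, 127), idx)


WORKERS = (cal_1, cal_2, cal_3, cal_4, cal_5, cal_6, cal_7, cal_8,
           cal_9, cal_10, cal_11, cal_12, cal_13, cal_14, cal_15, cal_16)


if __name__ == "__main__":
    # The group to crack comes from the command line (default 0) instead of
    # editing answer[0] in the source for each of the six groups.
    group = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    if not 0 <= group < len(answer):
        sys.exit("group index must be in 0..%d" % (len(answer) - 1))
    # Pass the function objects, not their results: the original wrote
    # target=cal_1(), which ran every search sequentially in the parent and
    # handed each Process a None target (and args it could never have used).
    workers = [multiprocessing.Process(target=fn, args=(group,)) for fn in WORKERS]
    for w in workers:
        w.start()
    for w in workers:
        w.join()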

这个脚本一次只能爆破一个分组,需要在爆破完一个分组后手动修改answer[i]中的下标i,依次爆破出6个分组。最后得到输入字符串"juhuhfenlapsiuerhjifdunu"

3.因为此题有多解,需要在linux上用shell运行程序。

运行后得到一堆解,最后根据语义得到flag:goodjobyougetthisflag233


转载自www.cnblogs.com/mio-yy/p/12503124.html