A cat cat, facing the wp recurrence of the big guys (so difficult... my good dish 5555)
refer to the official wp and the big guy’s article
REVERSE-COMPETITION-NEPCTF
Title link:
Link: https://pan.baidu.com/s/1PzZ7uYlxSHjj9L7-iuWqjQ
Extraction code: 8lw2 After
copying this content, open the Baidu Netdisk mobile app, which is more convenient for operation
No shell, ida32-bit open, cross-reference string plz input right num:\n:
comes to the sub_4010A0()
function
void __noreturn sub_4010A0()
{
__int64 v0; // rax
char Dst; // [esp+0h] [ebp-108h]
memset(&Dst, 0, 0xFFu);
dword_403378 = (int)malloc(8u);
Memory = (void *)dword_403378;
*(_DWORD *)(dword_403378 + 4) = 0;
sub_401020("plz input right num:\n", Dst);
sub_401060("%s", (unsigned int)&Dst);
v0 = atoi64(&Dst); // 将输入的字符转换为整型数字
sub_401120(v0, HIDWORD(v0)); // 对输入进行变换和检查
}
Enter sub_401120
Here to popularize
HIDWORD: refers to the low-order
LODWORD: refers to the high-order . Explanation of
line 13 About sub_401F00
the explanation
of v3==Fb72>&6,
we found the word “flag right” in the string window before, and after jumping over it I found that the last is to judge aFb726 and
look up and find that
double-click aFb726 to get Fb72>&6
View byte_402194
2163qwe)(*&^%489$!057@#><A
The sub_401160() in line 17 should be compared, and the content of the comparison is v3
Ready to write script
arr="2163qwe)(*&^%489$!057@#><A"
v3="Fb72>&6"
flag=[]
for i in range(len(v3)):
v4=chr(ord(v3[i])^7)
index=arr.find(v4)
flag.append(index)
sum=0
for i in range(len(flag)-1,0,-1):
sum=(flag[i]+sum)*26
sum+=flag[0]
print(sum)
The result is:
flag: Nep{md5(518100101)}
The following is the official source code of this question
源码:
#include<stdio.h>
#include<stdlib.h>
#include<windows.h>
/*
进制加密的思路input_data: 518100101
加密后的数据: Fb72>&6
*/
const char jinzhi_table[] = "2163qwe)(*&^%489$!057@#><A";
const int jz = 26;
char key[] = {
"Fb72>&6" };
struct node {
char data;
struct node* next;
}*head, * cur_node;
void check_the_flag(); // 检查flag 是否正确
//void wrong();
//void right();
void linklist_add(char i);
void base_conversion(long long int n);
int del_linked(int sum);
int v6 = 0;
int main()
{
char input[255] = {
0 };
long long int x;
head = cur_node = (struct node*)malloc(sizeof(struct node));
cur_node->next = NULL;
printf("plz input right num:\n");
scanf_s("%s", input, 32);
x = _atoi64(input);
base_conversion(x);
return 0;
}
void base_conversion(long long int n)
{
// 进制转换
int i = 0;
char a;
while (n)
{
a = jinzhi_table[n % jz];
n = n / jz;
linklist_add(a ^ 7);
i++;
}check_the_flag();
}
void linklist_add(char i)
{
cur_node->next = (struct node*)malloc(sizeof(struct node));
cur_node->data = i;
cur_node = cur_node->next;
cur_node->next = NULL;
}
void check_the_flag()
{
int i, sum = 0;
struct node* tmp = head;
for (i = 0; i < 8; i++)
{
if (tmp == NULL) {
break;
}
//printf("%c", tmp->data);
if (tmp->data == key[i]) {
sum++;
}
tmp = tmp->next;
}
// 链表释放内存
int code = del_linked(sum);
if (sum != 8) {
/*right();*/
puts("flag is Error!!!");
exit(code);
}
else {
//wrong();
puts("flag is Right!!!, please md5('Nep{you_input_num}') submit th4
flag");
system("pause");
exit(code);
}
}
int del_linked(int sum){
if (head == NULL) {
return -1;
}
int tmp = sum;while (head != NULL) {
cur_node = head;
head = head->next;
free(cur_node);
tmp -= 1;
}
return tmp;
}