A novice, if any error (insufficient) please correct me, thank you! !
Personal blog: Click to enter
Topic links: [GUET-CTF2019] number_game
IDA64 loading position, into the main function
function sub_4006D6 () function is to validate the user input and the length of the character range
Analyzing conditions looked sub_400917 () function, distinct and regular 5x5 sudoku
look sub_400881 (v7) function
25 as the number of the replacement value for the number # of v7
dozens final conversion of input V7 is dozens of
elapsed between sub_400758 () and sub_400807 () two functions.
These two functions using recursion, I really looked at the problem-solving ignorant force will not write the script. .
This line determines the breakpoints in the user input
and the movable transfer operation, the input 0123456789just ten numbers, enter, the program is broken down
F8 single step, when the implementation of the line when jz
modify z flag so that it can perform the following codes ( range because the input character does not Well)
continues to step F8, perform functions such as preventing two recursive
Double-V7. To the corresponding stack address.
Found under the subject of correspondence.
First calculate the number of columns of 5 * 5
dozens were derived alternative0,4,2,1,4,2,1,4,3,0
Write the script calculation flag
#include <stdio.h>
int main()
{
char arr[] = { 48, 52, 50, 49, 52, 50, 49, 52, 51, 48,0 };
int i,biao[] = { 7,3,8,1,9,4,0,5,2,6 };
char input[11] = { 0 };
for (i = 0; i < 10; i++)
input[biao[i]] = arr[i];
printf("flag{%s}", input);
return 0;
}
To get flagflag{1134240024}
