XCTF攻防世界-Reverse-Shuffle

"本文通过IDA反编译揭示了一个CTF挑战的解题步骤,涉及字符数组操作和未加密字符串。核心内容是利用时间戳和PID生成随机数,还原初始字符串SECCON{WelcometotheSECCON2014CTF!}
摘要由CSDN通过智能技术生成

很简单的一道题。
用IDA打开,反编译主函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  time_t v3; // ebx
  __pid_t v4; // eax
  unsigned int v5; // ST18_4
  unsigned int v6; // ST1C_4
  char v7; // ST20_1
  signed int i; // [esp+14h] [ebp-44h]
  char s; // [esp+24h] [ebp-34h]
  char v11; // [esp+25h] [ebp-33h]
  char v12; // [esp+26h] [ebp-32h]
  char v13; // [esp+27h] [ebp-31h]
  char v14; // [esp+28h] [ebp-30h]
  char v15; // [esp+29h] [ebp-2Fh]
  char v16; // [esp+2Ah] [ebp-2Eh]
  char v17; // [esp+2Bh] [ebp-2Dh]
  char v18; // [esp+2Ch] [ebp-2Ch]
  char v19; // [esp+2Dh] [ebp-2Bh]
  char v20; // [esp+2Eh] [ebp-2Ah]
  char v21; // [esp+2Fh] [ebp-29h]
  char v22; // [esp+30h] [ebp-28h]
  char v23; // [esp+31h] [ebp-27h]
  char v24; // [esp+32h] [ebp-26h]
  char v25; // [esp+33h] [ebp-25h]
  char v26; // [esp+34h] [ebp-24h]
  char v27; // [esp+35h] [ebp-23h]
  char v28; // [esp+36h] [ebp-22h]
  char v29; // [esp+37h] [ebp-21h]
  char v30; // [esp+38h] [ebp-20h]
  char v31; // [esp+39h] [ebp-1Fh]
  char v32; // [esp+3Ah] [ebp-1Eh]
  char v33; // [esp+3Bh] [ebp-1Dh]
  char v34; // [esp+3Ch] [ebp-1Ch]
  char v35; // [esp+3Dh] [ebp-1Bh]
  char v36; // [esp+3Eh] [ebp-1Ah]
  char v37; // [esp+3Fh] [ebp-19h]
  char v38; // [esp+40h] [ebp-18h]
  char v39; // [esp+41h] [ebp-17h]
  char v40; // [esp+42h] [ebp-16h]
  char v41; // [esp+43h] [ebp-15h]
  char v42; // [esp+44h] [ebp-14h]
  char v43; // [esp+45h] [ebp-13h]
  char v44; // [esp+46h] [ebp-12h]
  char v45; // [esp+47h] [ebp-11h]
  char v46; // [esp+48h] [ebp-10h]
  char v47; // [esp+49h] [ebp-Fh]
  char v48; // [esp+4Ah] [ebp-Eh]
  char v49; // [esp+4Bh] [ebp-Dh]
  unsigned int v50; // [esp+4Ch] [ebp-Ch]

  v50 = __readgsdword(0x14u);
  s = 83;
  v11 = 69;
  v12 = 67;
  v13 = 67;
  v14 = 79;
  v15 = 78;
  v16 = 123;
  v17 = 87;
  v18 = 101;
  v19 = 108;
  v20 = 99;
  v21 = 111;
  v22 = 109;
  v23 = 101;
  v24 = 32;
  v25 = 116;
  v26 = 111;
  v27 = 32;
  v28 = 116;
  v29 = 104;
  v30 = 101;
  v31 = 32;
  v32 = 83;
  v33 = 69;
  v34 = 67;
  v35 = 67;
  v36 = 79;
  v37 = 78;
  v38 = 32;
  v39 = 50;
  v40 = 48;
  v41 = 49;
  v42 = 52;
  v43 = 32;
  v44 = 67;
  v45 = 84;
  v46 = 70;
  v47 = 33;
  v48 = 125;
  v49 = 0;
  v3 = time(0);
  v4 = getpid();
  srand(v3 + v4);
  for ( i = 0; i <= 99; ++i )
  {
    v5 = rand() % 40u;
    v6 = rand() % 40u;
    v7 = *(&s + v5);
    *(&s + v5) = *(&s + v6);
    *(&s + v6) = v7;
  }
  puts(&s);
  return 0;
}

其实flag就是未经过for循环处理的s字符串。
题目描述也给出了提示:找到字符串在随机化之前.
编写python脚本把ASCII码转换为字符串:

s = [83,69,67,67,79,78,123,87,101,108,99,111,109,101,32,116,111,
    32,116,104,101,32,83,69,67,67,79,78,32,50,48,49,52,32,67,84,70,33,125]
x = ''
for i in range(len(s)):
    x += chr(s[i])
print(x)

SECCON{Welcome to the SECCON 2014 CTF!}

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值