攻防世界 Shuffle dmd-50
1、拖进ida,分析main函数,可以看到for后面的代码
// Hex-Rays pseudocode: one small integer constant is stored per variable (s, then v11..v49).
// Every value except the final 0 is a printable ASCII code, so read in order they look like
// the characters of a single string.
// NOTE(review): presumably s and v11..v49 are adjacent stack slots of one char buffer; that is
// inferred from the naming and is not shown in this excerpt.
s = 83;
v11 = 69;
v12 = 67;
v13 = 67;
v14 = 79;
v15 = 78;
v16 = 123; // ASCII '{'
v17 = 87;
v18 = 101;
v19 = 108;
v20 = 99;
v21 = 111;
v22 = 109;
v23 = 101;
v24 = 32; // ASCII space
v25 = 116;
v26 = 111;
v27 = 32;
v28 = 116;
v29 = 104;
v30 = 101;
v31 = 32;
v32 = 83;
v33 = 69;
v34 = 67;
v35 = 67;
v36 = 79;
v37 = 78;
v38 = 32;
v39 = 50;
v40 = 48;
v41 = 49;
v42 = 52;
v43 = 32;
v44 = 67;
v45 = 84;
v46 = 70;
v47 = 33;
v48 = 125; // ASCII '}'
v49 = 0; // 0 after the last character: presumably the string's NUL terminator
在 IDA 中选中数字后按 R 键,可以直接把数字转换成对应的字符
// The same assignments with each constant shown as a character literal.
// Read top to bottom, the literals spell the string one character per variable.
s = 'S';
v11 = 'E';
v12 = 'C';
v13 = 'C';
v14 = 'O';
v15 = 'N';
v16 = '{'; // opening brace of the flag body
v17 = 'W';
v18 = 'e';
v19 = 'l';
v20 = 'c';
v21 = 'o';
v22 = 'm';
v23 = 'e';
v24 = ' ';
v25 = 't';
v26 = 'o';
v27 = ' ';
v28 = 't';
v29 = 'h';
v30 = 'e';
v31 = ' ';
v32 = 'S';
v33 = 'E';
v34 = 'C';
v35 = 'C';
v36 = 'O';
v37 = 'N';
v38 = ' ';
v39 = '2';
v40 = '0';
v41 = '1';
v42 = '4';
v43 = ' ';
v44 = 'C';
v45 = 'T';
v46 = 'F';
v47 = '!';
v48 = '}'; // closing brace of the flag body
v49 = '\0'; // terminator: the string ends here
连起来就可以得到flag!
SECCON{Welcome to the SECCON 2014 CTF!}
2、dmd-50
首先拖进ida查看(必须是64位)
// Excerpt from the decompiled main(): the function header and the code that sets v41 are not
// part of this listing.
// The condition compares the 32 bytes v41[0..31] one by one against hard-coded constants.
// Every constant is the ASCII code of a character in '0'-'9' or 'a'-'f', so the expected value
// is a 32-character lowercase hex string. A single mismatching byte takes the failure branch.
if ( *v41 != 55
|| v41[1] != 56
|| v41[2] != 48
|| v41[3] != 52
|| v41[4] != 51
|| v41[5] != 56
|| v41[6] != 100
|| v41[7] != 53
|| v41[8] != 98
|| v41[9] != 54
|| v41[10] != 101
|| v41[11] != 50
|| v41[12] != 57
|| v41[13] != 100
|| v41[14] != 98
|| v41[15] != 48
|| v41[16] != 56
|| v41[17] != 57
|| v41[18] != 56
|| v41[19] != 98
|| v41[20] != 99
|| v41[21] != 52
|| v41[22] != 102
|| v41[23] != 48
|| v41[24] != 50
|| v41[25] != 50
|| v41[26] != 53
|| v41[27] != 57
|| v41[28] != 51
|| v41[29] != 53
|| v41[30] != 99
|| v41[31] != 48 )
{
// Failure branch: the chained single-character writes to std::cout spell "Invalid Key! :(",
// followed by std::endl. Writing the message one character at a time keeps it from appearing
// as one contiguous string literal in this listing.
v23 = std::operator<<<std::char_traits<char>>(&std::cout, 'I');
v24 = std::operator<<<std::char_traits<char>>(v23, 'n');
v25 = std::operator<<<std::char_traits<char>>(v24, 'v');
v26 = std::operator<<<std::char_traits<char>>(v25, 'a');
v27 = std::operator<<<std::char_traits<char>>(v26, 'l');
v28 = std::operator<<<std::char_traits<char>>(v27, 'i');
v29 = std::operator<<<std::char_traits<char>>(v28, 'd');
v30 = std::operator<<<std::char_traits<char>>(v29, ' ');
v31 = std::operator<<<std::char_traits<char>>(v30, 'K');
v32 = std::operator<<<std::char_traits<char>>(v31, 'e');
v33 = std::operator<<<std::char_traits<char>>(v32, 'y');
v34 = std::operator<<<std::char_traits<char>>(v33, '!');
v35 = std::operator<<<std::char_traits<char>>(v34, ' ');
v36 = std::operator<<<std::char_traits<char>>(v35, ':');
v37 = std::operator<<<std::char_traits<char>>(v36, '(');
std::ostream::operator<<(v37, &std::endl<char,std::char_traits<char>>);
result = 0;
}
else
{
// Success branch: the chained writes spell "The key is valid :)", followed by std::endl.
v3 = std::operator<<<std::char_traits<char>>(&std::cout, 'T');
v4 = std::operator<<<std::char_traits<char>>(v3, 'h');
v5 = std::operator<<<std::char_traits<char>>(v4, 'e');
v6 = std::operator<<<std::char_traits<char>>(v5, ' ');
v7 = std::operator<<<std::char_traits<char>>(v6, 'k');
v8 = std::operator<<<std::char_traits<char>>(v7, 'e');
v9 = std::operator<<<std::char_traits<char>>(v8, 'y');
v10 = std::operator<<<std::char_traits<char>>(v9, ' ');
v11 = std::operator<<<std::char_traits<char>>(v10, 'i');
v12 = std::operator<<<std::char_traits<char>>(v11, 's');
v13 = std::operator<<<std::char_traits<char>>(v12, ' ');
v14 = std::operator<<<std::char_traits<char>>(v13, 'v');
v15 = std::operator<<<std::char_traits<char>>(v14, 'a');
v16 = std::operator<<<std::char_traits<char>>(v15, 'l');
v17 = std::operator<<<std::char_traits<char>>(v16, 'i');
v18 = std::operator<<<std::char_traits<char>>(v17, 'd');
v19 = std::operator<<<std::char_traits<char>>(v18, ' ');
v20 = std::operator<<<std::char_traits<char>>(v19, ':');
v21 = std::operator<<<std::char_traits<char>>(v20, ')');
std::ostream::operator<<(v21, &std::endl<char,std::char_traits<char>>);
result = 0;
}
// Both branches set result to 0, so the return value does not show whether the key matched;
// only the printed message differs.
return result;
}
if后面的代码和上面的shuffle非常像,尝试摁R键转字符失败,下面可以写一个简单的代码来转字符
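# ASCII codes that the decompiled check compares against v41[0]..v41[31], in index order.
s = [55,56,48,52,51,56,100,53,98,54,101,50,57,100,98,48,56,57,56,98,99,52,102,48,50,50,53,57,51,53,99,48]
# Decode every code to its character and join them into the expected 32-character string.
# (The loop body in the pasted version had lost its indentation and would not run as written.)
end = ''.join(chr(i) for i in s)
print(end)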
得到780438d5b6e29db0898bc4f0225935c0
根据main函数中
// Excerpt from the decompiled main(): reads the key, hashes it once with md5(), and leaves v41
// pointing at the characters of the result.
v43 = __readfsqword(0x28u); // reads a qword at fs:0x28; presumably the stack-protector canary (TODO confirm)
std::operator<<<std::char_traits<char>>(&std::cout, "Enter the valid key!\n", envp);
// Reads the key into v42. "&edata" is presumably std::cin as labelled by the decompiler.
// NOTE(review): v42 looks like a raw char buffer (the next-but-one line passes it to a std::string
// constructor together with an allocator). operator>> into a char array has no length bound
// unless a width is set, so an over-long key could overflow it; v42's size is not visible here.
std::operator>><char,std::char_traits<char>>(&edata, &v42);
std::allocator<char>::allocator(&v38);
std::string::string(&v39, &v42, &v38); // v39 = std::string built from the key in v42
md5(&v40, &v39); // the only md5() call in this excerpt: v40 receives md5(v39), presumably as hex text
v41 = (_BYTE *)std::string::c_str((std::string *)&v40); // v41 points into v40's character data
// NOTE(review): v40 is destroyed on the next line, so v41 dangles from here on. If the
// byte-by-byte comparison of v41 runs after this point (order inferred, not shown in this
// excerpt), it reads memory that has already been released.
std::string::~string((std::string *)&v40);
std::string::~string((std::string *)&v39);
std::allocator<char>::~allocator(&v38);
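推测用的是 MD5 算法(严格来说 MD5 是单向哈希,不是加密):程序对输入的 key 只调用了一次 md5(),再把结果与上面得到的 780438d5b6e29db0898bc4f0225935c0 逐字节比较。
根据 md5(md5($pass)) 这一类型(推测来自对该值的 MD5 反查结果),可得出这个值是对明文 grape 连续做两次 MD5 得到的。
因此需要输入的 key 是对 grape 只做一次 MD5 的结果,它再经过程序里的那一次 md5() 正好等于上面的值,这就是 flag:b781cbb29054db12f88f08c6e161c199
这也说明把未加盐的 MD5 值硬编码在程序里做校验并不可靠:短口令的 MD5 很容易被反查出来。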
具体密文的格式说明: