[DASCTF 2023]controlflow
IDA直接反编译,通过汇编代码结合动态调试综合分析,得到输入数据变化过程大致如下:(设输入字符串为 input / str)
- 判断 input 的长度是否为40,之后将 input 复制到 str(int[]) 中,将 str 每一项都异或 0x401u(即1025)
- 将 str 的每个第 i 项都加上 i 的平方
- 将 str 的第 i 项(10≤i<30)异或 j*(j+1),其中 j = i-10(即下方脚本中的 (k-10)*(k-9))
- str 的第 i 项(0≤i<40)都减去 i
- str 的每一个第 i 项(0≤i<40)都乘以 3
- 对于str[i] 10≤i<30 ,两两颠倒位置,即10与11交换,12与13交换…依次类推
- 将 str 与 flag_enc 比较,若相等,输出 “input correct”
// Comparison table taken from the decompiled binary: the 40 values that the
// fully transformed input is checked against. The element type of flag_enc is
// not shown in this excerpt.
flag_enc[0] = 3279;
flag_enc[1] = 3264;
flag_enc[2] = 3324;
flag_enc[3] = 3288;
flag_enc[4] = 3363;
flag_enc[5] = 3345;
flag_enc[6] = 3528;
flag_enc[7] = 3453;
flag_enc[8] = 3498;
flag_enc[9] = 3627;
flag_enc[10] = 3708;
flag_enc[11] = 3675;
flag_enc[12] = 3753;
flag_enc[13] = 3786;
flag_enc[14] = 3930;
flag_enc[15] = 3930;
flag_enc[16] = 4017;
flag_enc[17] = 4173;
flag_enc[18] = 4245;
flag_enc[19] = 4476;
flag_enc[20] = 4989;
flag_enc[21] = 4851;
flag_enc[22] = 5166;
flag_enc[23] = 5148;
flag_enc[24] = 4659;
flag_enc[25] = 4743;
flag_enc[26] = 4596;
flag_enc[27] = 5976;
flag_enc[28] = 5217;
flag_enc[29] = 4650;
flag_enc[30] = 6018;
flag_enc[31] = 6135;
flag_enc[32] = 6417;
flag_enc[33] = 6477;
flag_enc[34] = 6672;
flag_enc[35] = 6891;
flag_enc[36] = 7056;
flag_enc[37] = 7398;
flag_enc[38] = 7650;
flag_enc[39] = 7890;
分析数据处理过程,我们只需将上述5步反过来执行,便可得到正确的 flag,代码如下:
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <cctype>
#include <cmath>
#include <vector>
#include <algorithm>
#include <stack>
#include <set>
#include <map>
#include <ctime>
#include "defs.h"
// #include <bits/stdc++.h>
using namespace std;
typedef long long LL;
typedef long double DD;
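/*
 * Solver for the "controlflow" check: undoes the transformation chain on the
 * 40 target values and prints the recovered input string.
 *
 * Forward order applied by the binary to element i:
 *   ^= 0x401, += i*i, ^= (i-10)*(i-9) for 10 <= i < 30, -= i, *= 3,
 *   then adjacent pairs in [10, 30) are swapped.
 * The steps below apply the inverse of each one, last step first.
 *
 * Returns 0 after printing the decoded string and one leftover debug value.
 */
int main()
{
    // Target values the binary compares the transformed input against.
    int v3[40] = {
        3279, 3264, 3324, 3288, 3363, 3345, 3528, 3453, 3498, 3627,
        3708, 3675, 3753, 3786, 3930, 3930, 4017, 4173, 4245, 4476,
        4989, 4851, 5166, 5148, 4659, 4743, 4596, 5976, 5217, 4650,
        6018, 6135, 6417, 6477, 6672, 6891, 7056, 7398, 7650, 7890
    };
    char input[50];

    // The token read here is not used by the decoding below; the read is kept
    // so the program still consumes one token from stdin as before.
    // Before C++20, operator>> into a char array writes past the end of the
    // buffer on a long token unless a field width is set, so cap the read at
    // the buffer size (49 characters plus the terminator).
    std::cin.width(sizeof input);
    std::cin >> input;

    // Undo the final step: swap the pairs (10,11), (12,13), ..., (28,29).
    for (int i = 10; i < 30; i += 2) {
        std::swap(v3[i], v3[i + 1]);
    }

    // Undo the per-element arithmetic in reverse order of application.
    for (int k = 0; k < 40; ++k) {
        v3[k] /= 3;                          // inverse of *= 3
        v3[k] += k;                          // inverse of -= i
        if (k >= 10 && k < 30) {
            v3[k] ^= (k - 10) * (k - 9);     // XOR is its own inverse
        }
        v3[k] -= k * k;                      // inverse of += i*i
        v3[k] ^= 0x401u;                     // XOR is its own inverse
    }

    // Each recovered value is one character of the expected input.
    for (int k = 0; k < 40; ++k) {
        std::cout << (char)v3[k];
    }
    std::cout << std::endl;

    // Leftover sanity value from the analysis; kept so the output is unchanged.
    std::cout << ('p' ^ 0x401u) << std::endl;
    return 0;
}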
/*
input[i] += i*i;
input[i] -= i;
input[i] *= 3;
*/
得到 flag:DASCTF{TWpnemRuSTRkVzVsWVhOMmJqZzNOREoy}
作者:CHTXRT
出处:https://blog.csdn.net/CHTXRT
本文使用「CC BY-SA 4.0」创作共享协议,转载请在文章明显位置注明作者及出处。