gift
After getting the challenge, a packer check shows the binary is a program written in Go.
Running it prints the first few bytes of the flag:
CISCN{4b445b324
Loading it into IDA and debugging, the functions main_CISCN6666666, main_CISCN66666666 and main_CISCN6666666666 all run very slowly; inspecting them shows they call the sleep function.
Write an IDAPython script to patch those calls out (the byte ranges are overwritten with NOP, 0x90):
import ida_bytes

# Overwrite the sleep calls in the three slow functions with NOPs (0x90)
for i in range(0x000000000054A265, 0x000000000054A272):
    ida_bytes.patch_byte(i, 0x90)
for i in range(0x000000000054A428, 0x000000000054A435):
    ida_bytes.patch_byte(i, 0x90)
for i in range(0x000000000054A5E0, 0x000000000054A5E5):
    ida_bytes.patch_byte(i, 0x90)
Then, stepping through the program, I found the following section and inferred what it does:
j = 1LL;
while ( j <= 4 )
{
    v11 = j;
    main_wtf(0LL, j, v5, char_1, char_1);
    j = v11 + 1;
    v5 = v18;
}                                       // this loop assigns k
Method 1: derive the formula backwards (rather hard)
Each iteration yields one k value from the char_1 passed in; from these (j, k) pairs, reconstruct the formula:
j   k
1   2
3   3
6   2
9   2
10  6
11  3
12  4
13  0
14  2
Since k never exceeds 17, there must be a % 17 at the end:
(4**(j-1)+2**(j-1)) % 17
Method 2: pass the parameters in directly and print the returned k for each one, building the table of values (more practical, but it takes many debugging rounds).
The table I ended up with after debugging:
dest = [2, 3, 2, 2, 6, 3, 4, 0, 2, 12, 5, 2, 6, 4, 2, 2, 5, 6, 2, 5, 2, 2, 12, 4, 2, 2, 2, 6, 2, 6, 0, 5]
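As an added cross-check that is not part of the original writeup, the script below runs every index in arr through the Method 1 formula (with modular exponentiation, so the huge indices cost nothing) and compares the result against the Method 2 table dest; it also exposes the period-8 pattern that explains why only a handful of k values ever appear. arr, dest and v15 are the values from this writeup; k_of, period, mismatches and recover are names chosen here.

```python
# Cross-check of Method 1 (formula) against Method 2 (debugged table).
# ARR, DEST and V15 are copied from the writeup; everything else is assumed.

ARR = [1, 3, 6, 9, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x14,
       0x19, 0x1E, 0x28, 0x42, 0x66, 0x0A0, 0x936, 0x3D21, 0x149A7, 0x243AC,
       0x0CB5BE, 0x47DC61, 0x16C0F46, 0x262C432, 0x4ACE299, 0x10FBC92A,
       0x329ECDFD, 0x370D7470]
DEST = [2, 3, 2, 2, 6, 3, 4, 0, 2, 12, 5, 2, 6, 4, 2, 2, 5, 6, 2, 5, 2, 2, 12, 4,
        2, 2, 2, 6, 2, 6, 0, 5]
V15 = [0x54, 0x5E, 0x52, 0x04, 0x55, 0x05, 0x53, 0x5F, 0x50, 0x07, 0x54, 0x56,
       0x51, 0x02, 0x03, 0x00, 0x57]


def k_of(j):
    # Method 1 formula, but with pow(base, exp, mod) so an index such as
    # 0x370D7470 costs microseconds instead of building a ~10^9-bit integer.
    return (pow(4, j - 1, 17) + pow(2, j - 1, 17)) % 17


def period():
    # 4 has order 4 and 2 has order 8 modulo 17, so k must repeat every
    # 8 steps of j; find that period empirically as a sanity check.
    for p in range(1, 100):
        if all(k_of(j) == k_of(j + p) for j in range(1, 50)):
            return p
    return None


def mismatches():
    # Positions in ARR where the formula disagrees with the debugged table.
    return [i for i, j in enumerate(ARR) if k_of(j) != DEST[i]]


def recover(n=None):
    # Decode the flag body the same way the binary does: arr -> k -> v15[k] ^ 0x66.
    body = ''.join(chr(V15[k_of(j)] ^ 0x66) for j in ARR)
    return body if n is None else body[:n]


if __name__ == '__main__':
    print('period:', period(), 'mismatches:', mismatches())
    print('CISCN{' + recover() + '}')
```

If mismatches() is empty, the formula and the table agree on all 32 indices, and recover(9) reproduces the prefix the binary prints before it stalls in the sleep calls.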
Solve script:
def fun(j):
    # Same formula as Method 1; pow() with a modulus keeps the huge indices in arr cheap
    return (pow(4, j - 1, 17) + pow(2, j - 1, 17)) % 17

v15 = [0x54, 0x5E, 0x52, 0x04, 0x55, 0x05, 0x53, 0x5F, 0x50, 0x07, 0x54, 0x56, 0x51, 0x02, 0x03, 0x00, 0x57]
arr = [1, 3, 6, 9, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x14, 0x19, 0x1E, 0x28, 0x42, 0x66, 0x0A0, 0x936, 0x3D21, 0x149A7, 0x243AC,
       0x0CB5BE, 0x47DC61, 0x16C0F46, 0x262C432, 0x4ACE299, 0x10FBC92A, 0x329ECDFD, 0x370D7470]
flag = ''
for i in arr:
    # each index selects a table entry, which is XORed with 0x66 to give one flag character
    flag += chr(v15[fun(i)] ^ 0x66)
print('CISCN{' + flag + '}')
Output:
CISCN{4b445b3247c45344c54c44734445452c}