所以关键函数是stringMod(v9), 其返回的结果影响是否打印出flag, 需要返回非负数
__int64 __fastcall stringMod(__int64 *a1)
{
__int64 v1; // r9
__int64 v2; // r10
__int64 v3; // rcx
int v4; // er8
int *v5; // rdi
int *v6; // rsi
int v7; // ecx
int v8; // er9
int v9; // er10
unsigned int v10; // eax
int v11; // esi
int v12; // esi
int v14[18]; // [rsp+0h] [rbp-60h] BYREF
__int64 v15; // [rsp+48h] [rbp-18h] BYREF
memset(v14, 0, sizeof(v14));
v1 = a1[1];
if ( v1 )
{
v2 = *a1;
v3 = 0LL;
v4 = 0;
do
{
v12 = *(char *)(v2 + v3);
v14[v3] = v12;
if ( 3 * ((unsigned int)v3 / 3) == (_DWORD)v3 && v12 != firstchar[(unsigned int)v3 / 3] )
v4 = -1;
++v3;
}
while ( v3 != v1 );
}
else
{
v4 = 0;
}
v5 = v14;
v6 = v14;
v7 = 666;
do
{
*v6 = v7 ^ *(unsigned __int8 *)v6;
v7 += v7 % 5;
++v6;
}
while ( &v15 != (__int64 *)v6 );
v8 = 1;
v9 = 0;
v10 = 1;
v11 = 0;
do
{
if ( v11 == 2 )
{
if ( *v5 != thirdchar[v9] )
v4 = -1;
if ( v10 % *v5 != masterArray[v9] )
v4 = -1;
++v9;
v10 = 1;
v11 = 0;
}
else
{
v10 *= *v5;
if ( ++v11 == 3 )
v11 = 0;
}
++v8;
++v5;
}
while ( v8 != 19 );
return (unsigned int)(v7 * v4);
}
上边还有一个检查函数 validChars
对cpp的API不熟悉, 不过可以大致猜测, v7, v9均为输入的secret password, 分析stringMod函数, 得知firstchar和thirdchar是已知的数组, 且分别表示每3个分组时, 第一个数和第三个数, 第二个数未知, 但可以爆破出来, 1,2数相乘模3数, 是否等于masterArray[v9], 可以爆破出2数.
firstchar = [0x41, 0x69, 0x6E, 0x45, 0x6F, 0x61]
thirdchar = [0x2EF, 0x2C4, 0x2DC, 0x2C7, 0x2DE, 0x2FC]
masterArray = [0x1D7, 0x0C, 0x244, 0x25E, 0x93, 0x6C]
flag = ""
number = [0] * 18
num = 666
for i in range(18):
if i % 3 == 0:
number[i] = firstchar[i // 3]
firstchar[i // 3] = (firstchar[i // 3] ^ num) & 0xffffffff
elif i % 3 == 1:
number[i] = num
elif i % 3 == 2:
number[i] = (thirdchar[i // 3] ^ num) & 0xffffffff
num += num % 5
for i in range(6):
for temp in range(1, 128):
if ((number[i * 3 + 1] ^ temp) & 0xffffffff) * firstchar[i] % thirdchar[i] == masterArray[i]:
number[i * 3 + 1] = temp
break
for i in range(18):
flag += chr(number[i])
print(flag)
加上tuctf{}修饰
tuctf{AfricanOrEuropean?}