2019网络与信息安全领域专项赛

Reverse

0x00 str_leak

题目给出一个cpp文件,这是使用的c++模板编程,分析代码。
_fun1是相当于开根号,fun4是求10000以内的素数个数 ,具体代码分析,参看文章:https://blog.csdn.net/liuhuiyan_2014/article/details/46276689
https://www.cnblogs.com/devymex/archive/2013/09/17/3326793.html
将注释的结果开方,算出10000以内的素数,按题目要求链接得到flag

#-*- coding:utf-8 -*-
n=10000
a=[i for i in range(10001)]  
k=2
start = time.clock()
while(k*k<=n):
    for j in range(k,n):
        while(0==a[j] and j<n):
            j+=1
        if 0==a[j]%k and k!=a[j]:
            a[j]=0
    if 0==(k-1)%6:
      k+=4
    elif 0==(k-5)%6:
        k+=2
    else:
        k+=1
q=0
for i in range(2,n):
    if 0!=a[i]:
        q =q+1
print("flag{",end='')
print("{0}-{1}-{2}-{3}-{4}-{5}".format(pow(963,2),pow(4396,2),pow(6666,2),pow(1999,2),pow(3141,2),q),end='')
print('}')

#flag{927369-19324816-44435556-3996001-9865881-1229}

0x01 flat

IDA打开,耐心分析代码,首先分析程序逻辑:输入字符串,经过五个check函数验证字符满足条件。
跟进fun_check1()
这里判断输入的字符长度在0到50之间。


image.png

跟进fun_check2()
判断开头为 "flag{"


image.png

image.png

跟进fun_check3()
判断字符最后一个为 “}”

跟进fun_check4()
判断 四个 ‘ - ' 的位置。


image.png

跟进fun_check5()
首先找到dest的值,得到dest数组为 “ J2261C63-3I2I-EGE4-IBCC-IE41A5I5F4HB”
image.png

这里对dest分类计算,将0-9 的ascll加17,’a'-'z'的ascll减48,其他字符不变。所以逆计算,0-9加17对应的是A-J , a-z 减 48 对应的是 1-9和A-J。
                                 while ( v11 == -1771681815 )
                                  {
                                    v6 = 1740029224;
                                    if ( v15[v12] >= 'a' )
                                      v6 = -1207418117;
                                    v11 = v6;
                                  }
                                  if ( v11 != -1490231676 )
                                    break;
                                  ++v12;
                                  v11 = -768723158;
                                }
                                if ( v11 != -1407902233 )
                                  break;
                                v4 = -1188300396;
                                if ( v15[v12] <= '9' )
                                  v4 = -478229440;
                                v11 = v4;
                              }
                              if ( v11 != -1207418117 )
                                break;
                              v7 = 1740029224;
                              if ( v15[v12] <= 'z' )
                                v7 = 2096910144;
                              v11 = v7;
                            }
                            if ( v11 != -1188300396 )
                              break;
                            v5 = -1771681815;
                            if ( v15[v12] == '-' )
                              v5 = -1167333891;
                            v11 = v5;
                          }
                          if ( v11 != -1167333891 )
                            break;
                          v13[v12] = v15[v12];
                          v11 = -118846692;
                        }
                        if ( v11 != -995934932 )
                          break;
                        v3 = -1188300396;
                        if ( v15[v12] >= '0' )
                          v3 = -1407902233;
                        v11 = v3;
                      }
                      if ( v11 != -991718889 )
                        break;
                      v11 = -1490231676;
                    }
                    if ( v11 != -768723158 )
                      break;
                    v8 = 1681851953;
                    if ( v12 < 36 )
                      v8 = 434013166;
                    v11 = v8;
                  }
                  if ( v11 != -624695604 )
                    break;
                  v2 = 659899916;
                  if ( v12 < 36 )
                    v2 = -995934932;
                  v11 = v2;
                }
                if ( v11 != -478229440 )
                  break;
                v13[v12] = v15[v12] + 17;//这里将0-9的加上17
                v11 = 1926387427;
              }
              if ( v11 != -451717645 )
                break;
              ++v12;
              v11 = -624695604;
            }
            if ( v11 != -118846692 )
              break;
            v11 = 1926387427;
          }
          if ( v11 != 329160926 )
            break;
          v16 = 0;
          v11 = 1269730414;
        }
        if ( v11 != 434013166 )
          break;
        v9 = -991718889;
        if ( v13[v12] != v14[v12] )
          v9 = 329160926;
        v11 = v9;
      }
      if ( v11 != 659899916 )
        break;
      v12 = 0;
      v11 = -768723158;
    }
    if ( v11 == 1269730414 )
      break;
    switch ( v11 )
    {
      case 1681851953:
        v16 = 1;
        v11 = 1269730414;
        break;
      case 1740029224:
        v11 = -118846692;
        break;
      case 1926387427:
        v11 = -451717645;
        break;
      case 2096910144:
        v13[v12] = v15[v12] - 1347911315 + 1347911267;//这里将a-z的加上48
        v11 = 1740029224;
        break;

脚本得到flag

a='J2261C63-3I2I-EGE4-IBCC-IE41A5I5F4HB'
flag = "flag{"
for i in a:
    if i>='0' and i<='9':
        flag += chr(ord(i)+48)
    elif i>='A' and i<='J':
        flag += chr(ord(i)-17)
    else:
        flag +=i
print (flag,end='')
print("}")
#flag{9bbfa2fc-c8b8-464d-8122-84da0e8e5d71}

推荐阅读更多精彩内容