[原创]KCTF 2020 秋季赛第七题 writeup

感谢奈沙夜影大佬的去花脚本

/*
 * IDA decompilation of the crackme's main() after junk-code removal.
 *
 * What the visible code does, in order:
 *  1. Two hard-coded strings (IDA auto-names string literals from their
 *     contents, so these look like hex-digit strings -- confirm in the
 *     binary) are converted into bignums F and G with
 *     sub_401B90(dst, str, len).  The length is computed by an inlined
 *     SWAR strlen: `~w & (w - 0x01010101) & 0x80808080` is non-zero iff the
 *     4-byte word w contains a zero byte.  The third argument being a
 *     length is confirmed by the later call sub_401B90(&A, v38, strlen(v38)).
 *  2. The user input is read into v38 and its length must satisfy
 *     13 <= len <= 63 (unsigned wrap of `len - 13` rejects shorter input).
 *  3. A 9-round loop calls table entries v26..v34 in turn; each call's
 *     return value is compared against the parity of the round index
 *     (likely environment/anti-debug checks -- not visible here) and the
 *     result decides how v35()/v36() are mixed into two rotating values
 *     v10/v11.  Both branches must be taken at least once.
 *  4. Bignum arithmetic over A (the input), F, G and two small constants,
 *     ending in a byte-wise comparison of B against F.
 *
 * loc_403020 is called with 0x1B6BA97 on the success path and with v22
 * on every failure path (LABEL_22); presumably it prints the verdict.
 * The `len` field of the bignum struct is a byte count: the length loops
 * below derive it by scanning bytes, and the final compare indexes bytes.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // edx -- cursor of the inlined strlen over the first constant string
  int v4; // ecx -- current 4-byte word of that scan
  unsigned int v5; // eax -- zero-byte mask for v4
  char *v6; // edx -- same for the second constant string
  int v7; // ecx
  unsigned int v8; // eax
  char *v9; // kr04_4 -- points at the NUL terminator of the user input
  int v10; // esi -- rolling value seeded from the whole input
  int v11; // edi -- rolling value seeded from the input's tail
  int v12; // ebx -- round counter, 0..8
  int v14; // edx
  int v15; // eax
  int v16; // edx
  int v17; // eax
  int v18; // edx
  int v19; // eax
  int v20; // eax -- index for the final byte-wise compare
  int v21; // [esp+1Ch] [ebp-A0h] -- snapshot of dword_4C511C, must equal 0x1B6BA97
  int v22; // [esp+20h] [ebp-9Ch] -- snapshot of dword_4C5118, must equal 0x44C4B4E0; also the failure argument
  int v23; // [esp+24h] [ebp-98h] -- rounds whose call returned the round parity
  int v24; // [esp+28h] [ebp-94h] -- rounds whose call did not
  char v25; // [esp+2Ch] [ebp-90h] -- 15 - v12, the complementary rotate count
  int *v26; // [esp+3Ch] [ebp-80h] -- first of 12 consecutive code pointers built on the stack
  int *v27; // [esp+40h] [ebp-7Ch]
  int *v28; // [esp+44h] [ebp-78h]
  int *v29; // [esp+48h] [ebp-74h]
  int *v30; // [esp+4Ch] [ebp-70h]
  int *v31; // [esp+50h] [ebp-6Ch]
  int *v32; // [esp+54h] [ebp-68h]
  int *v33; // [esp+58h] [ebp-64h]
  void *v34; // [esp+5Ch] [ebp-60h] -- last entry reached by the loop (index 8)
  int (*v35)(void); // [esp+60h] [ebp-5Ch] -- mixer, called directly (not via the index loop)
  int (*v36)(void); // [esp+64h] [ebp-58h] -- mixer, called directly
  int *v37; // [esp+68h] [ebp-54h] -- v38 starts exactly 4 bytes after this slot
  char v38[76]; // [esp+70h] [ebp-4Ch] -- user input buffer; only the first 0x40 bytes are cleared
 
  sub_40CA20();  // presumably runtime/CRT set-up; not visible here
  // Build the table of code pointers on the stack (indexed as (&v26)[i] below).
  v26 = dword_401700;
  v27 = dword_401740;
  v28 = dword_4017B0;
  v29 = dword_401890;
  v30 = dword_4018F0;
  v31 = dword_401570;
  dword_4C5028 = 0;
  v32 = dword_401820;
  v33 = dword_401950;
  v34 = &loc_401AB0;
  v35 = (int (*)(void))dword_402F20;
  v36 = sub_402F90;
  dword_4C5024 = 0;
  v37 = dword_401620;
  // Inlined strlen (4 bytes per iteration) over the first constant string.
  v3 = a104010010e4b4c;
  do
  {
    v4 = *(_DWORD *)v3;
    v3 += 4;
    v5 = ~v4 & (v4 - 16843009) & 0x80808080;  // 16843009 == 0x01010101
  }
  while ( !v5 );
  // Locate which of the 4 bytes was the terminator (low half vs high half).
  if ( !(~v4 & (v4 - 16843009) & 0x8080) )
    v5 >>= 16;
  if ( !(~v4 & (v4 - 16843009) & 0x8080) )
    v3 += 2;
  // Third argument is the string length: end pointer minus the string's
  // address (4952195 == 0x4B9083, presumably where a104010010e4b4c lives).
  sub_401B90(&F, a104010010e4b4c, (int)&v3[-__CFADD__((_BYTE)v5, (_BYTE)v5) - 4952195]);
  // Same inlined strlen for the second constant string.
  v6 = a1e9705f8d92146;
  do
  {
    v7 = *(_DWORD *)v6;
    v6 += 4;
    v8 = ~v7 & (v7 - 16843009) & 0x80808080;
  }
  while ( !v8 );
  if ( !(~v7 & (v7 - 16843009) & 0x8080) )
    v8 >>= 16;
  if ( !(~v7 & (v7 - 16843009) & 0x8080) )
    v6 += 2;
  sub_401B90(&G, a1e9705f8d92146, (int)&v6[-__CFADD__((_BYTE)v8, (_BYTE)v8) - 4952147]);  // 4952147 == 0x4B9053
  // Snapshot two globals before the prompt; they are checked later.
  v21 = dword_4C511C;
  v22 = dword_4C5118;
  ((void (__cdecl *)(int))loc_403020)(dword_4C5120);  // presumably prints the prompt
  // Read the user input.  Only 0x40 of the 76 bytes are zeroed; whether
  // sub_4B2760 bounds its write to v38 is not visible from here.
  memset(v38, 0, 0x40u);
  sub_4B2760((int)&dword_4BA660, v38);
  v9 = &v38[strlen(v38)];
  // Length gate: (len - 13) as unsigned > 50  <=>  len < 13 || len > 63.
  if ( (unsigned int)(v9 - v38 - 13) > 50 )
    goto LABEL_22;
  // Two seed values from the input.  &v37 + 4 == v38 (see the stack
  // offsets above), so the second pointer is v38 + len - 3: the last three
  // input bytes plus the NUL.  What loc_4030E0(buf, 7) computes is not visible.
  v10 = ((int (__cdecl *)(char *, int))loc_4030E0)(v38, 7);
  v11 = ((int (__cdecl *)(char *, int))loc_4030E0)((char *)&v37 + v9 - v38 + 1, 7);
  v12 = 0;
  v24 = 0;
  v23 = 0;
  // Nine rounds: call table entry i, compare its return with i & 1, and
  // mix v35()/v36() into v10/v11 with rotate counts i and 15 - i.
  do
  {
    v25 = 15 - v12;
    if ( (v12 & 1) == ((int (*)(void))(&v26)[v12])() )
    {
      ++v23;
      v10 = v35() ^ __ROR4__(v10, v12);
      v11 = v36() ^ __ROR4__(v11, v25);
    }
    else
    {
      ++v24;
      v10 = v36() ^ __ROR4__(v10, v25);
      v11 = v35() ^ __ROR4__(v11, v12);
    }
    ++v12;
  }
  while ( v12 != 9 );
  // Fail unless both branches ran at least once, the snapshots match the
  // expected constants, and the input parses into bignum A.
  if ( !v23 || !v24 || v21 != 0x1B6BA97 || v22 != 0x44C4B4E0 || sub_401B90(&A, v38, strlen(v38)) < 0 )
    goto LABEL_22;
  // B = low 32 bits of F; B.len = index of its highest non-zero byte + 1
  // (bytes 3..0 are scanned; 0 if all four are zero).
  LOBYTE(B.d[1]) = 0;
  B.d[0] = F.d[0];
  v14 = 4;
  while ( 1 )
  {
    v15 = v14 - 1;
    if ( *((_BYTE *)B.d + v14 - 1) )
      break;
    --v14;
    if ( !v15 )
      goto LABEL_29;
  }
  v15 = v14;
LABEL_29:
  B.len = v15;
  multi(&C, &A, &B);  // C = A * B
  // A = 0xE053D0F; its top byte (0x0E) is non-zero, so this length loop
  // always breaks on the first iteration with A.len = 4 and the
  // `goto LABEL_32` path below is never taken for this constant.
  LOBYTE(A.d[1]) = 0;
  A.d[0] = 0xE053D0F;
  v16 = 4;
  while ( 1 )
  {
    v17 = v16 - 1;
    if ( *((_BYTE *)A.d + v16 - 1) )
      break;
    --v16;
    if ( !v17 )
      goto LABEL_32;
  }
  v17 = v16;
  A.len = v17;
  divid(&C, &C, &A);  // C = C / 0xE053D0F
  add(&C, &C, &F);    // C += F
  add(&C, &C, &G);    // C += G
  multi(&D, &F, &G);  // D = F * G
  sub(&B, &C, &D);    // B = C - D
  if ( B.len > 16 )   // B must fit in 16 bytes
    goto LABEL_22;
LABEL_32:
  multi(&C, &C, &A);  // C = C * 0xE053D0F
  // A = 0x25; the scan walks down to byte 0 and yields A.len = 1.
  LOBYTE(A.d[1]) = 0;
  A.d[0] = 0x25;
  v18 = 4;
  while ( 1 )
  {
    v19 = v18 - 1;
    if ( *((_BYTE *)A.d + v18 - 1) )
      break;
    --v18;
    if ( !v19 )
      goto LABEL_36;
  }
  v19 = v18;
LABEL_36:
  A.len = v19;
  multi(&D, &C, &A);  // D = C * 0x25
  // D is not read by the comparison that follows; it only matters through
  // side effects of add() -- the write-up notes this add overruns by one
  // byte, which is what shrinks the final check (verify against add()).
  add(&D, &D, &D);
  // Final check: B and F must have equal length and equal bytes
  // (early exit on the first mismatch, so not constant-time).
  v20 = B.len;
  if ( B.len == F.len )
  {
    while ( --v20 >= 0 )
    {
      if ( *((_BYTE *)B.d + v20) != *((_BYTE *)F.d + v20) )
        goto LABEL_22;
    }
    ((void (__cdecl *)(int))loc_403020)(0x1B6BA97);  // success
  }
  else
  {
LABEL_22:
    ((void (__cdecl *)(int))loc_403020)(v22);  // failure
  }
  return 0;
}

最后一次 add(&D, &D, &D) 内部的 memcpy 会多写出一字节,覆盖了相邻大数结构(从而影响最终比较所用的长度),导致最后的逐字节比较实际上只需要匹配一个字节即可通过。



某字哮天 活跃值 2020-12-4 10:57
有哪位大哥愿意说一下遇到这种花指令(junk code)时的处理思路是什么?菜得很无助。
kakasasa 活跃值 2020-12-6 20:53
用 IDA 的 Keypatch 插件(Ctrl+Alt+K)把花指令 nop 掉;拿不准的地方用 OD 动态调试确认,去花之后再 F5 反编译。