int __cdecl main(int argc, const char **argv, const char **envp)
{
char v3; // ST10_1
unsigned int v4; // esi
int v5; // ecx
char v6; // ST20_1
char Str2[16]; // [esp+8h] [ebp-204h]
__int128 v9; // [esp+18h] [ebp-1F4h]
char v10; // [esp+28h] [ebp-1E4h]
char v11; // [esp+29h] [ebp-1E3h]
char Dst[256]; // [esp+108h] [ebp-104h]
char v13[256]; // [esp+109h] [ebp-103h]
memset(Dst, 0, 0xFFu);
*Str2 = xmmword_402160;
v9 = xmmword_402150;
v10 = -114;
memset(&v11, 0, 0xDEu);
(sub_401020)("Password: ", v3);
sub_401050("%36s", Dst);
srand(0x3FD1CC7u);
v4 = 0;
if ( &Dst[strlen(Dst) + 1] != v13 )
{
do
{
v5 = rand() % 256;
v6 = (v5 | Dst[v4]) & ~(v5 & Dst[v4]);
Dst[v4] = v6;
sub_401020("%d, ", v6);
++v4;
}
while ( v4 < strlen(Dst) );
}
if ( !strncmp(Dst, Str2, 0x21u) )
sub_401020("\nCorrect\n");
else
sub_401020("\nWrong\n");
return 0;
}xmmword_402150,xmmword_402160 테이블을 가져오면 된다.
.rdata:00402150 xmmword_402150 xmmword 1A329AD1F535B7A46D23E29075ECBEBAh
.rdata:00402150 ; DATA XREF: _main+42↑r
.rdata:00402160 xmmword_402160 xmmword 0CFA8C1890818F8507F1A0A19BBC3CB4Dh
.rdata:00402160 ; DATA XREF: _main+27↑r
- solve.py
from ctypes import *
import string
seed = 0x3fd1cc7
lib = cdll.msvcrt
lib.srand(seed)
table=[0x4d,0xcb,0xc3,0xbb,0x19,0x0a,0x1a,0x7f,0x50,0xf8,0x18,0x08,0x89,0xc1,0xa8,0xcf,0xba,0xbe,0xec,0x75,0x90,0xe2,0x23,0x6d,0xa4,0xb7,0x35,0xf5,0xd1,0x9a,0x32,0x1a,0x8e]
flag=""
for i in range(33):
rand = lib.rand() % 256
for j in string.printable:
tmp = (rand | ord(j)) & (~(rand & ord(j)))
if tmp == table[i]:
flag += j
print flag
'CTF WriteUp' 카테고리의 다른 글
| 2019 Codegate Quals Writeup (0) | 2019.08.04 |
|---|---|
| 2018 고등해커 본선 Writeup (0) | 2019.08.04 |
| 2018 OtterCTF Writeup (0) | 2018.12.11 |
| 2018 picoCTF Writeup (0) | 2018.11.22 |
| 2018 고등해커 예선 Writeup (0) | 2018.11.22 |