Reverse
0x00 str_leak
题目给出一个cpp文件,这是使用的c++模板编程,分析代码。
_fun1是相当于开根号,fun4是求10000以内的素数个数 ,具体代码分析,参看文章:https://blog.csdn.net/liuhuiyan_2014/article/details/46276689
https://www.cnblogs.com/devymex/archive/2013/09/17/3326793.html
将注释的结果开方,算出10000以内的素数,按题目要求链接得到flag
#-*- coding:utf-8 -*-
n=10000
a=[i for i in range(10001)]
k=2
start = time.clock()
while(k*k<=n):
for j in range(k,n):
while(0==a[j] and j<n):
j+=1
if 0==a[j]%k and k!=a[j]:
a[j]=0
if 0==(k-1)%6:
k+=4
elif 0==(k-5)%6:
k+=2
else:
k+=1
q=0
for i in range(2,n):
if 0!=a[i]:
q =q+1
print("flag{",end='')
print("{0}-{1}-{2}-{3}-{4}-{5}".format(pow(963,2),pow(4396,2),pow(6666,2),pow(1999,2),pow(3141,2),q),end='')
print('}')
#flag{927369-19324816-44435556-3996001-9865881-1229}
0x01 flat
IDA打开,耐心分析代码,首先分析程序逻辑:输入字符串,经过五个check函数验证字符满足条件。
跟进fun_check1()
这里判断输入的字符长度在0到50之间。
image.png
跟进fun_check2()
判断开头为 "flag{"
image.png
image.png
跟进fun_check3()
判断字符最后一个为 “}”
跟进fun_check4()
判断 四个 ‘ - ' 的位置。
image.png
跟进fun_check5()
首先找到dest的值,得到dest数组为 “ J2261C63-3I2I-EGE4-IBCC-IE41A5I5F4HB”
image.png
这里对dest分类计算,将0-9 的ascll加17,’a'-'z'的ascll减48,其他字符不变。所以逆计算,0-9加17对应的是A-J , a-z 减 48 对应的是 1-9和A-J。
while ( v11 == -1771681815 )
{
v6 = 1740029224;
if ( v15[v12] >= 'a' )
v6 = -1207418117;
v11 = v6;
}
if ( v11 != -1490231676 )
break;
++v12;
v11 = -768723158;
}
if ( v11 != -1407902233 )
break;
v4 = -1188300396;
if ( v15[v12] <= '9' )
v4 = -478229440;
v11 = v4;
}
if ( v11 != -1207418117 )
break;
v7 = 1740029224;
if ( v15[v12] <= 'z' )
v7 = 2096910144;
v11 = v7;
}
if ( v11 != -1188300396 )
break;
v5 = -1771681815;
if ( v15[v12] == '-' )
v5 = -1167333891;
v11 = v5;
}
if ( v11 != -1167333891 )
break;
v13[v12] = v15[v12];
v11 = -118846692;
}
if ( v11 != -995934932 )
break;
v3 = -1188300396;
if ( v15[v12] >= '0' )
v3 = -1407902233;
v11 = v3;
}
if ( v11 != -991718889 )
break;
v11 = -1490231676;
}
if ( v11 != -768723158 )
break;
v8 = 1681851953;
if ( v12 < 36 )
v8 = 434013166;
v11 = v8;
}
if ( v11 != -624695604 )
break;
v2 = 659899916;
if ( v12 < 36 )
v2 = -995934932;
v11 = v2;
}
if ( v11 != -478229440 )
break;
v13[v12] = v15[v12] + 17;//这里将0-9的加上17
v11 = 1926387427;
}
if ( v11 != -451717645 )
break;
++v12;
v11 = -624695604;
}
if ( v11 != -118846692 )
break;
v11 = 1926387427;
}
if ( v11 != 329160926 )
break;
v16 = 0;
v11 = 1269730414;
}
if ( v11 != 434013166 )
break;
v9 = -991718889;
if ( v13[v12] != v14[v12] )
v9 = 329160926;
v11 = v9;
}
if ( v11 != 659899916 )
break;
v12 = 0;
v11 = -768723158;
}
if ( v11 == 1269730414 )
break;
switch ( v11 )
{
case 1681851953:
v16 = 1;
v11 = 1269730414;
break;
case 1740029224:
v11 = -118846692;
break;
case 1926387427:
v11 = -451717645;
break;
case 2096910144:
v13[v12] = v15[v12] - 1347911315 + 1347911267;//这里将a-z的加上48
v11 = 1740029224;
break;
脚本得到flag
a='J2261C63-3I2I-EGE4-IBCC-IE41A5I5F4HB'
flag = "flag{"
for i in a:
if i>='0' and i<='9':
flag += chr(ord(i)+48)
elif i>='A' and i<='J':
flag += chr(ord(i)-17)
else:
flag +=i
print (flag,end='')
print("}")
#flag{9bbfa2fc-c8b8-464d-8122-84da0e8e5d71}
