- main
// Decompiled entry point of the checker: reads one whitespace-delimited token,
// transforms it in place with seven func1/func2/func3 calls, then compares the
// result with the global s2. Returns 0 only when the 32 transformed bytes equal
// s2, and 1 on a wrong length or a mismatch.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char s1[264]; // [rsp+10h] [rbp-110h] BYREF
unsigned __int64 v5; // [rsp+118h] [rbp-8h]
// NOTE(review): fs:0x28 read looks like the compiler's stack-protector canary
// load rather than part of the check logic; confirm in the disassembly.
v5 = __readfsqword(0x28u);
// "%63s" bounds the read to 63 characters plus the terminator, well inside the
// 264-byte buffer, so this read cannot overflow s1.
__isoc99_scanf("%63s", s1);
// Only inputs of exactly 32 characters reach the transformation chain.
if ( strlen(s1) == 32 )
{
// func1 receives the address of data stored in the binary; func2 and func3
// receive integer constants. Their bodies are not part of this listing.
// Every operand of the chain and the comparison target s2 are embedded in the
// binary, so the expected input can be recovered by static analysis alone.
func1(s1, &unk_402068);
func2(s1, 31LL);
func3(s1, 90LL);
func1(s1, &unk_40206D);
func3(s1, 77LL);
func2(s1, 243LL);
func1(s1, &unk_402072);
// Compare 0x20 (32) bytes of the transformed input with s2, a symbol defined
// outside this listing.
if ( !memcmp(s1, s2, 0x20uLL) )
{
puts("Correct!");
return 0LL;
}
else
{
puts("your input is wrong x(");
return 1LL;
}
}
else
{
puts("your input length is wrong x(");
return 1LL;
}
}
- func
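func1(a1, a2): a2 points to a NUL-terminated key (unk_402068, unk_40206D, unk_402072 in main)
v4 = strlen(a2)
a1[i] ^= a2[i%v4]
func2(a1, a2): a2 is a single integer constant (main passes 31 and 243), not an array
a1[i] += a2
func3(a1, a2): a2 is a single integer constant (main passes 90 and 77), not an array
a1[i] -= a2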
- exploit.py
# 32-byte comparison target; matches the 0x20-byte memcmp against s2 in main().
arr = list(bytes.fromhex(
    "F8 E0 E6 9E 7F 32 68 31"
    "05 DC A1 AA AA 09 B3 D8"
    "41 F0 36 8C CE C7 AC 66"
    "91 4C 32 FF 05 E0 D9 91"
))

# XOR keys for the three func1 calls. Judging by the order in which the solver
# applies them, arr1/arr2/arr3 correspond to unk_402068/unk_40206D/unk_402072.
# None of them contains a zero byte, so strlen() in func1 sees the full key.
arr1 = list(bytes.fromhex("DE AD BE EF"))
arr2 = list(bytes.fromhex("EF BE AD DE"))
arr3 = list(bytes.fromhex("11 33 55 77 99 BB DD"))
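def rev_func1(num1, num2):
    """Undo one byte of func1 (XOR with a key byte); XOR is its own inverse.

    num1 is the transformed byte, num2 the key byte. The result is reduced to
    a single byte (0..255).
    """
    # Parenthesised on purpose: `&` binds tighter than `^` in Python, so the
    # unparenthesised form would mask only num2 and leave the result unbounded.
    return (num1 ^ num2) & 0xff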
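def rev_func2(num1, num2):
    """Undo one byte of func2 (byte-wise addition) by subtracting modulo 256.

    num1 is the transformed byte, num2 the constant that func2 added.
    """
    # The body is indented so the definition parses. The mask emulates the
    # 8-bit wrap-around of the C char arithmetic; Python ints would otherwise
    # go negative.
    return (num1 - num2) & 0xff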
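def rev_func3(num1, num2):
    """Undo one byte of func3 (byte-wise subtraction) by adding modulo 256.

    num1 is the transformed byte, num2 the constant that func3 subtracted.
    """
    # The body is indented so the definition parses. The mask emulates the
    # 8-bit wrap-around of the C char arithmetic.
    return (num1 + num2) & 0xff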
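# Undo main()'s seven transformation calls in reverse order, starting from the
# bytes the program compares against. Each stage rewrites arr in place.
# Loop bodies are indented here; without indentation the script does not parse.

# 7th call in main: func1 with the 7-byte key
arr[:] = [rev_func1(b, arr3[i % len(arr3)]) for i, b in enumerate(arr)]
# 6th call: func2(s1, 243)
arr[:] = [rev_func2(b, 243) for b in arr]
# 5th call: func3(s1, 77)
arr[:] = [rev_func3(b, 77) for b in arr]
# 4th call: func1 with the second 4-byte key
arr[:] = [rev_func1(b, arr2[i % len(arr2)]) for i, b in enumerate(arr)]
# 3rd call: func3(s1, 90)
arr[:] = [rev_func3(b, 90) for b in arr]
# 2nd call: func2(s1, 31)
arr[:] = [rev_func2(b, 31) for b in arr]
# 1st call: func1 with the first 4-byte key
arr[:] = [rev_func1(b, arr1[i % len(arr1)]) for i, b in enumerate(arr)]

# Emit the recovered input as text, with no trailing newline (as the original).
print(''.join(chr(b) for b in arr), end='')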