- main
int __fastcall main(int argc, const char **argv, const char **envp)
{
puts("Input: ");
__isoc99_scanf("%s", input);
if ( strlen(input) == 64 )
{
if ( (unsigned int)check(input) )
{
puts("Nice!");
printf("Flag is DH{%s}\n", input);
}
else
{
puts("good.");
}
}
else
{
puts("Try again.");
}
return 0;
}check 함수를 통해 input을 확인한다. input의 길이는 64
- check
__int64 __fastcall check(char *a1)
{
if ( *a1 + 9 == result
&& ~a1[1] == dword_4024
&& a1[2] - 4 == dword_4028
&& 2 * a1[3] == dword_402C
&& a1[4] + 34 == dword_4030
&& a1[5] + 40 == dword_4034
&& a1[6] - 40 == dword_4038
&& 3 * a1[7] == dword_403C
&& ~a1[8] == dword_4040
&& 2 * a1[9] == dword_4044
&& 4 * a1[10] == dword_4048
&& 4 * a1[11] == dword_404C
&& 19 - a1[12] == dword_4050
&& a1[13] + 17 == dword_4054
&& a1[14] + 30 == dword_4058
&& a1[15] == dword_405C )
{
return check_not(a1);
}
else
{
return 0LL;
}
}이 조건들을 다 만족시키면 check_not이 리턴된다.
- check_not
__int64 __fastcall check_not(__int64 a1)
{
int i; // [rsp+1Ch] [rbp-4h]
for ( i = 16; i <= 25; ++i )
{
if ( ~*(char *)(i + a1) + i != result[i] )
return 0LL;
}
return check_add(a1);
}- check_add
__int64 __fastcall check_add(__int64 a1)
{
int i; // [rsp+1Ch] [rbp-4h]
for ( i = 26; i <= 35; ++i )
{
if ( *(char *)(i + a1) + i != result[i] )
return 0LL;
}
return check_dec(a1);
}- check_dec
__int64 __fastcall check_dec(__int64 a1)
{
int i; // [rsp+1Ch] [rbp-4h]
for ( i = 36; i <= 45; ++i )
{
if ( *(char *)(i + a1) - i != result[i] )
return 0LL;
}
return check_mul(a1);
}- check_mul
__int64 __fastcall check_mul(__int64 a1)
{
int i; // [rsp+1Ch] [rbp-4h]
for ( i = 46; i <= 55; ++i )
{
if ( i * *(char *)(i + a1) != result[i] )
return 0LL;
}
return check_la(a1);
}- check_la
__int64 __fastcall check_la(__int64 a1)
{
int i; // [rsp+14h] [rbp-4h]
for ( i = 56; i <= 63; ++i )
{
if ( *(char *)(i + a1) + 100 - i != result[i] )
return 0LL;
}
return 1LL;
}이 함수들을 모두 만족시켜야 한다.
조건을 하나씩 정리해보자.
- 조건
- 0~15
특수 조건들
a1[0] + 9 = 0x39
~a1[1] = 0xFFFFF9B
a1[2] - 4 = 0x2C
2 * a1[3] = 0xC6
a1[4] + 34 = 0x59
a1[5] + 40 = 0x58
a1[6] - 40 = 0x39
3 * a1[7] = 0xAB
~a1[8] = 0xFFFFFFCE
2 * a1[9] = 0xC6
4 * a1[10] = 0x18C
4 * a1[11] = 0x190
19 - a1[12] = 0xFFFFFFDA
a1[13] + 17 = 0x73
a1[14] + 30 = 0x52
a1[15] = 0x66-
16~25
~a1[i] + i = result[i] -
26~35
a1[i] + i = result[i] -
36~45
a1[i] - i = result[i] -
46~55
a1[i] * i = result[i] -
56~63
a1[i] + 100 - i = result[i]
- exploit.py
def to_int(s):
ans = 0
for i in range(3, -1, -1):
ans = ans << 8
ans += int(s[i*2:i*2+2], 16)
return ans
with open('D:\\code\\dh\\rev\\mixcmp\\result.txt', 'r') as f:
arr = [0 for i in range(64)]
data = f.read()
for i in range(64):
if i == 0:
arr[i] = (to_int(data[i*8:(i+1)*8]) - 9) & 0xff
elif i == 1:
arr[i] = ~to_int(data[i*8:(i+1)*8]) & 0xff
elif i == 2:
arr[i] = (to_int(data[i*8:(i+1)*8]) + 4) & 0xff
elif i == 3:
arr[i] = (to_int(data[i*8:(i+1)*8]) // 2) & 0xff
elif i == 4:
arr[i] = (to_int(data[i*8:(i+1)*8]) - 34) & 0xff
elif i == 5:
arr[i] = (to_int(data[i*8:(i+1)*8]) - 40) & 0xff
elif i == 6:
arr[i] = (to_int(data[i*8:(i+1)*8]) + 40) & 0xff
elif i == 7:
arr[i] = (to_int(data[i*8:(i+1)*8]) // 3) & 0xff
elif i == 8:
arr[i] = ~to_int(data[i*8:(i+1)*8]) & 0xff
elif i == 9:
arr[i] = (to_int(data[i*8:(i+1)*8]) // 2) & 0xff
elif i == 10:
arr[i] = (to_int(data[i*8:(i+1)*8]) // 4) & 0xff
elif i == 11:
arr[i] = (to_int(data[i*8:(i+1)*8]) // 4) & 0xff
elif i == 12:
arr[i] = (19 - to_int(data[i*8:(i+1)*8])) & 0xff
elif i == 13:
arr[i] = (to_int(data[i*8:(i+1)*8]) - 17) & 0xff
elif i == 14:
arr[i] = (to_int(data[i*8:(i+1)*8]) - 30) & 0xff
elif i == 15:
arr[i] = to_int(data[i*8:(i+1)*8]) & 0xff
elif i < 26:
arr[i] = ~(to_int(data[i*8:(i+1)*8]) - i) & 0xff
elif i < 36:
arr[i] = (to_int(data[i*8:(i+1)*8]) - i) & 0xff
elif i < 46:
arr[i] = (to_int(data[i*8:(i+1)*8]) + i) & 0xff
elif i < 56:
arr[i] = (to_int(data[i*8:(i+1)*8]) // i) & 0xff
else:
arr[i] = (to_int(data[i*8:(i+1)*8]) + i - 100) & 0xff
for i in arr:
print(chr(i), end = '')