[Dreamhack] r-xor-t

chrmqgozj·2025년 2월 12일

DreamHack

  1. main
/*
 * Decompiler output for the challenge's main(). It reads one string, and if it
 * is exactly 64 characters long it transforms it in three passes
 * (+13 masked to 7 bits, byte reversal, XOR with 3) and compares the result
 * with a hard-coded 64-byte string. On a match the original input is printed
 * as the flag body.
 *
 * input, rot, result, result2, byte_40DF and byte_413F are not declared in this
 * listing; presumably they are globals in the binary's data section.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int k; // [rsp+4h] [rbp-Ch]
  int j; // [rsp+8h] [rbp-8h]
  int i; // [rsp+Ch] [rbp-4h]

  puts("Input: ");
  // NOTE(review): "%s" has no field width, so scanf writes as many bytes as the
  // user supplies. The size of input is not visible here; a bounded conversion
  // (a width matching the buffer) is what a hardened version would use.
  __isoc99_scanf("%s", input);
  // The transform only runs for 64-character input. For any other length the
  // strncmp below still executes, against whatever result2 currently holds.
  if ( strlen(input) == 64 )
  {
    // Pass 1: add 13 to each byte and keep only the low 7 bits.
    for ( i = 0; i <= 63; ++i )
      rot[i] = (input[i] + 13) & 0x7F;
    // Pass 2: reverse rot into result. The decompiler shows the two end elements
    // as separate symbols: per the page's memory layout byte_40DF is rot[63]
    // and byte_413F is result[63], so these three statements are one
    // 64-element reversal.
    result[0] = byte_40DF;
    for ( j = 1; j <= 62; ++j )
      result[j] = rot[63 - j];
    byte_413F = rot[0];
    // Pass 3: XOR every byte with 3. The bound is k <= 64, i.e. 65 iterations,
    // so index 64 of result and result2 is touched as well.
    // NOTE(review): whether index 64 is still inside those arrays is not shown
    // here; the comparison below ignores that byte either way.
    for ( k = 0; k <= 64; ++k )
      result2[k] = result[k] ^ 3;
  }
  // Only the first 0x40 (64) bytes of result2 are compared.
  if ( !strncmp(result2, "C@qpl==Bppl@<=pG<>@l>@Blsp<@l@AArqmGr=B@A>q@@B=GEsmC@ArBmAGlA=@q", 0x40uLL) )
  {
    puts("\nNice!");
    printf("Flag is DH{%s}\n", input);
  }
  return 0;
}

byte_40DF와 byte_413F는 따로 값이 저장된 변수가 아니어서 당황할 수 있지만, 메모리 배치를 살펴보면 각각 rot 배열과 result 배열의 마지막(64번째) 바이트이다. 즉 디컴파일러가 배열의 마지막 원소를 별개의 심볼로 표시한 것뿐이다.

0x40A0: rot[0]
0x40DF: byte_40DF = rot[63]

0x4100: result[0]
0x413F: byte_413F = result[63]

  • 1단계
// Stage 1: add 13 to every input byte and keep the low 7 bits.
// Inverse: (rot[i] - 13) & 0x7F, which recovers any input byte below 0x80.
for ( i = 0; i <= 63; ++i )
   rot[i] = (input[i] + 13) & 0x7F;
  • 2단계
// Stage 2: reverse the 64 bytes. This is the single-loop form of the three
// statements in main (result[0] = byte_40DF, the j = 1..62 loop,
// byte_413F = rot[0]), using byte_40DF == rot[63] and byte_413F == result[63]
// from the memory layout above. Reversal is its own inverse.
for ( j = 0; j <= 63; ++j )
   result[j] = rot[63 - j];
  • 3단계
// Stage 3: XOR each byte with 3 (XOR with the same constant undoes it).
// The bound k <= 64 covers 65 bytes, one more than stage 4 compares.
for ( k = 0; k <= 64; ++k )
   result2[k] = result[k] ^ 3;
  • 4단계
// Stage 4: compare the first 0x40 (64) bytes of result2 with the hard-coded string.
strncmp(result2, "C@qpl==Bppl@<=pG<>@l>@Blsp<@l@AArqmGr=B@A>q@@B=GEsmC@ArBmAGlA=@q", 0x40uLL)
  1. exploit.py
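# Recover the 64-character input accepted by the check in main by undoing its
# three stages in reverse order: XOR with 3, byte reversal, then "+13 & 0x7F".
TARGET = 'C@qpl==Bppl@<=pG<>@l>@Blsp<@l@AArqmGr=B@A>q@@B=GEsmC@ArBmAGlA=@q'

# Undo stage 3. XOR with 3 is its own inverse. Every byte of TARGET is ASCII, so
# no extra mask is needed. In the original `ord(c) ^ 3 & 0xff`, `&` binds
# tighter than `^`, so the mask only ever applied to the constant 3.
s = [ord(ch) ^ 3 for ch in TARGET]

# Undo stage 2 (reversal) and stage 1 in a single pass. The 7-bit mask makes the
# subtraction wrap modulo 128, mirroring the `& 0x7F` in the binary.
ans = [(b - 13) & 0x7f for b in reversed(s)]

# Self-check: push the recovered bytes through the forward transform and make
# sure they reproduce TARGET, so a slip in any inverse step fails loudly
# instead of printing a wrong answer.
assert ''.join(chr(((c + 13) & 0x7f) ^ 3) for c in reversed(ans)) == TARGET

# Same output as before: the 64 recovered characters, no trailing newline.
print(''.join(chr(c) for c in ans), end='')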
