📒 Description
📒 C code
📖 main
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[256]; // [rsp+20h] [rbp-118h] BYREF
memset(v4, 0, sizeof(v4));
sub_140001120("Input : ", argv, envp);
sub_1400011B0("%256s", v4);
if ( (unsigned int)sub_140001000(v4) )
puts("Correct");
else
puts("Wrong");
return 0;
}📖 sub_140001000
__int64 __fastcall sub_140001000(__int64 a1)
{
int i; // [rsp+0h] [rbp-18h]
for ( i = 0; (unsigned __int64)i < 0x1F; ++i )
{
if ( (i ^ (unsigned __int8)__ROL1__(*(_BYTE *)(a1 + i), i & 7)) != byte_140003000[i] )
return 0i64;
}
return 1i64;
}어우 ROL이 나온다. 식 정리해서 문제 해결해보도록 하자.
📒 Exploit
📖 식 정리
어 됐다.
📖 exploit.py
byte32=[82, 223, 179, 96, 241, 139, 28, 181, 87, 209, 159, 56, 75, 41, 217, 38, 127, 201, 163, 233, 83, 24, 79, 184, 106, 203, 135, 88, 91, 57, 30, 0]
answer=[]
def __ROR__(data, shift):
size = 8
shift = shift % size
body = data >> shift
head = (data << (size - shift)) - (body << size)
return(body+head)
for i in range(0, 31):
find = byte32[i] ^ i
size = i & 7
print(chr(__ROR__(find, size)), end = '')
answer.append(chr(__ROR__(find, size)))
#print(answer)
print()저 ROR 함수는 구글링 해서 가져왔다.
Today I Learned