[SUCTF2018]babyre知识点 爆破 找到关键代码 __int64 sub_140012460(){ char *v0; // rdi __int64 i; // rcx char v3[48]; // [rsp+0h] [rbp-20h] BYREF char v4[32]; // [rsp+30h] [rbp+10h] char v5[184]; // [rsp+50h] [rbp+30h] BYREF char flag[60]; // [rsp+108h] [rbp+E8h] BYREF unsigned int key[8]; // [rsp+144h] [rbp+124h] BYREF int j; // [rsp+164h] [rbp+144h] int v9; // [rsp+234h] [rbp+214h] int v10; // [rsp+238h] [rbp+218h] v0 = v3; for ( i = 150i64; i; --i ) { *(_DWORD *)v0 = -858993460; v0 += 4; } sub_1400110A0((__int64)&unk_140023035); v4[0] = 2; v4[1] = 3; v4[2] = 2; v4[3] = 1; v4[4] = 4; v4[5] = 7; v4[6] = 4; v4[7] = 5; v4[8] = 10; v4[9] = 11; v4[10] = 10; v4[11] = 9; v4[12] = 14; v4[13] = 15; v4[14] = 12; v4[15] = 13; v4[16] = 16; v4[17] = 19; v4[18] = 16; v4[19] = 17; v4[20] = 20; v4[21] = 23; v4[22] = 22; v4[23] = 19; v4[24] = 28; v4[25] = 25; v4[26] = 30; v4[27] = 31; v4[28] = 28; v4[29] = 25; v4[30] = 26; v4[31] = 31; qmemcpy(v5, "$!\"'$!\"#().+$-&/81:;4=>7092;<567HIBBDDFGHIJJMMONPPRSUTVWYYZ[\\]^^``ccdeggiikklmnnpprstuwwxy{{}}", 94); v5[94] = 127; v5[95] = 127; v5[96] = -127; v5[97] = -127; v5[98] = -125; v5[99] = -125; v5[100] = -116; v5[101] = -115; v5[102] = -114; v5[103] = -113; v5[104] = -120; v5[105] = -119; v5[106] = -118; v5[107] = -117; v5[108] = -116; v5[109] = -115; v5[110] = -114; v5[111] = -121; v5[112] = -104; v5[113] = -111; v5[114] = -110; v5[115] = -109; v5[116] = -108; v5[117] = -107; v5[118] = -106; v5[119] = -105; v5[120] = -104; v5[121] = -103; v5[122] = -102; v5[123] = -102; v5[124] = -100; v5[125] = -100; v5[126] = -98; v5[127] = -98; v5[128] = -96; v5[129] = -96; v5[130] = -94; v5[131] = -94; v5[132] = -92; v5[133] = -92; v5[134] = -90; v5[135] = -90; v5[136] = -88; v5[137] = -88; v5[138] = -86; v5[139] = -86; v5[140] = -84; v5[141] = -84; v5[142] = -82; v5[143] = -82; v5[144] = -80; v5[145] = -79; v5[146] = -78; v5[147] = -77; memset(flag, 0, 0x1Fui64); sub_140011159(std::cout, "flag format: SUCTF{xxxxxxxxxxxxxxx}\n"); sub_140011159(std::cout, "Please Input Key:"); std::istream::operator>>(std::cin, key); key[0] %= 0x10000u; flag[30] = 8; while ( flag[30] ) { --flag[30]; for ( j = 22; j; flag[j] |= v10 << flag[30] ) { v9 = v4[22 * flag[30] + --j]; v10 = (v9 >> ((key[0] >> (2 * flag[30])) & 3)) & 1; } } sub_140011159(std::cout, flag); system("pause"); sub_1400113A7(v3, &unk_14001AD10); return 0i64;} 可发现v4和v5应当在一起 知道头几位为SUCTF,爆破即可 脚本#include <stdio.h>#include <string.h>#include <stdlib.h>int main(){ int v[500], flag[100], v9, v10; v[0] = 2; v[1] = 3; v[2] = 2; v[3] = 1; v[4] = 4; v[5] = 7; v[6] = 4; v[7] = 5; v[8] = 10; v[9] = 11; v[10] = 10; v[11] = 9; v[12] = 14; v[13] = 15; v[14] = 12; v[15] = 13; v[16] = 16; v[17] = 19; v[18] = 16; v[19] = 17; v[20] = 20; v[21] = 23; v[22] = 22; v[23] = 19; v[24] = 28; v[25] = 25; v[26] = 30; v[27] = 31; v[28] = 28; v[29] = 25; v[30] = 26; v[31] = 31; v[32] = 36; v[33] = 33; v[34] = 34; v[35] = 39; v[36] = 36; v[37] = 33; v[38] = 34; v[39] = 35; v[40] = 40; v[41] = 41; v[42] = 46; v[43] = 43; v[44] = 36; v[45] = 45; v[46] = 38; v[47] = 47; v[48] = 56; v[49] = 49; v[50] = 58; v[51] = 59; v[52] = 52; v[53] = 61; v[54] = 62; v[55] = 55; v[56] = 48; v[57] = 57; v[58] = 50; v[59] = 59; v[60] = 60; v[61] = 53; v[62] = 54; v[63] = 55; v[64] = 72; v[65] = 73; v[66] = 66; v[67] = 66; v[68] = 68; v[69] = 68; v[70] = 70; v[71] = 71; v[72] = 72; v[73] = 73; v[74] = 74; v[75] = 74; v[76] = 77; v[77] = 77; v[78] = 79; v[79] = 78; v[80] = 80; v[81] = 80; v[82] = 82; v[83] = 83; v[84] = 85; v[85] = 84; v[86] = 86; v[87] = 87; v[88] = 89; v[89] = 89; v[90] = 90; v[91] = 91; v[92] = 92; v[93] = 93; v[94] = 94; v[95] = 94; v[96] = 96; v[97] = 96; v[98] = 99; v[99] = 99; v[100] = 100; v[101] = 101; v[102] = 103; v[103] = 103; v[104] = 105; v[105] = 105; v[106] = 107; v[107] = 107; v[108] = 108; v[109] = 109; v[110] = 110; v[111] = 110; v[112] = 112; v[113] = 112; v[114] = 114; v[115] = 115; v[116] = 116; v[117] = 117; v[118] = 119; v[119] = 119; v[120] = 120; v[121] = 121; v[122] = 123; v[123] = 123; v[124] = 125; v[125] = 125; v[126] = 127; v[127] = 127; v[128] = -127; v[129] = -127; v[130] = -125; v[131] = -125; v[132] = -116; v[133] = -115; v[134] = -114; v[135] = -113; v[136] = -120; v[137] = -119; v[138] = -118; v[139] = -117; v[140] = -116; v[141] = -115; v[142] = -114; v[143] = -121; v[144] = -104; v[145] = -111; v[146] = -110; v[147] = -109; v[148] = -108; v[149] = -107; v[150] = -106; v[151] = -105; v[152] = -104; v[153] = -103; v[154] = -102; v[155] = -102; v[156] = -100; v[157] = -100; v[158] = -98; v[159] = -98; v[160] = -96; v[161] = -96; v[162] = -94; v[163] = -94; v[164] = -92; v[165] = -92; v[166] = -90; v[167] = -90; v[168] = -88; v[169] = -88; v[170] = -86; v[171] = -86; v[172] = -84; v[173] = -84; v[174] = -82; v[175] = -82; v[176] = -80; v[177] = -79; v[178] = -78; v[179] = -77; for (int key = 0; key < 0x10000; key++) { memset(flag, 0, sizeof(flag)); flag[30] = 8; while (flag[30]) { --flag[30]; for (int j = 22; j; flag[j] |= v10 << flag[30]) { v9 = v[22 * flag[30] + --j]; v10 = (v9 >> ((key >> 2 * flag[30]) & 3)) & 1; } } printf("key:%d\n", key); if (flag[0] == 'S' && flag[1] == 'U' && flag[2] == 'C' && flag[3] == 'T' && flag[4] == 'F') { for (int i = 0; i < 22; i++) printf("%c", flag[i]); system("pause"); } } return 0;}// SUCTF{Flag_8i7244980f}
