rctf2018_babyre

Author Avatar
Xzhah 5月 22, 2018
  • 在其它设备中阅读本文章

@xzh3ha

逻辑

真正核心函数为sub_80488E0而不是main,跟一下程序或者找一下输入位置都能知道

1.png

__PAIR(a3,a2)的作用是把a3作为高32位,a2作为低32位传入

2.png

对于这种单字符加密,爆破就完事儿了。

要求输出为如下

B80C91FE70573EFE
BEED92AE7F7A8193
7390C17B90347C6C
AA7A15DFAA7A15DF
526BA076153F1A32
545C15AD7D8AA463
526BA076FBCB7AA0
7D8AA4639C513266
526BA0766D7DF3E1
AA7A15DF9C513266
1EDC38649323BC07
7D8AA463FBCB7AA0
153F1A32526BA076
F5650025AA7A15DF
1EDC3864B13AD888

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
include<stdio.h>
include<string.h>
include<map>
include<utility>
int sub_400BA0(unsigned int a1, unsigned __int64 a2)
{
unsigned __int64 v5; // rax
unsigned int i; // esp+1Ch
unsigned __int32 v8; // esp+20h
unsigned int j; // esp+24h
int v10; // esp+28h
int s[32]; // esp+2Ch
unsigned int v12; // esp+ACh
v8 = a1;
for ( j = 0; j <= 0x20F; ++j )
{
v5 = a2 >> (j & 0x1F);
if ( j & 0x20 ){
__int64 temp =v5&0xffffffff00000000;
temp=temp>>32;
v5=v5&0xffffffff00000000;
v5=v5|temp;
}
v8 = (v8 >> 1) ^ (((unsigned int)v5 ^ v8 ^ (v8 >> 16) ^ (1551120942 >> (((v8 >> 1) & 1)
+ 2
* (2
* (((v8 >> 20) & 1)
+ 2
* (2 * ((v8 & 0x80000000) != 0)
+ ((v8 >> 26) & 1)))
+ ((v8 >> 9) & 1))))) << 31);
}
return v8;
}
int main(){
int num[]={0xB80C91FE,0x70573EFE,0xBEED92AE,0x7F7A8193
,0x7390C17B,0x90347C6C
,0xAA7A15DF,0xAA7A15DF
,0x526BA076,0x153F1A32
,0x545C15AD,0x7D8AA463
,0x526BA076,0xFBCB7AA0
,0x7D8AA463,0x9C513266
,0x526BA076,0x6D7DF3E1
,0xAA7A15DF,0x9C513266
,0x1EDC3864,0x9323BC07
,0x7D8AA463,0xFBCB7AA0
,0x153F1A32,0x526BA076
,0xF5650025,0xAA7A15DF
,0x1EDC3864,0xB13AD888};
for (int i=0;i<30;i++)
{
for (int k=0;k<=0xff;k++)
{
//int a3=0x1D082C23;
//int a2=0xA72BE4C1;
__int64 temp=0x1D082C23A72BE4C1;
//temp=temp|a3;
//temp=(temp<<32)|a2;
//k=82;
if(sub_400BA0(k,temp)==num[i])
{
printf("%c",k);
break;
}
//printf("%lx",sub_400BA0(k,temp));
//break;
}//break;
}
return 0;
}
3.png