I had a look at the XCTF university charity contest and it was crushing: in two days I analysed two challenges, but the other one, 天津垓, I only got halfway through and really could not keep going. I only got as far as the very first Caucasus@s_ability and did not analyse anything after that. Still too much of a noob.
When I later read the writeups, some of the experts got the first one directly by debugging in OD (OllyDbg); I did it by writing a script. I wasted far too much time and in the end ran out of patience. The cycle_graph challenge also took me a long time; I did relatively little analysis, went down a small detour at first, and only found the right way later.
Next, drag it into IDA for analysis (I have also realised that my OllyDbg debugging skills seem even worse).
The beginning:
After looking it over I chose to follow dword_402178 first, together with some of the data that follows it; see the figure below:
This is where I kept tripping up. Why? Look closely here:
I had not paid attention to it at first, but as the analysis went on the element counts never matched up, and I recomputed the addresses of the three arrays several times. Once I finally spotted this I went back and rewrote the starting value of each array in the script.
Also note the char type here; do not overlook it. v7 is a char as well, so the running value is 8-bit arithmetic.
And I am confident the source code must have looked like this:
Source code
The code is not especially hard to analyse as a whole, but it still cost me a lot of time.
Here is the first part of the code:
a = [0x34,0x2,0x2C,0x2A,0x6,0x2A,0x2F,0x2A,0x33,0x3,0x2,0x32,0x32,0x32,0x30,0x3,0x1,0x32,0x2B,0x2,0x2E,0x1,0x2,0x2D,0x32,0x4,0x2D,0x30,0x31,0x2F,0x33,0x5]
b = [0x2,0x2,0x1,0x12,0x7,0x2,0x1A,0x0D,0x4,0x0A,0x4,0x15,0x0E,0x1,0x0,0x0E,0x5,0x7,0x1C,0x0C,0x1C,0x0F,0x0F,0x2,0x10,0x17,0x1E,0x17,0x13,0x9,0x16,0x1F]
c = [0x1,0x8,0x7,0x17,0x9,0x13,0x1F,0x17,0x9,0x0D,0x0C,0x1D,0x0A,0x18,0x9,0x18,0x19,0x9,0x1A,0x3,0x16,0x6,0x11,0x0D,0x7,0x0F,0x14,0x1,0x10,0x4,0x0B,0x1F]
x = []
for i in range(0, 32):
    v3 = a[i]               # x[3*i]   : the weight of node 3*i
    x.append(v3)
    v4 = 3 * b[i]           # x[3*i+1] : first successor. The binary multiplies by 12
    x.append(v4)            #            and then divides by 4; 3*b gives the same result
    v5 = 3 * c[i]           # x[3*i+2] : second successor, scaled the same way
    x.append(v5)
print(x)
This gives the values of array x:
[52, 6, 3, 2, 6, 24, 44, 3, 21, 42, 54, 69, 6, 21, 27, 42, 6, 57, 47, 78, 93, 42, 39, 69, 51, 12, 27, 3, 30, 39, 2, 12, 36, 50, 63, 87, 50, 42, 30, 50, 3, 72, 48, 0, 27, 3, 42, 72, 1, 15, 75, 50, 21, 27, 43, 84, 78, 2, 36, 9, 46, 84, 66, 1, 45, 18, 2, 45, 51, 45, 6, 39, 50, 48, 21, 4, 69, 45, 45, 90, 60, 48, 69, 3, 49, 57, 48, 47, 27, 12, 51, 66, 33, 5, 93, 93]
Next, compute the second part:
def find_path(graph, start, end, path=None):
    # Enumerate every simple path from start to end (no node visited twice)
    path = (path or []) + [start]
    if start == end:
        return [path]
    paths = []
    for node in graph[start]:
        if node not in path:
            for newpath in find_path(graph, node, end, path):
                paths.append(newpath)
    return paths

graph = {}
for i in range(len(x)):                  # x is the 96-element table from the first part
    if i % 3 == 0:
        graph[i] = []                    # node i (a multiple of 3) ...
    else:
        graph[i - (i % 3)].append(x[i])  # ... has x[i+1] and x[i+2] as its two successors

allpath = find_path(graph, 0, 93)
for path in allpath:                     # check every path, not only the first sixteen
    if len(path) == 16:
        print(path)
This part computes the path. Because the binary's loop runs sixteen times, we look for a path of length 16 (16 nodes, i.e. 15 edges; the sixteenth step is dealt with below).
This yields the path [0, 6, 21, 39, 72, 48, 15, 57, 9, 54, 78, 90, 33, 63, 18, 93], and it is the only path of that length.
The last part produces the flag:
v7 = 48                  # initial value of the running char
v4 = 0                   # current node, an index into x (always a multiple of 3)
flag = [0] * 16
# the 16 nodes visited after 0: the path found above without its first node,
# plus one more step that stays on 93
p = [6, 21, 39, 72, 48, 15, 57, 9, 54, 78, 90, 33, 63, 18, 93, 93]
for i in range(16):      # x is the 96-element table from the first part
    if x[v4 + 1] == p[i]:        # took the first successor: add the node weight
        flag[i] = v7 + x[v4]
        v4 = x[v4 + 1]
    elif x[v4 + 2] == p[i]:      # took the second successor: subtract it
        flag[i] = v7 - x[v4]
        v4 = x[v4 + 2]
    v7 = flag[i]
print("".join(chr(i) for i in flag))
One more thing to watch: from 6 through 93 there are only 15 nodes, so one more step is needed, and that step stays on 93, because both successors of node 93 are 93 itself. You can print the graph from the second part to check this.
It should be this:
{0: [6, 3], 3: [6, 24], 6: [3, 21], 9: [54, 69], 12: [21, 27], 15: [6, 57], 18: [78, 93], 21: [39, 69], 24: [12, 27], 27: [30, 39], 30: [12, 36], 33: [63, 87], 36: [42, 30], 39: [3, 72], 42: [0, 27], 45: [42, 72], 48: [15, 75], 51: [21, 27], 54: [84, 78], 57: [36, 9], 60: [84, 66], 63: [45, 18], 66: [45, 51], 69: [6, 39], 72: [48, 21], 75: [69, 45], 78: [90, 60], 81: [69, 3], 84: [57, 48], 87: [27, 12], 90: [66, 33], 93: [93, 93]}
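The three scripts above guess the path length, search for simple paths, and then pad the walk by hand. The following is an added example written for this page (not the original post's script and not the challenge author's code) that solves the same check end to end without that guesswork: it keeps the three byte arrays and the x-table layout exactly as described above, enumerates all 2**16 left/right choices (one per flag character, so the search is finite by construction), keeps the walks that finish on node 93, and filters them by the assumption that the flag is printable ASCII. The names build_table, replay, solve, SEED and SINK are mine; the 8-bit char emulation in to_char is also my assumption about v7.

```python
"""cycle_graph: brute-force the 16 left/right decisions instead of guessing
a path length.  Added example for this page; not the original post's code.
Arrays A, B, C and the table layout come from the post; everything else is
assumed for illustration."""
from itertools import product

A = [0x34,0x2,0x2C,0x2A,0x6,0x2A,0x2F,0x2A,0x33,0x3,0x2,0x32,0x32,0x32,0x30,0x3,
     0x1,0x32,0x2B,0x2,0x2E,0x1,0x2,0x2D,0x32,0x4,0x2D,0x30,0x31,0x2F,0x33,0x5]
B = [0x2,0x2,0x1,0x12,0x7,0x2,0x1A,0x0D,0x4,0x0A,0x4,0x15,0x0E,0x1,0x0,0x0E,
     0x5,0x7,0x1C,0x0C,0x1C,0x0F,0x0F,0x2,0x10,0x17,0x1E,0x17,0x13,0x9,0x16,0x1F]
C = [0x1,0x8,0x7,0x17,0x9,0x13,0x1F,0x17,0x9,0x0D,0x0C,0x1D,0x0A,0x18,0x9,0x18,
     0x19,0x9,0x1A,0x3,0x16,0x6,0x11,0x0D,0x7,0x0F,0x14,0x1,0x10,0x4,0x0B,0x1F]

STEPS = 16          # loop count in the binary (from the post)
SEED = 48           # initial value of v7 (from the post)
START, SINK = 0, 93 # walk starts at node 0; node 93 only has self-loops


def build_table(a, b, c):
    """x[3k] is the weight of node 3k; x[3k+1], x[3k+2] are its successors.
    The binary scales b and c by 12 and divides by 4, which is 3*b and 3*c."""
    table = []
    for wa, wb, wc in zip(a, b, c):
        table += [wa, wb * 12 // 4, wc * 12 // 4]
    return table


def to_char(v):
    """Emulate the 8-bit char v7 lives in (assumed: plain 8-bit wraparound).
    For this input nothing wraps, so signed vs unsigned makes no difference."""
    return v & 0xFF


def replay(table, choices, seed=SEED, start=START):
    """Walk the graph following `choices`: 0 = first successor and add the
    node weight, 1 = second successor and subtract it, exactly as the post's
    third script does.  Returns (final_node, flag_bytes), or None when a
    choice cannot occur: the reconstructed check tests the 'add' edge first,
    so when both successors are equal (node 93) only choice 0 is reachable."""
    node, prev, out = start, seed, bytearray()
    for c in choices:
        nxt0, nxt1 = table[node + 1], table[node + 2]
        if c == 1 and nxt0 == nxt1:
            return None
        weight = table[node]
        prev = to_char(prev + weight if c == 0 else prev - weight)
        out.append(prev)
        node = nxt1 if c else nxt0
    return node, bytes(out)


def is_printable(flag):
    """Assumption: the flag consists of printable ASCII (0x20..0x7E)."""
    return all(0x20 <= ch < 0x7F for ch in flag)


def solve(table, steps=STEPS, sink=SINK):
    """Try every choice vector.  Returns (walks_ending_on_sink, printable_flags)."""
    to_sink, flags = [], []
    for choices in product((0, 1), repeat=steps):
        result = replay(table, choices)
        if result is None or result[0] != sink:
            continue
        to_sink.append(choices)
        if is_printable(result[1]):
            flags.append(result[1])
    return to_sink, flags


if __name__ == "__main__":
    x = build_table(A, B, C)
    walks, flags = solve(x)
    print(f"{len(walks)} walks of {STEPS} steps end on node {SINK}")
    for flag in flags:
        print("printable candidate:", flag.decode())
```

Several 16-step walks reach node 93 (the 0, 3, 6, ... and 0, 6, 21, 69, ... variants end there with no self-loop at all), but every one except the path the post found produces a character outside printable ASCII within its first three steps, which is why the simple-path-plus-padding approach above still landed on the right answer. The tie-break in replay mirrors the if/elif order of the third script: at node 93 both edges lead to 93, and only the add branch is ever taken.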
I will not write out the final flag; anyone interested can try it themselves. The file link is below.