• 攻防世界 reverse Newbie_calculations


    Newbie_calculations Hack-you-2014

    题目名百度翻译成新手计算,那我猜应该是个实现计算器的题目。。。。

    IDA打开程序,发现一长串的函数反复调用,而且程序没有输入,只有输出。额,那这样的话程序运行就应该输出flag,但程序中肯定会有垃圾循环操作,就让你跑不出来。0.0

    这种题目就要分析函数作用,简化,自己实现算法。

    程序流程:

      1 for ( i = 0; i < 32; ++i )
      2     flag[i] = 1;
      3   v121 = 0;
      4   puts("Your flag is:");
      5   v3 = mul_401100(flag, 0x3B9ACA00);
      6   v4 = sub_401220(v3, 0x3B9AC9CE);
      7   mul_401100(v4, 2);
      8   v5 = add_401000(&flag[1], 0x4C4B40);
      9   v6 = sub_401220(v5, 0x65B9AA);
     10   v7 = add_401000(v6, 1666666);
     11   v8 = add_401000(v7, 45);
     12   v9 = mul_401100(v8, 2);
     13   add_401000(v9, 5);
     14   v10 = mul_401100(&flag[2], 0x3B9ACA00);
     15   v11 = sub_401220(v10, 999999950);
     16   v12 = mul_401100(v11, 2);
     17   add_401000(v12, 2);
     18   v13 = add_401000(&flag[3], 55);
     19   v14 = sub_401220(v13, 3);
     20   v15 = add_401000(v14, 4);
     21   sub_401220(v15, 1);
     22   v16 = mul_401100(&flag[4], 100000000);
     23   v17 = sub_401220(v16, 99999950);
     24   v18 = mul_401100(v17, 2);
     25   add_401000(v18, 2);
     26   v19 = sub_401220(&flag[5], 1);
     27   v20 = mul_401100(v19, 1000000000);
     28   v21 = add_401000(v20, 55);
     29   sub_401220(v21, 3);
     30   v22 = mul_401100(&flag[6], 1000000);
     31   v23 = sub_401220(v22, 999975);
     32   mul_401100(v23, 4);
     33   v24 = add_401000(&flag[7], 55);
     34   v25 = sub_401220(v24, 33);
     35   v26 = add_401000(v25, 44);
     36   sub_401220(v26, 11);
     37   v27 = mul_401100(&flag[8], 10);
     38   v28 = sub_401220(v27, 5);
     39   v29 = mul_401100(v28, 8);
     40   add_401000(v29, 9);
     41   v30 = add_401000(&flag[9], 0);
     42   v31 = sub_401220(v30, 0);
     43   v32 = add_401000(v31, 11);
     44   v33 = sub_401220(v32, 11);
     45   add_401000(v33, 53);
     46   v34 = add_401000(&flag[10], 49);
     47   v35 = sub_401220(v34, 2);
     48   v36 = add_401000(v35, 4);
     49   sub_401220(v36, 2);
     50   v37 = mul_401100(&flag[11], 1000000);
     51   v38 = sub_401220(v37, 999999);
     52   v39 = mul_401100(v38, 4);
     53   add_401000(v39, 50);
     54   v40 = add_401000(&flag[12], 1);
     55   v41 = add_401000(v40, 1);
     56   v42 = add_401000(v41, 1);
     57   v43 = add_401000(v42, 1);
     58   v44 = add_401000(v43, 1);
     59   v45 = add_401000(v44, 1);
     60   v46 = add_401000(v45, 10);
     61   add_401000(v46, 32);
     62   v47 = mul_401100(&flag[13], 10);
     63   v48 = sub_401220(v47, 5);
     64   v49 = mul_401100(v48, 8);
     65   v50 = add_401000(v49, 9);
     66   add_401000(v50, 48);
     67   v51 = sub_401220(&flag[14], 1);
     68   v52 = mul_401100(v51, -294967296);
     69   v53 = add_401000(v52, 55);
     70   sub_401220(v53, 3);
     71   v54 = add_401000(&flag[15], 1);
     72   v55 = add_401000(v54, 2);
     73   v56 = add_401000(v55, 3);
     74   v57 = add_401000(v56, 4);
     75   v58 = add_401000(v57, 5);
     76   v59 = add_401000(v58, 6);
     77   v60 = add_401000(v59, 7);
     78   add_401000(v60, 20);
     79   v61 = mul_401100(&flag[16], 10);
     80   v62 = sub_401220(v61, 5);
     81   v63 = mul_401100(v62, 8);
     82   v64 = add_401000(v63, 9);
     83   add_401000(v64, 48);
     84   v65 = add_401000(&flag[17], 7);
     85   v66 = add_401000(v65, 6);
     86   v67 = add_401000(v66, 5);
     87   v68 = add_401000(v67, 4);
     88   v69 = add_401000(v68, 3);
     89   v70 = add_401000(v69, 2);
     90   v71 = add_401000(v70, 1);
     91   add_401000(v71, 20);
     92   v72 = add_401000(&flag[18], 7);
     93   v73 = add_401000(v72, 2);
     94   v74 = add_401000(v73, 4);
     95   v75 = add_401000(v74, 3);
     96   v76 = add_401000(v75, 6);
     97   v77 = add_401000(v76, 5);
     98   v78 = add_401000(v77, 1);
     99   add_401000(v78, 20);
    100   v79 = mul_401100(&flag[19], 1000000);
    101   v80 = sub_401220(v79, 999999);
    102   v81 = mul_401100(v80, 4);
    103   v82 = add_401000(v81, 50);
    104   sub_401220(v82, 1);
    105   v83 = sub_401220(&flag[20], 1);
    106   v84 = mul_401100(v83, -294967296);
    107   v85 = add_401000(v84, 49);
    108   sub_401220(v85, 1);
    109   v86 = sub_401220(&flag[21], 1);
    110   v87 = mul_401100(v86, 1000000000);
    111   v88 = add_401000(v87, 54);
    112   v89 = sub_401220(v88, 1);
    113   v90 = add_401000(v89, 1000000000);
    114   sub_401220(v90, 1000000000);
    115   v91 = add_401000(&flag[22], 49);
    116   v92 = sub_401220(v91, 1);
    117   v93 = add_401000(v92, 2);
    118   sub_401220(v93, 1);
    119   v94 = mul_401100(&flag[23], 10);
    120   v95 = sub_401220(v94, 5);
    121   v96 = mul_401100(v95, 8);
    122   v97 = add_401000(v96, 9);
    123   add_401000(v97, 48);
    124   v98 = add_401000(&flag[24], 1);
    125   v99 = add_401000(v98, 3);
    126   v100 = add_401000(v99, 3);
    127   v101 = add_401000(v100, 3);
    128   v102 = add_401000(v101, 6);
    129   v103 = add_401000(v102, 6);
    130   v104 = add_401000(v103, 6);
    131   add_401000(v104, 20);
    132   v105 = add_401000(&flag[25], 55);
    133   v106 = sub_401220(v105, 33);
    134   v107 = add_401000(v106, 44);
    135   v108 = sub_401220(v107, 11);
    136   add_401000(v108, 42);
    137   add_401000(&flag[26], flag[25]);
    138   add_401000(&flag[27], flag[12]);
    139   v109 = flag[27];
    140   v110 = sub_401220(&flag[28], 1);
    141   v111 = add_401000(v110, v109);
    142   sub_401220(v111, 1);
    143   v112 = flag[23];
    144   v113 = sub_401220(&flag[29], 1);
    145   v114 = mul_401100(v113, 1000000);
    146   add_401000(v114, v112);
    147   v115 = flag[27];
    148   v116 = add_401000(&flag[30], 1);
    149   mul_401100(v116, v115);
    150   add_401000(&flag[31], flag[30]);
    151   print_401C7F("CTF{");
    152   for ( j = 0; j < 32; ++j )
    153     print_401C7F("%c", SLOBYTE(flag[j]));
    154   print_401C7F("}
    ");
    155   return 0;
    156 }

    这道题目的关键就在于如何识别出上面这些函数的作用

     1 _DWORD *__cdecl mul_401100(_DWORD *a1, int a2)
     2 {
     3   int v2; // ST20_4
     4   signed int v4; // [esp+Ch] [ebp-1Ch]
     5   int v5; // [esp+14h] [ebp-14h]
     6   int v6; // [esp+18h] [ebp-10h]
     7   int v7; // [esp+1Ch] [ebp-Ch]
     8   int v8; // [esp+20h] [ebp-8h]
     9 
    10   v5 = *a1;
    11   v6 = a2;
    12   v4 = -1;
    13   v8 = 0;
    14   v7 = a2 * v5;
    15   while ( a2 )                                  // a1累加a2次 相当于a1*a2
    16   {
    17     v2 = v7 * v5;
    18     add_401000(&v8, *a1);
    19     ++v7;
    20     --a2;
    21     v6 = v2 - 1;
    22   }
    23   while ( v4 )                                  // 循环结束a1=a1-1
    24   {
    25     ++v7;
    26     ++*a1;
    27     --v4;
    28     --v6;
    29   }
    30   ++*a1;
    31   *a1 = v8;
    32   return a1;
    33 }
     1 int *__cdecl add_401000(int *a1, int a2)
     2 {
     3   int v2; // edx
     4   int v4; // [esp+Ch] [ebp-18h]
     5   int v5; // [esp+10h] [ebp-14h]
     6   int v6; // [esp+18h] [ebp-Ch]
     7   signed int v7; // [esp+1Ch] [ebp-8h]
     8 
     9   v5 = -1;
    10   v4 = -1 - a2 + 1;
    11   v7 = 1231;
    12   v2 = *a1;
    13   v6 = a2 + 1231;
    14   while ( v4 )                                  15                                                 // 循环结束 a1=a1+a2
    16   {
    17     ++v7;
    18     --*a1;                       //循环-   相当于-(-a2)    +a2
    19     --v4;
    20     --v6;
    21   }
    22   while ( v5 )
    23   {
    24     --v6;
    25     ++*a1;
    26     --v5;
    27   }
    28   ++*a1;                                        // a1在上面的循环中-1,现在+1,还是原值
    29   return a1;
    30 }
     1 _DWORD *__cdecl sub_401220(_DWORD *a1, int a2)
     2 {
     3   int v3; // [esp+8h] [ebp-10h]
     4   signed int v4; // [esp+Ch] [ebp-Ch]
     5   signed int v5; // [esp+14h] [ebp-4h]
     6   int v6; // [esp+14h] [ebp-4h]
     7 
     8   v4 = -1;
     9   v3 = -1 - a2 + 1;
    10   v5 = -1;
    11   while ( v3 )                                  // -a2
    12   {
    13     ++*a1;                                      // 循环结束,相当于 a1=a1-a2
    14     --v3;
    15     --v5;
    16   }
    17   v6 = v5 * v5;
    18   while ( v4 )                                  // 这个循环后  a1=a1-1
    19   {
    20     v6 *= 123;
    21     ++*a1;
    22     --v4;
    23   }
    24   ++*a1;                                        // a1+=1,恢复上一个循环前的值
    25   return a1;
    26 }

    wp:

      1 def mul_401100(a,b):
      2     return a*b
      3 def sub_401220(a,b):
      4     return a-b
      5 def add_401000(a,b):
      6     return a+b
      7 flag=[1 for i in range(32)]
      8 v121 = 0
      9 print("Your flag is:")
     10 v3 = mul_401100(flag[0], 0x3B9ACA00)
     11 v4 = sub_401220(v3, 0x3B9AC9CE)
     12 flag[0]=mul_401100(v4, 2)
     13 v5 = add_401000(flag[1], 0x4C4B40)
     14 v6 = sub_401220(v5, 0x65B9AA)
     15 v7 = add_401000(v6, 1666666)
     16 v8 = add_401000(v7, 45)
     17 v9 = mul_401100(v8, 2)
     18 flag[1]=add_401000(v9, 5)
     19 v10 = mul_401100(flag[2], 0x3B9ACA00)
     20 v11 = sub_401220(v10, 999999950)
     21 v12 = mul_401100(v11, 2)
     22 flag[2]=add_401000(v12, 2)
     23 v13 = add_401000(flag[3], 55)
     24 v14 = sub_401220(v13, 3)
     25 v15 = add_401000(v14, 4)
     26 flag[3]=sub_401220(v15, 1)
     27 v16 = mul_401100(flag[4], 100000000)
     28 v17 = sub_401220(v16, 99999950)
     29 v18 = mul_401100(v17, 2)
     30 flag[4]=add_401000(v18, 2)
     31 v19 = sub_401220(flag[5], 1)
     32 v20 = mul_401100(v19, 1000000000)
     33 v21 = add_401000(v20, 55)
     34 flag[5]=sub_401220(v21, 3)
     35 v22 = mul_401100(flag[6], 1000000)
     36 v23 = sub_401220(v22, 999975)
     37 flag[6]=mul_401100(v23, 4)
     38 v24 = add_401000(flag[7], 55)
     39 v25 = sub_401220(v24, 33)
     40 v26 = add_401000(v25, 44)
     41 flag[7]=sub_401220(v26, 11)
     42 v27 = mul_401100(flag[8], 10)
     43 v28 = sub_401220(v27, 5)
     44 v29 = mul_401100(v28, 8)
     45 flag[8]=add_401000(v29, 9)
     46 v30 = add_401000(flag[9], 0)
     47 v31 = sub_401220(v30, 0)
     48 v32 = add_401000(v31, 11)
     49 v33 = sub_401220(v32, 11)
     50 flag[9]=add_401000(v33, 53)
     51 v34 = add_401000(flag[10], 49)
     52 v35 = sub_401220(v34, 2)
     53 v36 = add_401000(v35, 4)
     54 flag[10]=sub_401220(v36, 2)
     55 v37 = mul_401100(flag[11], 1000000)
     56 v38 = sub_401220(v37, 999999)
     57 v39 = mul_401100(v38, 4)
     58 flag[11]=add_401000(v39, 50)
     59 v40 = add_401000(flag[12], 1)
     60 v41 = add_401000(v40, 1)
     61 v42 = add_401000(v41, 1)
     62 v43 = add_401000(v42, 1)
     63 v44 = add_401000(v43, 1)
     64 v45 = add_401000(v44, 1)
     65 v46 = add_401000(v45, 10)
     66 flag[12]=add_401000(v46, 32)
     67 v47 = mul_401100(flag[13], 10)
     68 v48 = sub_401220(v47, 5)
     69 v49 = mul_401100(v48, 8)
     70 v50 = add_401000(v49, 9)
     71 flag[13]=add_401000(v50, 48)
     72 v51 = sub_401220(flag[14], 1)
     73 v52 = mul_401100(v51, -294967296)
     74 v53 = add_401000(v52, 55)
     75 flag[14]=sub_401220(v53, 3)
     76 v54 = add_401000(flag[15], 1)
     77 v55 = add_401000(v54, 2)
     78 v56 = add_401000(v55, 3)
     79 v57 = add_401000(v56, 4)
     80 v58 = add_401000(v57, 5)
     81 v59 = add_401000(v58, 6)
     82 v60 = add_401000(v59, 7)
     83 flag[15]=add_401000(v60, 20)
     84 v61 = mul_401100(flag[16], 10)
     85 v62 = sub_401220(v61, 5)
     86 v63 = mul_401100(v62, 8)
     87 v64 = add_401000(v63, 9)
     88 flag[16]=add_401000(v64, 48)
     89 v65 = add_401000(flag[17], 7)
     90 v66 = add_401000(v65, 6)
     91 v67 = add_401000(v66, 5)
     92 v68 = add_401000(v67, 4)
     93 v69 = add_401000(v68, 3)
     94 v70 = add_401000(v69, 2)
     95 v71 = add_401000(v70, 1)
     96 flag[17]=add_401000(v71, 20)
     97 v72 = add_401000(flag[18], 7)
     98 v73 = add_401000(v72, 2)
     99 v74 = add_401000(v73, 4)
    100 v75 = add_401000(v74, 3)
    101 v76 = add_401000(v75, 6)
    102 v77 = add_401000(v76, 5)
    103 v78 = add_401000(v77, 1)
    104 flag[18]=add_401000(v78, 20)
    105 v79 = mul_401100(flag[19], 1000000)
    106 v80 = sub_401220(v79, 999999)
    107 v81 = mul_401100(v80, 4)
    108 v82 = add_401000(v81, 50)
    109 flag[19]=sub_401220(v82, 1)
    110 v83 = sub_401220(flag[20], 1)
    111 v84 = mul_401100(v83, -294967296)
    112 v85 = add_401000(v84, 49)
    113 flag[20]=sub_401220(v85, 1)
    114 v86 = sub_401220(flag[21], 1)
    115 v87 = mul_401100(v86, 1000000000)
    116 v88 = add_401000(v87, 54)
    117 v89 = sub_401220(v88, 1)
    118 v90 = add_401000(v89, 1000000000)
    119 flag[21]=sub_401220(v90, 1000000000)
    120 v91 = add_401000(flag[22], 49)
    121 v92 = sub_401220(v91, 1)
    122 v93 = add_401000(v92, 2)
    123 flag[22]=sub_401220(v93, 1)
    124 v94 = mul_401100(flag[23], 10)
    125 v95 = sub_401220(v94, 5)
    126 v96 = mul_401100(v95, 8)
    127 v97 = add_401000(v96, 9)
    128 flag[23]=add_401000(v97, 48)
    129 v98 = add_401000(flag[24], 1)
    130 v99 = add_401000(v98, 3)
    131 v100 = add_401000(v99, 3)
    132 v101 = add_401000(v100, 3)
    133 v102 = add_401000(v101, 6)
    134 v103 = add_401000(v102, 6)
    135 v104 = add_401000(v103, 6)
    136 flag[24]=add_401000(v104, 20)
    137 v105 = add_401000(flag[25], 55)
    138 v106 = sub_401220(v105, 33)
    139 v107 = add_401000(v106, 44)
    140 v108 = sub_401220(v107, 11)
    141 flag[25]=add_401000(v108, 42)
    142 flag[26]=add_401000(flag[26], flag[25])
    143 flag[27]=add_401000(flag[27], flag[12])
    144 v109 = flag[27]
    145 v110 = sub_401220(flag[28], 1)
    146 v111 = add_401000(v110, v109)
    147 flag[28]=sub_401220(v111, 1)
    148 v112 = flag[23]
    149 v113 = sub_401220(flag[29], 1)
    150 v114 = mul_401100(v113, 1000000)
    151 flag[29]=add_401000(v114, v112)
    152 v115 = flag[27]
    153 v116 = add_401000(flag[30], 1)
    154 flag[30]=mul_401100(v116, v115)
    155 flag[31]=add_401000(flag[31], flag[30])
    156 print("CTF{"+''.join(map(chr,flag))+"}")

    Your flag is:
    CTF{daf8f4d816261a41a115052a1bc21ade}

  • 相关阅读:
    区块链中的密码学
    初识nodeJS
    JS或jQuery获取当前屏幕宽度
    jQuery与Zepto的异同
    使用递归解决斐波那契数列的性能问题
    sass高级语法的补充
    sass的高级语法
    栅格 CSS中的循环 媒体查询
    Zepto
    dedecms 留言板中引用模板文件方法
  • 原文地址:https://www.cnblogs.com/DirWang/p/11586159.html
Copyright © 2020-2023  润新知