唉,遇到几个比较繁琐的题目,搞的心态都有点炸了,0.0
magic
这题也就那样,初时想要用用 angr 跑了一下,没搞出来,之后再去好好搞清楚吧,也不是特别清楚运用。
然后就自己去看了,就是有三个 check 函数,直接把代码 copy 下来,循环爆破一下就行了。
不能动调
也不知道要干嘛
输入自动代码?angr?
还是要仔细一点,flag正确那个函数中有一个TEA加密,漏掉了 0.0
解一下直接得 flag
#include <stdio.h>
__int64* tea(__int64* a1) {int v2 = 1865817980*32;unsigned int v3 = *a1;unsigned int v4 = a1[1];for (int i = 0; i <= 31; ++i){v4 -= (v3 + v2) ^ (16 * v3 + 31) ^ ((v3 >> 5) + 124);v3 -= (v4 + v2) ^ (16 * v4 + 111) ^ ((v4 >> 5) + 54);v2 -= 1865817980;}*a1 = v3;a1[1] = v4;return a1;
}
int main() {__int64 v14[27];v14[0] = 1350288828LL;v14[1] = 731421218LL;v14[2] = 1671728960LL;v14[3] = 2831241988LL;v14[4] = 1951471770LL;v14[5] = 2319350991LL;v14[6] = 1657444641LL;v14[7] = 236674178LL;v14[8] = 3281411241LL;v14[9] = 3592850081LL;v14[10] = 581718275LL;v14[11] = 2597100926LL;v14[12] = 575307203LL;v14[13] = 3582510352LL;v14[14] = 3410176996LL;v14[15] = 3064018193LL;v14[16] = 1278546908LL;v14[17] = 1875831745LL;v14[18] = 2741062944LL;v14[19] = 2277786060LL;v14[20] = 2717472665LL;v14[21] = 1047384394LL;v14[22] = 1864926511LL;v14[23] = 1387033695LL;v14[24] = 2442177625LL;v14[25] = 383659259LL;for (int i = 0; i < 26; i += 2) {tea(&v14[i]);}for (int i = 0; i < 26; i++) {printf("%c", v14[i]);}return 0;
}
所以还是不能心急,要静下来
signin_keys
int __cdecl main(int argc, const char **argv, const char **envp)
{char *v3; // ediint v4; // ebxsize_t v5; // eaxchar *v6; // eaxchar key[16]; // [esp+10h] [ebp-FCh] BYREFchar v9[16]; // [esp+20h] [ebp-ECh] BYREFchar v10[16]; // [esp+30h] [ebp-DCh] BYREFchar Src[16]; // [esp+40h] [ebp-CCh] BYREFint v12[22]; // [esp+50h] [ebp-BCh] BYREFint v13[25]; // [esp+A8h] [ebp-64h] BYREFv3 = ch; // 12/4-.v4 = 0;__main();v12[5] = 0;v12[4] = 0;v12[0] = 1732584193;v12[1] = -271733879;v12[2] = -1732584194;v12[3] = 271733878;v13[5] = 0; // 用来md的应该,不影响flagv13[4] = 0;v13[0] = 1732584193;v13[1] = -271733879;v13[2] = -1732584194;v13[3] = 271733878;puts("input the keys and then I will give you flag:");while ( 1 ){v5 = strlen(v3);if ( v5 ){Src[0] = *v3 - v4;if ( v5 != 1 ){Src[1] = (v3[1] + 1 - v4) ^ 1;if ( v5 != 2 ){Src[2] = (v3[2] + 2 - v4) ^ 2;if ( v5 != 3 ){Src[3] = (v3[3] + 3 - v4) ^ 3;if ( v5 != 4 ){Src[4] = (v3[4] + 4 - v4) ^ 4;if ( v5 != 5 ){Src[5] = (v3[5] + 5 - v4) ^ 5;if ( v5 != 6 ){Src[6] = (v3[6] + 6 - v4) ^ 6;if ( v5 != 7 ){Src[7] = (v3[7] + 7 - v4) ^ 7;if ( v5 == 9 )Src[8] = (v3[8] + 8 - v4) ^ 8;}}}}}}}v6 = &Src[v5];}else{v6 = Src;}*v6 = 0;++v4;MD5Update(v12, Src, strlen(Src));MD5Final((int)v10, v12);printf("input the %dth key: ", v4);scanf("%s", key);MD5Update(v13, key, strlen(key));MD5Final((int)v9, v13);if ( v9[0] != v10[0]|| v9[1] != v10[1]|| v9[2] != v10[2]|| v9[3] != v10[3]|| v9[4] != v10[4]|| v9[5] != v10[5]|| v9[6] != v10[6]|| v9[7] != v10[7]|| v9[8] != v10[8]|| v9[9] != v10[9]|| v9[10] != v10[10]|| v9[11] != v10[11]|| v9[12] != v10[12]|| v9[13] != v10[13]|| v9[14] != v10[14]|| v9[15] != v10[15] ){break;}v3 += 10;if ( v4 == 8 ){puts("the keys is right, your flag is: flag{md5(your input)}");system("pause");return 0;}}puts("no no no, the key is wrong!");system("pause");return 0;
}
看了一下 wp :大致理解了,就是原来有一个 Src 被赋值后进行 md5,然后输入
key,也进行 md5,比较两个是否相同,应该是要 8 个key
要注意的是== v3 的值==
# from hashlib import md5
# v3 = [b'12/4-.', b'745.30', b'cdaf_`', b'42764/', b'uyirp{', b'fvigdm', b'\x80~exhl', b'xzv{zbf']
# data = []
# for i in range(len(v3)):
# v4 = 0
# for j in range(len(v3[i])):
# # Calculate the transformed value according to the given formula
# transformed_value = (v3[i][j] + j - v4) ^ j
# data.append(transformed_value)
# v4 += 1
# print("Transformed data:", data)
# # Convert data list to bytes and compute MD5 hash
# hash_value = md5(bytes(data)).hexdigest()
# print("MD5 hash:", hash_value)flag = []
b = [b'12/4-.', b'745.30', b'cdaf_`', b'42764/', b'uyirp{', b'fvigdm', b'\x80~exhl', b'xzv{zbf']
for v4, ch in enumerate(b):flag += [(v + i - v4) ^ i for i, v in enumerate(ch)]print(bytes(flag))
from hashlib import md5
print(md5(bytes(flag)).hexdigest())print('-----------')from hashlib import md5
b = [b'12/4-.', b'745.30', b'cdaf_`', b'42764/', b'uyirp{', b'fvigdm', b'\x80~exhl', b'xzv{zbf']
flag = []
index = 0
for v4 in range(len(b)):ch = b[v4]for i in range(len(ch)):transformed_value = (ch[i] + i - v4) ^ iflag.append(transformed_value)index += 1
print(bytes(flag))
print(md5(bytes(flag)).hexdigest())这个enumerate获取索引和值的方法需要学一下了,最近经常在wp遇到。
![[k8s源码]1.client-go集群外部署](https://i-blog.csdnimg.cn/direct/41d669b72c0144e59ade88107a40d5f3.png)
