hackme XCTF 3rd-GCTF-2017
__int64 __fastcall sub_400F8E(__int64 a1, __int64 a2)
{
char input[136]; // [rsp+10h] [rbp-B0h]
int v4; // [rsp+98h] [rbp-28h]
char v5; // [rsp+9Fh] [rbp-21h]
int v6; // [rsp+A0h] [rbp-20h]
unsigned __int8 c; // [rsp+A6h] [rbp-1Ah]
char b; // [rsp+A7h] [rbp-19h]
int index; // [rsp+A8h] [rbp-18h]
int j; // [rsp+ACh] [rbp-14h]
int temp; // [rsp+B0h] [rbp-10h]
int k; // [rsp+B4h] [rbp-Ch]
_BOOL4 sign; // [rsp+B8h] [rbp-8h]
int i; // [rsp+BCh] [rbp-4h] print_407470((__int64)"Give me the password: ", a2);
scanf_4075A0((__int64)"%s", input);
for ( i = 0; input[i]; ++i )
;
sign = i == 22; // 输入22位
k = 10; // 只验证了10个数
do
{
index = (signed int)f_406D90() % 22; // 生成随机数
temp = 0;
b = byte_6B4270[index];
c = input[index];
v6 = index + 1;
j = 0;
while ( j < v6 )
{
++j;
temp = 0x6D01788D * temp + 0x3039;
}
v5 = temp ^ c;
if ( b != ((unsigned __int8)temp ^ c) )
sign = 0;
--k;
}
while ( k );
if ( sign )
v4 = print_407470((__int64)"Congras\n");
else
v4 = print_407470((__int64)"Oh no!\n");
return 0LL;
}
程序流程:
验证输入22位–>生成随机数验证10位数
wp:
bs=[0x5F, 0xF2, 0x5E, 0x8B, 0x4E, 0x0E, 0xA3, 0xAA, 0xC7, 0x93,
0x81, 0x3D, 0x5F, 0x74, 0xA3, 0x09, 0x91, 0x2B, 0x49, 0x28,
0x93, 0x67]
flag=[0 for i in range(22)]
for index in range(22):
b=bs[index]
temp=0
for i in range(index+1):
temp=(0x6D01788D * temp + 0x3039)
flag[index]=(temp^b)&0xff
print(''.join(map(chr,flag)))
flag{d826e6926098ef46}
