ShaktiCTF 2021 - BomB 본문
문제
플래그 형식이 shaktiCTF라고 알려준다.
// Decompiler (pseudo-C) listing of the challenge's main().
// Flow visible below: read a key string, validate it, XOR it into a 15-byte
// constant, then use 14 bytes of that result as a repeating XOR mask over the
// 46 values in v11 to build the string that is printed.
// Returns 0 on the path that reaches the end; every failed check calls bomb().
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // rax
__int64 v5; // rax
int i; // [rsp+4h] [rbp-12Ch]
int j; // [rsp+8h] [rbp-128h]
int k; // [rsp+Ch] [rbp-124h]
char v10[32]; // [rsp+20h] [rbp-110h] BYREF
int v11[47]; // [rsp+40h] [rbp-F0h]
char s[10]; // [rsp+FFh] [rbp-31h] BYREF
// v13, v14, v15 and v16 sit at consecutive stack offsets (rbp-27h .. rbp-19h),
// so the code below can address them as one 15-byte buffer starting at &v13.
__int64 v13; // [rsp+109h] [rbp-27h] BYREF
int v14; // [rsp+111h] [rbp-1Fh]
__int16 v15; // [rsp+115h] [rbp-1Bh]
char v16; // [rsp+117h] [rbp-19h]
unsigned __int64 v17; // [rsp+118h] [rbp-18h]
// Reads the qword at fs:0x28 -- presumably the stack-protector canary; v17 is
// not used again in this listing.
v17 = __readfsqword(0x28u);
s[9] = 0;
Keyboard();
// NOTE(review): as decompiled, the extraction into the 10-byte buffer s shows
// no width limit, and the length check only runs after the read. Confirm
// against the binary whether input longer than 9 characters is bounded.
std::operator>><char,std::char_traits<char>>(&std::cin, s);
// The key must be exactly 9 characters long.
if ( strlen(s) != 9 )
bomb();
// Only s[0]..s[7] are required to be ASCII digits; s[8] is not checked here.
for ( i = 0; i <= 7; ++i )
{
if ( s[i] > '9' || s[i] <= '/' )
bomb();
}
// 15 constant bytes, stored little-endian across v13 / v14 / v15 / v16.
v13 = 0x313176D171310LL;
v14 = 0x201034B;
v15 = 0x705;
v16 = 0;
// XOR the 15 constant bytes in place with the key, repeating the key every
// 9 characters.
for ( j = 0; (unsigned __int64)j <= 14; ++j )
*((_BYTE *)&v13 + j) ^= s[j % strlen(s)]; // strlen(s) = 9
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v10);
// Sanity check on the mask: bytes 2, 5 and 8 (the low byte of v14) must be
// '#', '!' and '}' after the XOR, which constrains s[2], s[5] and s[8].
if ( BYTE2(v13) != '#' || BYTE5(v13) != '!' || (_BYTE)v14 != '}' )
bomb();
// 46 encoded values; only the low byte of each is used below. The array is
// declared with 47 elements but index 46 is never written in this listing.
v11[0] = 0x55;
v11[1] = 0x4C;
v11[2] = 0x42;
v11[3] = 0x35;
v11[4] = 0x50;
v11[5] = 0x48;
v11[6] = 0x76;
v11[7] = 0x62;
v11[8] = 0x3B;
v11[9] = 0x4E;
v11[10] = 0x62;
v11[11] = 0x7E;
v11[12] = 5;
v11[13] = 0x6B;
v11[14] = 100;
v11[15] = 75;
v11[16] = 110;
v11[17] = 60;
v11[18] = 123;
v11[19] = 16;
v11[20] = 17;
v11[21] = 105;
v11[22] = 57;
v11[23] = 6;
v11[24] = 119;
v11[25] = 85;
v11[26] = 98;
v11[27] = 93;
v11[28] = 112;
v11[29] = 16;
v11[30] = 87;
v11[31] = 109;
v11[32] = 96;
v11[33] = 126;
v11[34] = 82;
v11[35] = 100;
v11[36] = 78;
v11[37] = 1;
v11[38] = 98;
v11[39] = 105;
v11[40] = 65;
v11[41] = 4;
v11[42] = 116;
v11[43] = 79;
v11[44] = 2;
v11[45] = 35;
// Decode: append v11[k] XOR mask[k % 14] to v10 for k = 0..45. The mask index
// wraps at 14, so the 15th XORed byte (v16) is never read by this loop.
for ( k = 0; (unsigned __int64)k <= 45; ++k )
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(
v10,
(unsigned int)(char)(LOBYTE(v11[k]) ^ *((_BYTE *)&v13 + k % 14)));
// Spot-check five positions of the decoded string (0, 3, 6, 11, 45) before
// printing it; any mismatch calls bomb().
if ( *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v10, 3LL) != 'k'
|| *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v10, 0LL) != 's'
|| *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v10, 6LL) != 'C'
|| *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v10, 11LL) != 'H'
|| *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v10, 45LL) != '}' )
{
bomb();
}
// Print the decoded string between "<:: " and " ::>\n".
v4 = std::operator<<<std::char_traits<char>>(&std::cout, "<:: ");
v5 = std::operator<<<char>(v4, v10);
std::operator<<<std::char_traits<char>>(v5, " ::>\n");
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v10);
return 0;
}
메인 함수
def main():
    """Recover leading key characters with a known-plaintext XOR.

    In the binary, output[i] = v11[i] ^ v13[i] ^ key[i] for i < 9 (both the
    key index i % 9 and the mask index i % 14 equal i there), so
    key[i] = plaintext[i] ^ v11[i] ^ v13[i].

    The guessed plaintext below is "shakictf{", which agrees with the
    announced flag format "shaktiCTF" only in its first four characters,
    so only the first four printed characters are reliable.
    """
    # Constant bytes of v13 | v14 | v15 | v16 in memory (little-endian) order.
    mask_seed = [
        0x10, 0x13, 0x17, 0x6d, 0x17, 0x13, 0x03, 0,  # v13
        0x4b, 0x03, 0x01, 0x2,                        # v14
        0x05, 0x07,                                   # v15
        0,                                            # v16
    ]

    # Low bytes of v11[0..45] as assigned in the decompiled main().
    encoded = bytearray([
        0x55, 0x4C, 0x42, 0x35, 0x50, 0x48, 0x76, 0x62,
        0x3B, 0x4E, 0x62, 0x7E, 5, 0x6B, 100, 75,
        110, 60, 123, 16, 17, 105, 57, 6,
        119, 85, 98, 93, 112, 16, 87, 109,
        96, 126, 82, 100, 78, 1, 98, 105,
        65, 4, 116, 79, 2, 35,
    ])

    guess = "shakictf{"
    recovered = ''.join(
        chr(ord(ch) ^ encoded[pos] ^ mask_seed[pos])
        for pos, ch in enumerate(guess)
    )
    print(recovered)


main()
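출력 값 : 6743.8
스크립트에 넣은 평문 "shakictf{"는 실제 플래그 형식 shaktiCTF와 앞의 네 글자("shak")만 일치하므로, 출력 중 앞의 네 글자만 믿을 수 있다. 즉 입력 키의 앞자리가 6743이다.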
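def main():
    """Brute-force the five key characters that follow the prefix '6743'.

    Mirrors the decompiled main(): the 15 constant bytes (v13..v16) are XORed
    with the 9-character key repeated, and v11[k] is then XORed with byte
    k % 14 of that result. The candidate whose decoded text starts with
    'shaktiCTF' is printed.

    Returns:
        0, matching the original script.
    """
    # Loop-invariant tables, built once instead of once per candidate.
    # Constant bytes of v13 | v14 | v15 | v16 in memory (little-endian) order.
    mask_seed = bytes([
        0x10, 0x13, 0x17, 0x6d, 0x17, 0x13, 0x03, 0,  # v13
        0x4b, 0x03, 0x01, 0x2,                        # v14
        0x05, 0x07,                                   # v15
        0,                                            # v16
    ])
    # Low bytes of v11[0..45] as assigned in the decompiled main().
    encoded = bytes([
        0x55, 0x4C, 0x42, 0x35, 0x50, 0x48, 0x76, 0x62,
        0x3B, 0x4E, 0x62, 0x7E, 5, 0x6B, 100, 75,
        110, 60, 123, 16, 17, 105, 57, 6,
        119, 85, 98, 93, 112, 16, 87, 109,
        96, 126, 82, 100, 78, 1, 98, 105,
        65, 4, 116, 79, 2, 35,
    ])
    wanted = b'shaktiCTF'

    # Zero-padded so that suffixes with a leading '0' (00000-09999) are tried
    # as well; range(10000, 100000) with str() skipped them.
    # NOTE(review): the binary only digit-checks s[0..7]; treating the last
    # character as a digit is an assumption of this search.
    for brute in range(100000):
        s = ('6743' + '%05d' % brute).encode()
        mask = bytes(seed ^ s[j % len(s)] for j, seed in enumerate(mask_seed))

        # Decode only the nine-character prefix first; almost every candidate
        # is rejected here without decoding all 46 bytes.
        head = bytes(encoded[k] ^ mask[k % 14] for k in range(len(wanted)))
        if head != wanted:
            continue

        st = ''.join(chr(encoded[k] ^ mask[k % 14]) for k in range(len(encoded)))
        print(st)
        break
    return 0


main()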
나머지 다섯 자리는 브루트 포스(전수 조사)를 돌려서 풀었다.
플래그 : shaktiCTF{TH3_BoMb_1$_D3AcTiV4t3D_gR34T_w0Rk!}