
18/10/05-5-BugKu-逆向-LittleRotatorGame(NJCTF)


0x00

題目鏈接:https://pan.baidu.com/s/1FLIaSN6EOe34qQNO_8yi-g
提取碼:phou

0x01

native層分析

根據提示,程序使用了 O-LLVM 混淆。用 IDA 分析 ANativeActivity_onCreate 函數,關注以下片段:

1 v24 = flg((int)v67, &v89);
2                                           j___android_log_print(4, "an-activity", "The flag is:njctf{%s}", v24);
3                                           v4 = -681054051
; 4 v25 = v2; 5 v66 = v2; 6 goto LABEL_214;

可看出flag與flg函數有關。

0x02

分析 flg 函數。

/*
 * IDA pseudo-code of the native flg() routine, reproduced from the
 * write-up (register annotations on the locals are IDA's).
 *
 * a1 - the caller's input value (v67 in the onCreate listing above).
 *      Every decimal digit from the units place up to the millions
 *      place (a1 / 1000000 % 10) is consumed, so only 7-digit inputs
 *      produce a meaningful last digit.
 * a2 - output buffer, 13 bytes are written: a2[0..10] one char each,
 *      then a 16-bit store at a2 + 11 whose low byte is the final
 *      character and whose high byte is 0 (the value is cast through
 *      unsigned __int8 before the widening store), which acts as the
 *      string terminator.  The caller must provide at least 13 bytes.
 * Returns a2.
 *
 * Every a2[i] store narrows an int into a char, so the computed values
 * are reduced to a single byte; any model of this routine has to do the
 * same to reproduce its output exactly.
 */
char *__fastcall flg(int a1, char *a2)
{
  int v2; // ST0C_4
  int v3; // r4
  int v4; // r0
  char v5; // ST08_1
  int v6; // ST10_4
  int v7; // r0
  int v8; // r2
  int v9; // r0
  int v10; // r3
  int v11; // r0

  v2 = a1;
  v3 = a1;
  v4 = a1 % 10;             // units digit
  v5 = v4;
  *a2 = 20 * v4;
  v6 = v3 / 100 % 10;       // hundreds digit
  v7 = 19 * v6 + 20 * v4;
  a2[1] = v7;
  a2[2] = v7 - 4;
  v8 = v3 / 10 % 10;        // tens digit
  a2[3] = v3 / 1000000 % 10 + 11 * v8;   // millions digit enters here
  v9 = v3 / 10000 % 10;     // ten-thousands digit
  v10 = v3 / 1000 % 10;     // thousands digit
  a2[4] = 20 * v10 - v9;
  a2[5] = (v8 + v5) * v10;
  a2[6] = v8 * v10 * v9;
  v11 = v2 / 100000 % 10;   // hundred-thousands digit
  a2[7] = 20 * v11 - v6;
  a2[8] = 10 * v10 | 1;
  a2[9] = (v8 + v5) * v11 - 1;
  a2[10] = v5 * v8 * v6 * v6 - 4;
  // 2-byte store: low byte is the last flag character, high byte is 0.
  *(_WORD *)(a2 + 11) = (unsigned __int8)((v6 + v8) * v11 - 5);
  return a2;
}

發現有 /1000000 % 10 的運算,說明輸入的數至少為 1000000(七位數),範圍有限,可以進行爆破。

0x03

寫腳本進行爆破,範圍從 1000000 到 10000000(不含)。

cpp腳本

#include <cstdio>
#include <iostream>
 2 void check(int num);
 3 int ok(char);
// Entry point: walk every 7-digit candidate (flg() consumes digits up to
// the millions place) and let check() print the ones whose decoded bytes
// are all alphanumeric.
int main(void)
{
    const int first = 1000000;
    const int last = 10000000;   // exclusive upper bound
    int candidate = first;
    while (candidate < last) {
        check(candidate);
        ++candidate;
    }
    return 0;
}
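// Alphanumeric test used to filter brute-force candidates: the flag is
// expected to consist only of [0-9A-Za-z].  Declared near the top of the
// script; this is its definition.
int ok(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');
}

// Model of the native flg() routine for one candidate input: derive the
// 12 flag bytes from the decimal digits of num and print them when every
// byte is alphanumeric.  num should lie in [1000000, 9999999] so that the
// millions digit (num / 1000000 % 10) is meaningful.
void check(int num)
{
    char flag[13];
    int v4 = num % 10;            // units
    int v6 = num / 100 % 10;      // hundreds
    int v8 = num / 10 % 10;       // tens
    int v9 = num / 10000 % 10;    // ten-thousands
    int v10 = num / 1000 % 10;    // thousands
    int v11 = num / 100000 % 10;  // hundred-thousands
    int v7 = 19 * v6 + 20 * v4;

    // Each store narrows an int to char, like the byte stores in flg(); a
    // value outside 0..127 is therefore rejected by ok() below, exactly as
    // the corresponding byte would not be a printable letter or digit.
    flag[0] = static_cast<char>(20 * v4);
    flag[1] = static_cast<char>(v7);
    flag[2] = static_cast<char>(v7 - 4);
    flag[3] = static_cast<char>(num / 1000000 % 10 + 11 * v8);
    flag[4] = static_cast<char>(20 * v10 - v9);
    flag[5] = static_cast<char>((v8 + v4) * v10);
    flag[6] = static_cast<char>(v8 * v10 * v9);
    flag[7] = static_cast<char>(20 * v11 - v6);
    flag[8] = static_cast<char>(10 * v10 | 1);
    flag[9] = static_cast<char>((v8 + v4) * v11 - 1);
    flag[10] = static_cast<char>(v4 * v8 * v6 * v6 - 4);
    flag[11] = static_cast<char>((v6 + v8) * v11 - 5);
    flag[12] = '\0';   // terminator, so flag can be printed with %s

    for (int i = 0; i < 12; i++) {
        if (!ok(flag[i])) {
            return;   // one non-alphanumeric byte is enough to reject
        }
    }
    std::printf("%s\n", flag);
}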

python腳本

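def check1(num):
    """Model of the native flg() routine for one candidate input.

    Derives the 12 flag bytes from the decimal digits of ``num`` (units up
    to the millions place, so ``num`` should be >= 1000000) and, when every
    byte is alphanumeric, prints the decoded string.

    Returns the decoded string when it is fully alphanumeric, else None.
    """
    # Floor division keeps the digit extraction identical under Python 2
    # and Python 3 (``/`` yields floats on Python 3 and chr() would fail).
    v4 = num % 10               # units
    v6 = num // 100 % 10        # hundreds
    v8 = num // 10 % 10         # tens
    v9 = num // 10000 % 10      # ten-thousands
    v10 = num // 1000 % 10      # thousands
    v11 = num // 100000 % 10    # hundred-thousands
    v7 = 19 * v6 + 20 * v4
    values = [
        20 * v4,
        v7,
        v7 - 4,
        num // 1000000 % 10 + 11 * v8,
        20 * v10 - v9,
        (v8 + v4) * v10,
        v8 * v10 * v9,
        20 * v11 - v6,
        10 * v10 | 1,
        (v8 + v4) * v11 - 1,
        v4 * v8 * v6 * v6 - 4,
        (v6 + v8) * v11 - 5,
    ]
    # flg() stores every value into a char, so only the low byte survives;
    # keep the same byte semantics here (and in line with the C++ script).
    flag = [v & 0xFF for v in values]
    for byte in flag:
        if check2(byte):
            return None
    decoded = ''.join(chr(byte) for byte in flag)
    print(decoded)
    return decoded


def check2(num):
    """Return 0 when ``num`` is the code of an ASCII letter or digit, else 1.

    The inverted convention (truthy means "reject") is what check1 relies on.
    """
    if ord('A') <= num <= ord('Z'):
        return 0
    if ord('a') <= num <= ord('z'):
        return 0
    if ord('0') <= num <= ord('9'):
        return 0
    return 1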
41 
42 
# Brute force every 7-digit input; check1() prints each candidate whose
# decoded flag is purely alphanumeric.
for candidate in range(1000000, 10000000):
    check1(candidate)

python 跑得會比較慢。腳本只以「全部字元都是字母或數字」作為過濾條件,因此會輸出多個候選字串,其中一個即是 flag。
