攻防世界 reverse Newbie_calculations

Newbie_calculations Hack-you-2014

题目名百度翻译成新手计算,那我猜应该是个实现计算器的题目。。。。

IDA打开程序,发现一长串的函数反复调用,而且程序没有输入,只有输出。额,那这样的话程序运行就应该输出flag,但程序中肯定会有垃圾循环操作,就让你跑不出来。0.0

这种题目就要分析函数作用,简化,自己实现算法。

程序流程:

  /*
   * Body of the decompiled routine that the write-up calls the program flow
   * (its function header and local declarations are not part of the listing).
   * Every flag[i] starts at 1 and is then rewritten by a chain of
   * add_401000 / sub_401220 / mul_401100 calls. Each helper updates *a1 in
   * place and returns a1, so the vN results all point at the flag element
   * being built (v109, v112 and v115 are plain value copies), and ignoring
   * the return value of the last call in a chain loses nothing.
   */
  1 for ( i = 0; i < 32; ++i )
  2     flag[i] = 1;
  3   v121 = 0;
  4   puts("Your flag is:");
  5   v3 = mul_401100(flag, 0x3B9ACA00);
  6   v4 = sub_401220(v3, 0x3B9AC9CE);
  7   mul_401100(v4, 2);
  8   v5 = add_401000(&flag[1], 0x4C4B40);
  9   v6 = sub_401220(v5, 0x65B9AA);
 10   v7 = add_401000(v6, 1666666);
 11   v8 = add_401000(v7, 45);
 12   v9 = mul_401100(v8, 2);
 13   add_401000(v9, 5);
 14   v10 = mul_401100(&flag[2], 0x3B9ACA00);
 15   v11 = sub_401220(v10, 999999950);
 16   v12 = mul_401100(v11, 2);
 17   add_401000(v12, 2);
 18   v13 = add_401000(&flag[3], 55);
 19   v14 = sub_401220(v13, 3);
 20   v15 = add_401000(v14, 4);
 21   sub_401220(v15, 1);
 22   v16 = mul_401100(&flag[4], 100000000);
 23   v17 = sub_401220(v16, 99999950);
 24   v18 = mul_401100(v17, 2);
 25   add_401000(v18, 2);
 26   v19 = sub_401220(&flag[5], 1);
 27   v20 = mul_401100(v19, 1000000000);
 28   v21 = add_401000(v20, 55);
 29   sub_401220(v21, 3);
 30   v22 = mul_401100(&flag[6], 1000000);
 31   v23 = sub_401220(v22, 999975);
 32   mul_401100(v23, 4);
 33   v24 = add_401000(&flag[7], 55);
 34   v25 = sub_401220(v24, 33);
 35   v26 = add_401000(v25, 44);
 36   sub_401220(v26, 11);
 37   v27 = mul_401100(&flag[8], 10);
 38   v28 = sub_401220(v27, 5);
 39   v29 = mul_401100(v28, 8);
 40   add_401000(v29, 9);
 41   v30 = add_401000(&flag[9], 0);
 42   v31 = sub_401220(v30, 0);
 43   v32 = add_401000(v31, 11);
 44   v33 = sub_401220(v32, 11);
 45   add_401000(v33, 53);
 46   v34 = add_401000(&flag[10], 49);
 47   v35 = sub_401220(v34, 2);
 48   v36 = add_401000(v35, 4);
 49   sub_401220(v36, 2);
 50   v37 = mul_401100(&flag[11], 1000000);
 51   v38 = sub_401220(v37, 999999);
 52   v39 = mul_401100(v38, 4);
 53   add_401000(v39, 50);
 54   v40 = add_401000(&flag[12], 1);
 55   v41 = add_401000(v40, 1);
 56   v42 = add_401000(v41, 1);
 57   v43 = add_401000(v42, 1);
 58   v44 = add_401000(v43, 1);
 59   v45 = add_401000(v44, 1);
 60   v46 = add_401000(v45, 10);
 61   add_401000(v46, 32);
 62   v47 = mul_401100(&flag[13], 10);
 63   v48 = sub_401220(v47, 5);
 64   v49 = mul_401100(v48, 8);
 65   v50 = add_401000(v49, 9);
 66   add_401000(v50, 48);
 67   v51 = sub_401220(&flag[14], 1);
 68   v52 = mul_401100(v51, -294967296);
 69   v53 = add_401000(v52, 55);
 70   sub_401220(v53, 3);
 71   v54 = add_401000(&flag[15], 1);
 72   v55 = add_401000(v54, 2);
 73   v56 = add_401000(v55, 3);
 74   v57 = add_401000(v56, 4);
 75   v58 = add_401000(v57, 5);
 76   v59 = add_401000(v58, 6);
 77   v60 = add_401000(v59, 7);
 78   add_401000(v60, 20);
 79   v61 = mul_401100(&flag[16], 10);
 80   v62 = sub_401220(v61, 5);
 81   v63 = mul_401100(v62, 8);
 82   v64 = add_401000(v63, 9);
 83   add_401000(v64, 48);
 84   v65 = add_401000(&flag[17], 7);
 85   v66 = add_401000(v65, 6);
 86   v67 = add_401000(v66, 5);
 87   v68 = add_401000(v67, 4);
 88   v69 = add_401000(v68, 3);
 89   v70 = add_401000(v69, 2);
 90   v71 = add_401000(v70, 1);
 91   add_401000(v71, 20);
 92   v72 = add_401000(&flag[18], 7);
 93   v73 = add_401000(v72, 2);
 94   v74 = add_401000(v73, 4);
 95   v75 = add_401000(v74, 3);
 96   v76 = add_401000(v75, 6);
 97   v77 = add_401000(v76, 5);
 98   v78 = add_401000(v77, 1);
 99   add_401000(v78, 20);
100   v79 = mul_401100(&flag[19], 1000000);
101   v80 = sub_401220(v79, 999999);
102   v81 = mul_401100(v80, 4);
103   v82 = add_401000(v81, 50);
104   sub_401220(v82, 1);
105   v83 = sub_401220(&flag[20], 1);
106   v84 = mul_401100(v83, -294967296);
107   v85 = add_401000(v84, 49);
108   sub_401220(v85, 1);
109   v86 = sub_401220(&flag[21], 1);
110   v87 = mul_401100(v86, 1000000000);
111   v88 = add_401000(v87, 54);
112   v89 = sub_401220(v88, 1);
113   v90 = add_401000(v89, 1000000000);
114   sub_401220(v90, 1000000000);
115   v91 = add_401000(&flag[22], 49);
116   v92 = sub_401220(v91, 1);
117   v93 = add_401000(v92, 2);
118   sub_401220(v93, 1);
119   v94 = mul_401100(&flag[23], 10);
120   v95 = sub_401220(v94, 5);
121   v96 = mul_401100(v95, 8);
122   v97 = add_401000(v96, 9);
123   add_401000(v97, 48);
124   v98 = add_401000(&flag[24], 1);
125   v99 = add_401000(v98, 3);
126   v100 = add_401000(v99, 3);
127   v101 = add_401000(v100, 3);
128   v102 = add_401000(v101, 6);
129   v103 = add_401000(v102, 6);
130   v104 = add_401000(v103, 6);
131   add_401000(v104, 20);
132   v105 = add_401000(&flag[25], 55);
133   v106 = sub_401220(v105, 33);
134   v107 = add_401000(v106, 44);
135   v108 = sub_401220(v107, 11);
136   add_401000(v108, 42);
137   add_401000(&flag[26], flag[25]);  // from here on, operands are flag elements computed earlier
138   add_401000(&flag[27], flag[12]);
139   v109 = flag[27];
140   v110 = sub_401220(&flag[28], 1);
141   v111 = add_401000(v110, v109);
142   sub_401220(v111, 1);
143   v112 = flag[23];
144   v113 = sub_401220(&flag[29], 1);
145   v114 = mul_401100(v113, 1000000);
146   add_401000(v114, v112);
147   v115 = flag[27];
148   v116 = add_401000(&flag[30], 1);
149   mul_401100(v116, v115);
150   add_401000(&flag[31], flag[30]);
151   print_401C7F("CTF{");
152   for ( j = 0; j < 32; ++j )
153     print_401C7F("%c", SLOBYTE(flag[j]));  // only the low byte of each element is printed
154   print_401C7F("}\n");
155   return 0;
156 }

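这道题目的关键就在于如何识别出上面这些函数的作用。三个函数都是直接修改 a1 指向的值,再把 a1 原样返回,所以主流程里的 v3、v4 等变量其实都指向正在计算的那个 flag[i];函数里计数器从 -1 递减到 0 的循环依靠 32 位整数回绕,要执行约 2^32 次,这也正是程序实际跑不出结果的原因。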

 /*
  * mul_401100 (decompiler output): replaces *a1 with *a1 * a2 and returns a1.
  * The product is accumulated in v8 by calling add_401000(&v8, *a1) once per
  * decrement of a2. v2, v5, v6 and v7 are only written or fed into each
  * other; none of them reaches v8 or the stored result.
  * NOTE(review): the second loop counts v4 down from -1 to 0, which only
  * terminates through 32-bit wraparound (2^32 - 1 iterations); a negative a2
  * in the first loop behaves the same way.
  */
 1 _DWORD *__cdecl mul_401100(_DWORD *a1, int a2)
 2 {
 3   int v2; // ST20_4
 4   signed int v4; // [esp+Ch] [ebp-1Ch]
 5   int v5; // [esp+14h] [ebp-14h]
 6   int v6; // [esp+18h] [ebp-10h]
 7   int v7; // [esp+1Ch] [ebp-Ch]
 8   int v8; // [esp+20h] [ebp-8h]
 9 
10   v5 = *a1;
11   v6 = a2;
12   v4 = -1;
13   v8 = 0;
14   v7 = a2 * v5;
15   while ( a2 )                                  // adds *a1 into v8 a2 times, i.e. v8 = *a1 * a2
16   {
17     v2 = v7 * v5;
18     add_401000(&v8, *a1);
19     ++v7;
20     --a2;
21     v6 = v2 - 1;
22   }
23   while ( v4 )                                  // junk loop: when it ends *a1 has dropped by 1 (mod 2^32)
24   {
25     ++v7;
26     ++*a1;
27     --v4;
28     --v6;
29   }
30   ++*a1;                                        // puts back the 1 the junk loop took off
31   *a1 = v8;                                     // the product overwrites *a1, so the junk-loop edits are discarded
32   return a1;
33 }
 /*
  * add_401000 (decompiler output): adds a2 to *a1 in place and returns a1.
  * v4 starts at -1 - a2 + 1, i.e. -a2; the first loop decrements *a1 once per
  * step while v4 counts down to 0. In 32-bit arithmetic that is 2^32 - a2
  * steps, so the net change to *a1 is +a2 (for a2 == 0 the loop is skipped).
  * v2, v6 and v7 never influence *a1.
  */
 1 int *__cdecl add_401000(int *a1, int a2)
 2 {
 3   int v2; // edx
 4   int v4; // [esp+Ch] [ebp-18h]
 5   int v5; // [esp+10h] [ebp-14h]
 6   int v6; // [esp+18h] [ebp-Ch]
 7   signed int v7; // [esp+1Ch] [ebp-8h]
 8 
 9   v5 = -1;
10   v4 = -1 - a2 + 1;
11   v7 = 1231;
12   v2 = *a1;
13   v6 = a2 + 1231;
14   while ( v4 )                                  15                                                 // when this loop ends, *a1 == *a1 + a2
16   {
17     ++v7;
18     --*a1;                       // decrementing "-a2" times is the same as adding a2
19     --v4;
20     --v6;
21   }
22   while ( v5 )                                  // junk loop: v5 runs from -1 down to 0, leaving *a1 one lower (mod 2^32)
23   {
24     --v6;
25     ++*a1;
26     --v5;
27   }
28   ++*a1;                                        // the loop above took 1 off *a1; this +1 restores it
29   return a1;
30 }
 /*
  * sub_401220 (decompiler output): subtracts a2 from *a1 in place and returns a1.
  * v3 starts at -1 - a2 + 1, i.e. -a2; the first loop increments *a1 once per
  * step while v3 counts down to 0. In 32-bit arithmetic that is 2^32 - a2
  * steps, so the net change to *a1 is -a2 (for a2 == 0 the loop is skipped).
  * v5 and v6 never influence *a1.
  */
 1 _DWORD *__cdecl sub_401220(_DWORD *a1, int a2)
 2 {
 3   int v3; // [esp+8h] [ebp-10h]
 4   signed int v4; // [esp+Ch] [ebp-Ch]
 5   signed int v5; // [esp+14h] [ebp-4h]
 6   int v6; // [esp+14h] [ebp-4h]
 7 
 8   v4 = -1;
 9   v3 = -1 - a2 + 1;
10   v5 = -1;
11   while ( v3 )                                  // v3 starts at -a2
12   {
13     ++*a1;                                      // when the loop ends, *a1 == *a1 - a2
14     --v3;
15     --v5;
16   }
17   v6 = v5 * v5;
18   while ( v4 )                                  // junk loop: after it *a1 == *a1 - 1 (mod 2^32)
19   {
20     v6 *= 123;
21     ++*a1;
22     --v4;
23   }
24   ++*a1;                                        // +1 restores the value from before the junk loop
25   return a1;
26 }

 

wp:

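# Recomputes the flag that Newbie_calculations would print, without its junk
# loops: each decompiled helper is replaced by the arithmetic it implements.
# The binary operates on 32-bit values, so every result is reduced mod 2^32 to
# keep this model faithful even when an intermediate value goes negative or
# overflows (Python integers would otherwise grow without bound).

MASK32 = 0xFFFFFFFF


def mul_401100(a, b):
    """Return a * b as a 32-bit value (the binary's repeated-addition loop)."""
    return (a * b) & MASK32


def sub_401220(a, b):
    """Return a - b as a 32-bit value."""
    return (a - b) & MASK32


def add_401000(a, b):
    """Return a + b as a 32-bit value."""
    return (a + b) & MASK32


def _chain(value, *steps):
    """Apply (helper, operand) pairs to value from left to right."""
    for helper, operand in steps:
        value = helper(value, operand)
    return value


# Short aliases so each chain reads like the decompiled call sequence.
add, sub, mul = add_401000, sub_401220, mul_401100

# Every element starts at 1, as in the first loop of the decompiled flow.
flag = [1] * 32
print("Your flag is:")

# One statement per flag element; the steps follow the decompiled calls in order.
flag[0] = _chain(flag[0], (mul, 0x3B9ACA00), (sub, 0x3B9AC9CE), (mul, 2))
flag[1] = _chain(flag[1], (add, 0x4C4B40), (sub, 0x65B9AA), (add, 1666666),
                 (add, 45), (mul, 2), (add, 5))
flag[2] = _chain(flag[2], (mul, 0x3B9ACA00), (sub, 999999950), (mul, 2), (add, 2))
flag[3] = _chain(flag[3], (add, 55), (sub, 3), (add, 4), (sub, 1))
flag[4] = _chain(flag[4], (mul, 100000000), (sub, 99999950), (mul, 2), (add, 2))
flag[5] = _chain(flag[5], (sub, 1), (mul, 1000000000), (add, 55), (sub, 3))
flag[6] = _chain(flag[6], (mul, 1000000), (sub, 999975), (mul, 4))
flag[7] = _chain(flag[7], (add, 55), (sub, 33), (add, 44), (sub, 11))
flag[8] = _chain(flag[8], (mul, 10), (sub, 5), (mul, 8), (add, 9))
flag[9] = _chain(flag[9], (add, 0), (sub, 0), (add, 11), (sub, 11), (add, 53))
flag[10] = _chain(flag[10], (add, 49), (sub, 2), (add, 4), (sub, 2))
flag[11] = _chain(flag[11], (mul, 1000000), (sub, 999999), (mul, 4), (add, 50))
flag[12] = _chain(flag[12], (add, 1), (add, 1), (add, 1), (add, 1), (add, 1),
                  (add, 1), (add, 10), (add, 32))
flag[13] = _chain(flag[13], (mul, 10), (sub, 5), (mul, 8), (add, 9), (add, 48))
flag[14] = _chain(flag[14], (sub, 1), (mul, -294967296), (add, 55), (sub, 3))
flag[15] = _chain(flag[15], (add, 1), (add, 2), (add, 3), (add, 4), (add, 5),
                  (add, 6), (add, 7), (add, 20))
flag[16] = _chain(flag[16], (mul, 10), (sub, 5), (mul, 8), (add, 9), (add, 48))
flag[17] = _chain(flag[17], (add, 7), (add, 6), (add, 5), (add, 4), (add, 3),
                  (add, 2), (add, 1), (add, 20))
flag[18] = _chain(flag[18], (add, 7), (add, 2), (add, 4), (add, 3), (add, 6),
                  (add, 5), (add, 1), (add, 20))
flag[19] = _chain(flag[19], (mul, 1000000), (sub, 999999), (mul, 4), (add, 50), (sub, 1))
flag[20] = _chain(flag[20], (sub, 1), (mul, -294967296), (add, 49), (sub, 1))
flag[21] = _chain(flag[21], (sub, 1), (mul, 1000000000), (add, 54), (sub, 1),
                  (add, 1000000000), (sub, 1000000000))
flag[22] = _chain(flag[22], (add, 49), (sub, 1), (add, 2), (sub, 1))
flag[23] = _chain(flag[23], (mul, 10), (sub, 5), (mul, 8), (add, 9), (add, 48))
flag[24] = _chain(flag[24], (add, 1), (add, 3), (add, 3), (add, 3), (add, 6),
                  (add, 6), (add, 6), (add, 20))
flag[25] = _chain(flag[25], (add, 55), (sub, 33), (add, 44), (sub, 11), (add, 42))

# The last six elements take earlier, already-final elements as operands, so
# they must be evaluated in this order.
flag[26] = _chain(flag[26], (add, flag[25]))
flag[27] = _chain(flag[27], (add, flag[12]))
flag[28] = _chain(flag[28], (sub, 1), (add, flag[27]), (sub, 1))
flag[29] = _chain(flag[29], (sub, 1), (mul, 1000000), (add, flag[23]))
flag[30] = _chain(flag[30], (add, 1), (mul, flag[27]))
flag[31] = _chain(flag[31], (add, flag[30]))

# The binary prints only the low byte of each element, hence the & 0xFF.
print("CTF{" + "".join(chr(value & 0xFF) for value in flag) + "}")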

Your flag is:
CTF{daf8f4d816261a41a115052a1bc21ade}

 

posted @ 2019-09-26 09:45  DirWangK