
SUCTF 2016 : dMd

发布时间:2020-12-14 01:44:14 所属栏目:Linux 来源:网络整理

这个题可以说是比较坑了(还不是我很弱...)

Linux跑一下:

要输密码

ida打开看看:

// IDA (Hex-Rays) pseudocode for main() of the dMd crackme, not compilable source.
// It prints a prompt, reads a key, calls md5() on it and compares the first 32
// characters of the result with hard-coded decimal constants, which are ASCII
// codes of hex digits. Both branches set result to 0, so the exit status does
// not reveal whether the key matched.
int __cdecl main(int argc,const char **argv,const char **envp)
{
  // v3..v21 and v23..v37 hold the stream returned by each chained operator<< call.
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  __int64 v13; // rax
  __int64 v14; // rax
  __int64 v15; // rax
  __int64 v16; // rax
  __int64 v17; // rax
  __int64 v18; // rax
  __int64 v19; // rax
  __int64 v20; // rax
  __int64 v21; // rax
  int result; // eax
  __int64 v23; // rax
  __int64 v24; // rax
  __int64 v25; // rax
  __int64 v26; // rax
  __int64 v27; // rax
  __int64 v28; // rax
  __int64 v29; // rax
  __int64 v30; // rax
  __int64 v31; // rax
  __int64 v32; // rax
  __int64 v33; // rax
  __int64 v34; // rax
  __int64 v35; // rax
  __int64 v36; // rax
  __int64 v37; // rax
  // v38: allocator object passed to the std::string constructor below.
  char v38; // [rsp+Fh] [rbp-71h]
  // v39: std::string built from the raw input.
  char v39; // [rsp+10h] [rbp-70h]
  // v40: std::string receiving the md5() result.
  char v40; // [rsp+20h] [rbp-60h]
  // v41: c_str() pointer into v40, used by the comparison chain.
  _BYTE *v41; // [rsp+28h] [rbp-58h]
  // v42: input buffer. It is typed as one char but used as a char buffer; the
  // frame offsets leave 0x38 bytes between it and v43 (presumably a char array
  // in the original source; TODO confirm its declared size).
  char v42; // [rsp+30h] [rbp-50h]
  // v43: copy of the value read from fs:0x28.
  unsigned __int64 v43; // [rsp+68h] [rbp-18h]

  // On x86-64 Linux, fs:0x28 is the stack-protector canary slot; the matching
  // check before return is not shown in this listing.
  v43 = __readfsqword(0x28u);
  // NOTE(review): the prompt presumably ended in "\n"; the backslash looks lost
  // in the page extraction.
  std::operator<<<std::char_traits<char>>(&std::cout,"Enter the valid key!n",envp);
  // `edata` is most likely a mislabelled std::cin (confirm in the binary).
  // operator>> into a raw char buffer has no length limit unless a stream width
  // is set, so a key longer than the buffer overruns the stack frame; code of
  // your own should read into std::string instead.
  std::operator>><char,std::char_traits<char>>(&edata,&v42);
  std::allocator<char>::allocator((__int64)&v38);
  std::string::string(&v39,&v42,&v38);
  md5((MD5 *)&v40,(const std::string *)&v39);
  v41 = (_BYTE *)std::string::c_str((std::string *)&v40);
  // v40 is destroyed right after its c_str() pointer is saved, so v41 dangles
  // and the comparisons below read storage that has already been released.
  // Presumably the source stored `md5(s).c_str()` in a pointer; TODO confirm.
  std::string::~string((std::string *)&v40);
  std::string::~string((std::string *)&v39);
  std::allocator<char>::~allocator(&v38);
  // The 32 constants decode (ASCII) to "780438d5b6e29db0898bc4f0225935c0".
  // Any single mismatch takes the failure branch.
  if ( *v41 != 55
    || v41[1] != 56
    || v41[2] != 48
    || v41[3] != 52
    || v41[4] != 51
    || v41[5] != 56
    || v41[6] != 100
    || v41[7] != 53
    || v41[8] != 98
    || v41[9] != 54
    || v41[10] != 101
    || v41[11] != 50
    || v41[12] != 57
    || v41[13] != 100
    || v41[14] != 98
    || v41[15] != 48
    || v41[16] != 56
    || v41[17] != 57
    || v41[18] != 56
    || v41[19] != 98
    || v41[20] != 99
    || v41[21] != 52
    || v41[22] != 102
    || v41[23] != 48
    || v41[24] != 50
    || v41[25] != 50
    || v41[26] != 53
    || v41[27] != 57
    || v41[28] != 51
    || v41[29] != 53
    || v41[30] != 99
    || v41[31] != 48 )
  {
    // Mismatch: writes "Invalid Key! :(" one character code at a time.
    v23 = std::operator<<<std::char_traits<char>>(&std::cout,73LL);
    v24 = std::operator<<<std::char_traits<char>>(v23,110LL);
    v25 = std::operator<<<std::char_traits<char>>(v24,118LL);
    v26 = std::operator<<<std::char_traits<char>>(v25,97LL);
    v27 = std::operator<<<std::char_traits<char>>(v26,108LL);
    v28 = std::operator<<<std::char_traits<char>>(v27,105LL);
    v29 = std::operator<<<std::char_traits<char>>(v28,100LL);
    v30 = std::operator<<<std::char_traits<char>>(v29,32LL);
    v31 = std::operator<<<std::char_traits<char>>(v30,75LL);
    v32 = std::operator<<<std::char_traits<char>>(v31,101LL);
    v33 = std::operator<<<std::char_traits<char>>(v32,121LL);
    v34 = std::operator<<<std::char_traits<char>>(v33,33LL);
    v35 = std::operator<<<std::char_traits<char>>(v34,32LL);
    v36 = std::operator<<<std::char_traits<char>>(v35,58LL);
    v37 = std::operator<<<std::char_traits<char>>(v36,40LL);
    std::ostream::operator<<(v37,&std::endl<char,std::char_traits<char>>);
    result = 0;
  }
  else
  {
    // Match: writes "The key is valid :)". This is only a status message; the
    // flag is the key that was typed in.
    v3 = std::operator<<<std::char_traits<char>>(&std::cout,84LL);
    v4 = std::operator<<<std::char_traits<char>>(v3,104LL);
    v5 = std::operator<<<std::char_traits<char>>(v4,101LL);
    v6 = std::operator<<<std::char_traits<char>>(v5,32LL);
    v7 = std::operator<<<std::char_traits<char>>(v6,107LL);
    v8 = std::operator<<<std::char_traits<char>>(v7,101LL);
    v9 = std::operator<<<std::char_traits<char>>(v8,121LL);
    v10 = std::operator<<<std::char_traits<char>>(v9,32LL);
    v11 = std::operator<<<std::char_traits<char>>(v10,105LL);
    v12 = std::operator<<<std::char_traits<char>>(v11,115LL);
    v13 = std::operator<<<std::char_traits<char>>(v12,32LL);
    v14 = std::operator<<<std::char_traits<char>>(v13,118LL);
    v15 = std::operator<<<std::char_traits<char>>(v14,97LL);
    v16 = std::operator<<<std::char_traits<char>>(v15,108LL);
    v17 = std::operator<<<std::char_traits<char>>(v16,105LL);
    v18 = std::operator<<<std::char_traits<char>>(v17,100LL);
    v19 = std::operator<<<std::char_traits<char>>(v18,32LL);
    v20 = std::operator<<<std::char_traits<char>>(v19,58LL);
    v21 = std::operator<<<std::char_traits<char>>(v20,41LL);
    // NOTE(review): this call looks truncated by the page extraction; the
    // parallel call in the failure branch passes &std::endl<char,std::char_traits<char>>.
    std::ostream::operator<<(v21,std::char_traits<char>>);
    result = 0;
  }
  return result;
}

可以看出来,程序先对输入的字符串计算 md5(严格说是哈希,不是加密),再把得到的 32 位十六进制摘要逐字符与硬编码的值比对,全部相同才会输出成功提示

一开始我以为flag应该是输出的字符 于是:

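# ASCII codes written by the success branch of main(), in output order.
# Repeated values are kept: dropping them yields "The kyisvald:)" instead of
# the message the program really prints.
a = [84, 104, 101, 32, 107, 101, 121, 32, 105, 115, 32,
     118, 97, 108, 105, 100, 32, 58, 41]

# Decode every code point back to its character and join them.
s = "".join(chr(i) for i in a)

print(s)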

结果输出是:

The key is valid :)

okey....应该是考虑错了

那么就是md5这里:

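# The 32 constants from the comparison chain in main(), v41[0] .. v41[31].
# Each one is the ASCII code of a hex digit of the expected MD5 digest.
b = [55, 56, 48, 52, 51, 56, 100, 53, 98, 54, 101, 50, 57, 100, 98, 48,
     56, 57, 56, 98, 99, 52, 102, 48, 50, 50, 53, 57, 51, 53, 99, 48]

# Decode every code point back to its character and join them.
s = "".join(chr(i) for i in b)

print(s)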

输出:

780438d5b6e29db0898bc4f0225935c0

这是md5哈希值。md5是单向哈希,不能真正"解密",这里是拿它去已知明文的哈希库里反查:

输出是 grape

满心欢喜提交 错误......

仔细看一下这个md5的类型:

md5(md5($pass))

也就是加密了之后又进行了一遍md5加密的 所以grape是最初的字符串 780438d5b6e29db0898bc4f0225935c0是最终的密文

程序只对输入做一次md5,要让结果等于 780438d5b6e29db0898bc4f0225935c0,输入的key就必须是 grape 做一次md5得到的中间字符串!

将 grape 加密一遍得到:

b781cbb29054db12f88f08c6e161c199

提交正确!
