当前位置:网站首页>[buuctf.reverse] 159_ [watevrCTF 2019]Watshell
[buuctf.reverse] 159_ [watevrCTF 2019]Watshell
2022-07-06 04:46:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
This question should be called c Introduction to language
__int64 __fastcall main(int a1, char **a2, char **a3)
{
int v4; // [rsp+Ch] [rbp-3A4h]
const char *nptr; // [rsp+18h] [rbp-398h]
char *s1; // [rsp+20h] [rbp-390h]
FILE *stream; // [rsp+28h] [rbp-388h]
char v8[32]; // [rsp+30h] [rbp-380h] BYREF
char v9[32]; // [rsp+50h] [rbp-360h] BYREF
__int64 v10[25]; // [rsp+70h] [rbp-340h] BYREF
char delim[2]; // [rsp+13Eh] [rbp-272h] BYREF
char v12[80]; // [rsp+140h] [rbp-270h] BYREF
char s[504]; // [rsp+190h] [rbp-220h] BYREF
unsigned __int64 v14; // [rsp+388h] [rbp-28h]
v14 = __readfsqword(0x28u);
signal(14, handler);
alarm(0x3Cu);
strcpy(delim, " ");
v4 = 0;
sub_13A5();
sub_157F();
puts("Welcome to watshell, we ofcourse use our own super secure cryptographic functions to ensure user privacy!");
printf("%s", "Command: ");
fflush(stdout);
fgets(s, 500, stdin);
strlen(s);
for ( nptr = strtok(s, delim); nptr && v4 != 25; nptr = strtok(0LL, delim) )// Space separated numbers
v10[v4++] = atol(nptr);
sub_EB7(v8, v9);
s1 = (char *)sub_11AF(v10, 8 * (v4 + 1), (__int64)(8 * (v4 + 1)) >> 63, v9);
if ( !strcmp(s1, "give_me_the_flag_please") )
{
stream = fopen("/home/ctf/flag.txt", "r");
if ( !stream )
printf("The file does not exist!");
fgets(v12, 74, stream);
printf("Alright, alright %s\n", v12);
fclose(stream);
}
free(s1);
return 0LL;
}
stay main Directly separate the input with spaces , Then convert to integer . It uses a function that is not commonly used but is introductory strok, This function will space ( Separator ) The position of is changed to 0 And return the pointer of the previous paragraph each time .
then sub_EB7() Can't understand , But because the input content is not used , So it must be a fixed value , use gdb Follow here and you will get the result .
And then call 11AF To encrypt , Process the integer just transferred one by one
for ( i = 0uLL; size >> 3 > i; i += 1uLL )
ptr[i] = sub_DC3(*(_QWORD *)(8 * i + a1), a4[2], *a4);// encryption pow(n,0x71,0x8f)
sub_DC3 It is also an entry-level Algorithm : Fast power reduction method
__int64 __fastcall sub_DC3(__int64 a1, __int64 a2, __int64 a3)
{
__int64 result; // rax
__int64 v4; // [rsp+18h] [rbp-8h]
if ( a1 < 0 || a2 < 0 || a3 <= 0 )
exit(1);
v4 = a1 % a3;
if ( !a2 )
return 1LL;
if ( a2 == 1 )
return a1 % a3;
if ( (a2 & 1) == 0 )
return sub_DC3(v4 * v4 % a3, a2 / 2, a3) % a3;
result = a2 % 2;
if ( a2 % 2 == 1 )
return v4 * sub_DC3(v4, a2 - 1, a3) % a3;
return result;
}
The method of program encryption is very clear : You are required to enter a string of numbers separated by spaces , Then each number is Rsa encryption (e:0x71,n:0x8f) Get a string "give_me_the_flag_please" Then the backstage will flag Give it out .
The sparrow is all ready .
边栏推荐
- I'd like to ask about the current MySQL CDC design. In the full volume phase, if a chunk's binlog backfill phase,
- Is the mode of education together - on campus + off campus reliable
- NPM command -- install dependent packages -- Usage / explanation
- ISP learning (2)
- [Zhao Yuqiang] deploy kubernetes cluster with binary package
- Programmers' position in the Internet industry | daily anecdotes
- MPLS experiment
- Coreldraw2022 new version new function introduction cdr2022
- 麦斯克电子IPO被终止:曾拟募资8亿 河南资产是股东
- How does vs change the project type?
猜你喜欢
CADD课程学习(8)-- 化合物库虚拟筛选(Virtual Screening)
DMA use of stm32
The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
Etcd database source code analysis -- etcdserver bootstrap initialization storage
比尔·盖茨晒18岁个人简历,48年前期望年薪1.2万美元
满足多元需求:捷码打造3大一站式开发套餐,助力高效开发
Bill Gates posted his 18-year-old resume and expected an annual salary of $12000 48 years ago
Database - MySQL storage engine (deadlock)
Redis - redis in action - redis actual combat - actual combat Chapter 1 - SMS login function based on redis - redis + token shared session application - with code
[Zhao Yuqiang] deploy kubernetes cluster with binary package
随机推荐
[Yu Yue education] reference materials of complex variable function and integral transformation of Northwestern Polytechnic University
flink sql 能同时读多个topic吗。with里怎么写
[try to hack] John hash cracking tool
Database - MySQL storage engine (deadlock)
web工程导入了mysql驱动jar包却无法加载到驱动的问题
几种RS485隔离通讯的方案介绍
Platformio create libopencm3 + FreeRTOS project
Excellent PM must experience these three levels of transformation!
Easyrecovery reliable and toll free data recovery computer software
MPLS experiment
ETCD数据库源码分析——etcdserver bootstrap初始化存储
Jd.com 2: how to prevent oversold in the deduction process of commodity inventory?
Patent | subject classification method based on graph convolution neural network fusion of multiple human brain maps
Knowledge consolidation source code implementation 3: buffer ringbuffer
ISP learning (2)
npm命令--安装依赖包--用法/详解
Programmers' position in the Internet industry | daily anecdotes
After learning classes and objects, I wrote a date class
饼干(考试版)
Certbot failed to update certificate solution