Skip to content

Hw1

hw1

concept

  • normal work
    • 讀懂組語中加密函式的行為後便可以反向解出被加密的 flag

  • dirty work
    • 觀察到該程式是每次加密一個 byte,且每個 byte 互相獨立不影響加密計算。如此即可暴力窮舉出所有可視字元,依序破解每一個 byte

exploit

  • normal work
#!/usr/bin/env python

from struct import *

with open('flag') as fd: 
    data = fd.read()

data = unpack('<{}i'.format(len(data) / 4), data)

def encrypt(data):
    for idx, item in enumerate(data):
        tmp = (2 + idx) * 0xcccccccd
        D = tmp >> 32
        A = tmp & 0xffffffff
        D >>= 3
        A = D * 10
        C = (2 + idx - A) & 0xff
        D = idx + 1 
        D <<= C
        print hex(ord(item) * D + 0x2333)
    return

def decrypt(data):
    ans = ''
    for idx, item in enumerate(data):
        tmp = (2 + idx) * 0xcccccccd
        D = tmp >> 32
        A = tmp & 0xffffffff
        D >>= 3
        A = D * 10
        C = (2 + idx - A) & 0xff
        D = idx + 1 
        D <<= C
        ans += chr((item - 0x2333) / D)
    print ans 
    return

decrypt(data)
  • dirty work
#!/usr/bin/env python

from pwn import *
import string
import os

with open('ans') as fd: 
    ans = fd.read()

def gen_ans(data):
    os.system('echo \'{}\' | ./hw1 '.format(data))
    with open('flag') as fd: 
        res = fd.read()
    return res 

test_ans = 'FLAG{'

for k in xrange(33):
    for i in string.printable:
        if ans.startswith(gen_ans(test_ans + i)):
            test_ans += i
            break

print test_ans

flag

FLAG{Iost4SXskSmu53CbCAI5e52FBJkj1JKl}