De1ctf: evil_boost

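Challenge analysis

The challenge parses the input arguments, extracts their values, and uses them in a calculation.

Further on there is a check: (cpp + py * js) ^ *(name + i)) != *(&v148 + i + 8)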

Solving it with IDAPython:

```python
# Bytes compared against in the check above; each one is the plaintext XOR 0x18.
flag = [0x4c,0x70,0x71,0x6b,0x38,0x71,0x6b,0x38,0x6c,0x70,0x7d,0x38,0x6f,0x6a,0x77,0x76,0x7f,0x38,0x7e,0x74,0x79,0x7f,0x36,0x36,0x36]
dest = ""

for i in flag:
    dest += chr(i ^ 0x18)
print(dest)
```

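The result is clearly "This is the wrong flag..."

Reading further:

The input name is 11 characters long.

The program then starts classifying the characters of the input name.

It counts the characters in 0~8 and in b~z, and any character of name that is not in 0~8 or b~z must be one of - / * ( )

Then it checks that the counts of 0~8 and b~z characters are 5 and 1 respectively, and that the second character is in b~z.

The final check is whether result equals 24.
It is easy to see that this is a 24-point game calculation.
The characters are 0~8 and - / * ( ), plus one letter, which should be e.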
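The checks listed above can be modelled in a few lines of Python, reading e as the scientific-notation exponent the way the scripts below do. This is an added example, not code recovered from the binary; the function names, float arithmetic, usual operator precedence and the restriction of the letter to e are assumptions.

```python
import re

DIGITS = "012345678"
TOKEN = re.compile(r"[0-8]e[0-8]|[0-8]|[-*/()]")  # number (optionally AeB) or operator

def passes_name_checks(name):
    """Length, character-class and position checks described in the analysis."""
    digits = sum(c in DIGITS for c in name)
    letters = sum("b" <= c <= "z" for c in name)
    legal = all(c in DIGITS + "-/*()" or "b" <= c <= "z" for c in name)
    return len(name) == 11 and legal and digits == 5 and letters == 1 and "b" <= name[1] <= "z"

def evaluate(expr):
    """Recursive-descent evaluation (assumed: floats, '*' and '/' bind tighter than '-')."""
    tokens = TOKEN.findall(expr) + ["$"]  # "$" marks end of input
    if "".join(tokens) != expr + "$":
        raise ValueError("unexpected character")
    def factor():
        tok = tokens.pop(0)
        if tok == "(":
            val = expression()
            if tokens.pop(0) != ")":
                raise ValueError("missing )")
            return val
        if tok[0] in DIGITS:
            return float(tok)  # "3e1" is parsed as 30.0
        raise ValueError("operand expected")
    def term():
        val = factor()
        while tokens[0] in ("*", "/"):
            op, rhs = tokens.pop(0), factor()
            val = val * rhs if op == "*" else val / rhs
        return val
    def expression():
        val = term()
        while tokens[0] == "-":
            tokens.pop(0)
            val -= term()
        return val
    result = expression()
    if tokens != ["$"]:
        raise ValueError("trailing input")
    return result

def accepts(name):
    try:
        return passes_name_checks(name) and abs(evaluate(name) - 24.0) < 1e-10
    except (ValueError, ZeroDivisionError):
        return False
```

For instance, the constructed name `3e1-(0*0)-6` is accepted because 3e1 is read as 30, while `1e2-(3*4)/5` passes the character checks but evaluates to 97.6.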

Scripts

My 17-hour script

```python
import itertools
import os

result = []
for num in itertools.product([0, 1, 2, 3, 4, 5, 6, 7, 8], repeat=5):
    for ops in itertools.product('-*/', repeat=3):
        # The three bracket placements tried for each digit/operator choice.
        bds = []
        bds.append('{0}e{1}{5}({2}{6}{3}){7}{4}'.format(*num, *ops))  # AeB#(C#D)#E
        bds.append('{0}e{1}{5}({2}{6}{3}{7}{4})'.format(*num, *ops))  # AeB#(C#D#E)
        bds.append('{0}e{1}{5}{2}{6}({3}{7}{4})'.format(*num, *ops))  # AeB#C#(D#E)
        for bd in bds:
            try:
                # Clear the console and redraw progress and hits for every candidate.
                os.system("cls")
                print("processing...{:.3f}%".format((10000*num[0]+1000*num[1]+100*num[2]+10*num[3]+num[4])/1000))
                for i in result:
                    print(i)
                # Python evaluates AeB as scientific notation here.
                if abs(eval(bd) - 24.0) < 1e-10:
                    result.append(bd)
            except ZeroDivisionError:  # division by zero
                continue
```

Master poker's 5-second script

```python
from hashlib import md5
from tqdm import tqdm


def solved1():
    # Shape: AeB#(C#D)#E
    case1 = ['-', '*', '/', '+']
    case2 = list(map(str, range(9)))  # a list, so the inner loops can iterate it repeatedly
    for n1 in tqdm(case2):
        for n2 in case2:
            for n3 in case2:
                for n4 in case2:
                    for n5 in case2:
                        for c1 in case1:
                            for c2 in case1:
                                for c3 in case1:
                                    exp = 'de1ctf{' + ''.join([n1, 'e', n2, c1, '(', n3, c2, n4, ')', c3, n5]) + '}'
                                    if md5(exp.encode()).hexdigest() == '293316bfd246fa84e566d7999df88e79':
                                        print(exp)
                                        exit()


def solved2():
    # Shape: AeB#(C#D#E)
    case1 = ['-', '*', '/', '+']
    case2 = list(map(str, range(9)))
    for n1 in tqdm(case2):
        for n2 in case2:
            for n3 in case2:
                for n4 in case2:
                    for n5 in case2:
                        for c1 in case1:
                            for c2 in case1:
                                for c3 in case1:
                                    exp = 'de1ctf{' + ''.join([n1, 'e', n2, c1, '(', n3, c2, n4, c3, n5, ')']) + '}'
                                    if md5(exp.encode()).hexdigest() == '293316bfd246fa84e566d7999df88e79':
                                        print(exp)
                                        exit()


if __name__ == '__main__':
    solved1()
    solved2()
```

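Summary

I spent a long time writing the script and then went to ask Master poker, only to find out that the e is scientific notation; I had assumed all along that it was the base of the natural logarithm... mmp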