Offense and defense in the world reverse reverse-for-the-holy-grail-350

reverse-for-the-holy-grail-350   tu-ctf-2016

Program is a simple process, it is a test function:

 1 __int64 __fastcall stringMod(__int64 *a1)
 2 {
 3   __int64 length; // r9
 4   char *c_str; // r10
 5   __int64 i; // rcx
 6   signed int v4; // er8
 7   int *temp_2; // rdi
 8   int *temp_3; // rsi
 9   signed int t; // ecx
10   signed int j; // er9
11   int index; // er10
12   unsigned int tmp; // eax
13   int sign; // esi
14   int v12; // esi
15   int temp[24]; // [rsp+0h] [rbp-60h]
16 
17   memset(temp, 0, 0x48uLL);
18   length = a1[1];
19   if ( length )
20   {
21     c_str = (char *)*a1;
22     i = 0LL;
23     v4 = 0;
24     do
25     {
26       v12 = c_str[i];
27       temp[i] = v12;
28       if ( 3 * ((unsigned int)i / 3) == (_DWORD)i && v12 != firstchar[(unsigned int)i / 3] )// 当i是3的倍数时，str=first[i/3]
29                                                 // { 65, 105, 110, 69, 111, 97}
30         v4 = -1;
31       ++i;
32     }
33     while ( i != length );
34   }
35   else
36   {
37     v4 = 0;
38   }
39   temp_2 = temp;
40   temp_3 = temp;
41   t = 666;
42   do
43   {
44     *temp_3 = t ^ *(unsigned __int8 *)temp_3;
45     t += t % 5;
46     ++temp_3;
47   }
48   while ( &temp[18] != temp_3 );                //XOR operation 
49    J = . 1 ;
 50    index = 0 ;
 51 is    tmp = . 1 ;
 52 is    Sign = 0 ;
 53 is    do                                             // 0,1,2 every three validation number 
54 is    {
 55      IF (Sign == 2 )
 56 is      {
 57 is        IF (! * temp_2 thirdchar = [index])         // {751, 708, 732, 711, 734, 764, 0, 0}
 58                                                  // TEMP [2] = 
59          V4 = - . 1 ;
 60        IF ( tmp % *temp_2 != masterArray[index] )// { 471, 12, 580, 606, 147, 108 }
61                                                 // 
62                                                 // temp[0]*temp[1]%temp[2]=
63         v4 = -1;
64       ++index;
65       tmp = 1;
66       sign = 0;
67     }
68     else                                        // sign  0,1,
69     {
70       tmp *= *temp_2;                           // 0 tmp=temp[0]   
71                                                 // 1 tmp=temp[0]*temp[1]
72       if ( ++sign == 3 )
73         sign = 0;
74     }
75     ++j;
76     ++temp_2;
77   }
78   while ( j != 19 );                            // 18循环
79   return (unsigned int)(t * v4);
80 }

 

wp:

 1 firstchar=[65, 105, 110, 69, 111, 97]
 2 thirdchar=[751, 708, 732, 711, 734, 764]
 3 masterArray=[471, 12, 580, 606, 147, 108 ]
 4 t=[]
 5 x=666
 6 for i in range(18):
 7     t.append(x)
 8     x+=x%5
 9 flag=[0 for i in range(18)]
10 index=0
11 for i in range(0,18,3):
12     flag[i]=firstchar[index]  #0,3,6
13     index+=1
14 index=0
15 for i in range(2,18,3):
16     flag[i]=thirdchar[index]^t[i]  #2 5,8
17     index+=1
18 index=0
19 for i in range(1,18,3):
20     for f in range(32,126):  #常用可输入字符
21         if (flag[i-1]^t[i-1])*(f^t[i])%(flag[i+1]^t[i+1])==masterArray[index]:
22             flag[i]=f
23             index+=1
24             break;
25 
26 print('tuctf{'+''.join(map(chr,flag))+'}')

tuctf{AfricanOrEuropean?}