Blaise

点击此处获得更好的阅读体验


WriteUp来源

https://dunsp4rce.github.io/csictf-2020/reversing/2020/07/22/Blaise.html

by AnandSaminathan

题目描述

I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.

题目考点

解题思路

On decompiling the binary using Ghidra:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
ulong process(uint param_1)
{
int iVar1;
ulong uVar2;
undefined4 extraout_var;
long in_FS_OFFSET;
int local_1c;
int local_18;
uint local_14;
long local_10;

local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_18 = 1;
local_14 = 0;
while (uVar2 = (ulong)local_14, (int)local_14 <= (int)param_1) {
__isoc99_scanf(&DAT_00102008,&local_1c);
iVar1 = C((ulong)param_1,(ulong)local_14,(ulong)local_14);
if (iVar1 != local_1c) {
local_18 = 0;
}
local_14 = local_14 + 1;
}
if (local_18 == 1) {
iVar1 = system("cat flag.txt");
uVar2 = CONCAT44(extraout_var,iVar1);
}
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return uVar2;
}
undefined8 main(void)
{
uint uVar1;
time_t tVar2;

setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
tVar2 = time((time_t *)0x0);
srand((uint)tVar2);
uVar1 = display_number(0xf,0x14,0x14);
process((ulong)uVar1);
return 0;
}

In summary, the main function calls a function called process with a random number as input. The process function prints the random number generated and has a while loop, in each iteration i an integer x is read and C(input, i) == x is checked, C is nothing but nCr. So if we give the correct nCr values for the given random number, the flag will be printed. We copy pasted the input manually using a simple function:

1
2
def C(n, r):
return fact(n) / (fact(r) * fact(n - r))

Flag

1
csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}