点击此处 获得更好的阅读体验
WriteUp来源
https://dunsp4rce.github.io/csictf-2020/reversing/2020/07/22/Blaise.html
by AnandSaminathan
题目描述
I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.
题目考点
解题思路
On decompiling the binary using Ghidra:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 ulong process (uint param_1) int iVar1; ulong uVar2; undefined4 extraout_var; long in_FS_OFFSET; int local_1c; int local_18; uint local_14; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28 ); local_18 = 1 ; local_14 = 0 ; while (uVar2 = (ulong)local_14, (int )local_14 <= (int )param_1) { __isoc99_scanf(&DAT_00102008,&local_1c); iVar1 = C((ulong)param_1,(ulong)local_14,(ulong)local_14); if (iVar1 != local_1c) { local_18 = 0 ; } local_14 = local_14 + 1 ; } if (local_18 == 1 ) { iVar1 = system("cat flag.txt" ); uVar2 = CONCAT44(extraout_var,iVar1); } if (local_10 != *(long *)(in_FS_OFFSET + 0x28 )) { __stack_chk_fail(); } return uVar2; } undefined8 main (void ) uint uVar1; time_t tVar2; setbuf(stdout ,(char *)0x0 ); setbuf(stdin ,(char *)0x0 ); setbuf(stderr ,(char *)0x0 ); tVar2 = time((time_t *)0x0 ); srand((uint)tVar2); uVar1 = display_number(0xf ,0x14 ,0x14 ); process ((ulong)uVar1); return 0 ; }
In summary, the main function calls a function called process with a random number as input. The process function prints the random number generated and has a while loop, in each iteration i an integer x is read and C(input, i) == x is checked, C is nothing but nCr. So if we give the correct nCr values for the given random number, the flag will be printed. We copy pasted the input manually using a simple function:
1 2 def C (n, r) : return fact(n) / (fact(r) * fact(n - r))
Flag
1 csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}