跳转至

SHELLCTF2022 swift

1 题目:

$ ./swift 
alright here you go: 
wbppcugz{F4zp0i5_w3l1p5_sW_4_xHhO7j0r}
wait, do you not want to know the key?

原题见https://github.com/S-H-E-L-L/S.H.E.L.L-CTF-2022/tree/main/rev/swift

#include <stdio.h>

// shellctf{T4yl0r5_s3r1e5_oF_4_fUnC7i0n}
double func(int x)
{
    double sum = 1, oldsum = 0, term = 1;

    int i = 1;
    while(sum != oldsum)
    {
        oldsum = sum;
        term *= (double)x / i;
        sum += term;

        i++;
    }
    return sum;
}

void encrypt(char key[13]) // EULERSNUMBER
{
    double vals[12];

    //int offset[12] = {-2, -1, 1, 2, -3, 0, 5, -1, -1, 1, 3, 5}
    char offset[12] = "GVKCUSIVNABM";
    for(int i = 0; i < 12; i++)
    {
        vals[i] = func(key[i] - offset[i]);
        printf("%f ", vals[i]);
    }
    printf("\n");
}

int main()
{
    char flag[39] = "wbppcugz{F4zp0i5_w3l1p5_sW_4_xHhO7j0r}";
    printf("%s\n%s\n%s\n", "alright here you go: ", flag, "wait, do you not want to know the key?");
    encrypt("EULERSNUMBER");
}

2 调试:

GDB调试直接调用encrypt函数:

gef➤  p (size_t) encrypt("abcdefghij")
195729609428.838745 162754.791419 26489122129.843460 214643579785916.031250 8886110.520508 178482300.963187 10686474581524.464844 65659969.137331 532048240601.799072 639843493530054656.000000 -10496412488.786388 -24318586602600160.00000

构造与v4 = GVKCUSIVNABM差为 -11 ~ 0, 0 ~ 11的结果:

v4 = "GVKCUSIVNABM"
r = []
q = []
cnt = 0
for x in v4:
   r.append(chr(ord(x) + cnt))
   q.append(chr(ord(x) - cnt))
   cnt = cnt + 1

print("".join(r))
print("".join(q))

获得结果GWMFYXO]VJLXGUI@QNCOF88B,

GWMFYXO]VJLX
gef➤  p (size_t) encrypt("GWMFYXO]VJLX")
1.000000 2.718282 7.389056 20.085537 54.598150 148.413159 403.428793 1096.633158 2980.957987 8103.083928 22026.465795 59874.141715

GUI@QNCOF88B
gef➤  p (size_t) encrypt("GUI@QNCOF88B")
1.000000 0.367879 0.135335 0.049787 0.018316 0.006738 0.002479 0.000912 0.000335 0.000123 0.000045 0.000017

从out.txt中的输出,整理出差值:

c=[0.135335,0.367879,2.718282,7.389056,0.049787,1.000000,148.413159,0.367879,0.367879,2.718282,20.085537,148.413159]
调用的是:fun([-2, -1, 1, 2, -3, 0, 5, -1, -1, 1, 3, 5])

r = []
v4 = b"GVKCUSIVNABM"
i = 0
for x in [-2, -1, 1, 2, -3, 0, 5, -1, -1, 1, 3, 5]:
    r.append(v4[i] + x)
    i = i + 1

print(bytes(r))
输出EULERSNUMBER,在gdb中验证:

gef➤  p (size_t) encrypt("EULERSNUMBER")
0.135335 0.367879 2.718282 7.389056 0.049787 1.000000 148.413159 0.367879 0.367879 2.718282 20.085537 148.413159 

3 flag

解密wbppcugz{F4zp0i5_w3l1p5_sW_4_xHhO7j0r}:

onsite https://planetcalc.com/2468/, KEY : EULERSNUMBER make Transformed text shellctf{t4yl0r5_s3r1e5_of_4_func7i0n}, which is not correct flag

Site : https://www.dcode.fr/vigenere-cipher shellctf{T4yl0r5_s3r1e5_oF_4_fUnC7i0n}