Linux-C特性逆向题

做题

[HNCTF 2022 WEEK3]Double

双进程

1
2
3
4
5
6
7
8
9
10
11
12
13
pipe(pipedes);//不同进程间传参,pipedes[0]为出口,pipedes[1]为入口
if(fork()){
    //后执行
    close(pipedes[1]);
    read(pipedes[0],&buf,1uLL);
    close(pipedes[0]);
}
else{
    //先执行
    close(pipedes[0]);
    write(pipedes[1],&s[j],1uLL);
    close(pipedes[1]);
};

几分钟整了一个脚本把数据段dump出来:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
//把定义复制过来,去掉换行,要转成十六进制,没有h的0转不出来,dup要自己删掉自己改
#include <cstdio>
#include <iostream>
#include <string>
using namespace std;
string map;
int chk;
int main(void){
    getline(cin,map);
    printf("\n\n\n");
    for(register int i=0;i<map.length();i++)
        if(map[i]=='h'){
            chk=0;
            for(register int j=1;j<=8;j++)
                if(!(((map[i-j]>=48)&&(map[i-j]<=57))||((map[i-j]>=65)&&(map[i-j]<=70)))){
                    chk=j;
                    break;
                };
            printf("0x");
            for(register int j=i-chk+1;j<=i-1;j++)
                printf("%c",map[j]);
            printf(",");
        };
    return 0;
};

exp:

1
2
3
4
5
enc=[0x1FAC,0x4F91,0x3796,0x0B584,0x0E18,0x0C1E2,0x7370,0x1FAC,0x0A880,0x0B8F1,0x233B,0x7370,0x27B8,0x4F91,0x0EB08,0x8BAC,0x5900,0x3081,0x4E1A,0x599D,0x5BE3,0x5C49,0x0F53B,0x0FFDA,0x0BA6F,0x3E5D,0x27B8,0x5B51,0x8A30,0x2A10]
arr=[0x3C0E,0x0C68C,0x4EE7,0x7BD6,0x0C318,0x0CF83,0x0EB1D,0x304F,0x0FF00,0x2C3A,0x666D,0x6798,0x0D015,0x1E56,0x562A,0x8A81,0x5C95,0x78A0,0x60ED,0x1114,0x0ADDB,0x732C,0x5190,0x1135,0x0E353,0x0E9C9,0x0AAF,0x2818,0x2636,0x9B26,0x3D09,0x18BF,0x2A64,0x4F3D,0x0AE5F,0x4E1A,0x496A,0x0DB84,0x24C3,0x0FFDA,0x378B,0x1F5E,0x0D071,0x8C71,0x62E,0x0D6D9,0x8F74,0x0E856,0x0EA45,0x0BEC4,0x486,0x0F140,0x729A,0x7FFD,0x0AFED,0x5F38,0x6FC,0x4BBD,0x3322,0x64DE,0x458F,0x8A30,0x7514,0x8BAC,0x0B584,0x0B8F1,0x72BC,0x0C1E2,0x0B0B0,0x5C49,0x0ABBF,0x539B,0x0DBD0,0x0DAC,0x0EB08,0x5BE3,0x3B32,0x0D535,0x1FAC,0x0FB63,0x0E18,0x3796,0x4F91,0x6644,0x97A8,0x0E06,0x0FB99,0x0A880,0x0C982,0x889B,0x4F89,0x3FE4,0x0EE7E,0x0BE7,0x8ACD,0x3208,0x2A10,0x6332,0x2AD6,0x3D0,0x0F53B,0x5900,0x16E,0x0F928,0x5B51,0x27B8,0x0BEEF,0x233B,0x17E,0x63F0,0x0C025,0x0E51D,0x3D44,0x6F36,0x16F9,0x3081,0x705F,0x0B776,0x599D,0x4EDC,0x6557,0x0BE16,0x8F0E,0x0BA6F,0x3E5D,0x7370,0x1746,0x6C0C,0x712B,0x5CBB,0x6359,0x8CAF,0x4ED7,0x0AEC8,0x0FBA7,0x74BD,0x0E3B1,0x5D37,0x4D4E,0x8104,0x0B410,0x8656,0x2176,0x23BB,0x245E,0x0A92E,0x0AD1A,0x0E530,0x0D77C,0x0E043,0x9116,0x0EDDC,0x0AB12,0x0D67,0x7685,0x3CB9,0x0BFCE,0x5A2B,0x39F9,0x908B,0x0FE3E,0x0BD18,0x0DB54,0x0CAB,0x3C56,0x0FE73,0x0D974,0x0F08,0x5B88,0x0A0F2,0x3D88,0x9DE4,0x935,0x52B4,0x0A340,0x0EA88,0x0BE72,0x6DCE,0x6A2B,0x3146,0x358,0x0F4F,0x0FA60,0x25EB,0x0DAC7,0x76A,0x3D67,0x43F0,0x9F9C,0x5B66,0x7163,0x8F3B,0x7EBB,0x5D1,0x62C4,0x9F95,0x1E06,0x5D58,0x0E984,0x75B3,0x0D5F,0x0EE58,0x2390,0x0FB91,0x28AA,0x87DD,0x0F5EA,0x443C,0x6742,0x1999,0x88E9,0x0FD0E,0x0C8BD,0x55F8,0x0BB09,0x6C10,0x8068,0x0CDD4,0x29A6,0x0DD9F,0x0CEC3,0x6217,0x0BE28,0x3E7A,0x0E71E,0x0C573,0x42B,0x0DE06,0x0C934,0x35D1,0x0EF49,0x63A3,0x0F08F,0x26E1,0x0E61E,0x2710,0x0B6B3,0x10E0,0x0BD36,0x499C,0x8446,0x0B614,0x0E921,0x0DB2D,0x4AB8,0x4C8B,0x0D1A8,0x6A9B,0x0D817,0x0F349,0x0CE92,0x7F8D,0x4C66,0x0CF40,0x9169,0]
for i in range(30):
    tmp=arr.index(enc[i])^i
    print(chr(tmp),end='')