# for j in range(len(index1)): # for i in range(0x20, 0x7e): # if i % 23 == index1[j] and i // 23 == index2[j]: # name += chr(i) # break # print name # private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *) # ?表示模板 # * P # char D; unsigned char E # private near A # 64位编程时, 唯一可用的调用协议的编码是A # @: 形参表结束标志 # Z: 缺省的异常规范 # PAE unsiged char * # PAD 返回类型 # A表示private的成员函数;A表示非只读成员函数;E表示thiscall # ?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z
s1 = "1234567890abcdefghijklmnopqrstu" s2 = "fg8hi94jk0lma52nobpqc6rsdtue731" dic = [] for i inrange(len(s1)): for j inrange(len(s2)): if s1[i] == s2[j]: dic.append(j)
# print dic
name = "?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z" input = "" for i inrange(len(name)): input += name[dic[i]] # print input
defmd5(str): import hashlib m = hashlib.md5() m.update(str) return m.hexdigest()
deff(v): s = "" while v != 0: v, r = divmod(v, 255) s = chr(r) + s return s
n = 139907262641720884635250105449327463531131227516500497307311002094885245322386805049406878643982216326493527702414689439930090794753345844178528356178539094825247389836142928474607108262267087850211322640806135698076207986818086837911361480181444157057782599277473843153161174504240064610043962720953514451563 c = 79981856490856999850671700360733120831999995589421207460490185876531860518527597767905168099182891345123878966403548022646956365158864209467614850251731806682037300712511185681164865174187586907707195428804234739667769742078793162639867922056194688917569369338005327309973680573581158754297630654105882382426
for i inrange(2, 100): r = pow(c, i, n) s = f(r) if s.startswith("flag"): print(s)