攻防re2


攻防re2

攻防re2-cpp-is-awesome

拖入ida

看到一堆冗长的我看不懂的代码

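// Hex-Rays pseudo-code for main() of the challenge binary, with the line
// breaks restored. In the collapsed form every statement after the first
// `//` was swallowed by that comment.
//
// What the listing shows: the program expects exactly one argument, builds
// a std::string from argv[1], and compares it character by character with
// off_6020A0[dword_6020C0[i]], i.e. a lookup string indexed through a table
// of integer offsets.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rbx
  __int64 v4; // rax
  __int64 v5; // rdx
  __int64 v6; // rax
  __int64 v7; // rdx
  __int64 v8; // rdx
  __int64 v10[2]; // [rsp+10h] [rbp-60h] BYREF
  char v11[47]; // [rsp+20h] [rbp-50h] BYREF
  char v12; // [rsp+4Fh] [rbp-21h] BYREF
  __int64 v13; // [rsp+50h] [rbp-20h] BYREF
  int v14; // [rsp+5Ch] [rbp-14h]

  // argc must be 2; otherwise print "Usage: <argv[0]> flag" and exit.
  if ( a1 != 2 )
  {
    v3 = *a2;
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Usage: ", a3);
    v6 = std::operator<<<std::char_traits<char>>(v4, v3, v5);
    std::operator<<<std::char_traits<char>>(v6, " flag\n", v7);
    exit(0);
  }

  // v11 is the std::string constructed from argv[1] (v12 is the temporary allocator).
  std::allocator<char>::allocator(&v12, a2, a3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v11, a2[1], &v12);
  std::allocator<char>::~allocator(&v12);

  v14 = 0; // index into dword_6020C0, advanced once per input character
  v10[0] = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(v11);
  while ( 1 )
  {
    v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(v11);
    // sub_400D3D is not shown on the page; presumably iterator `!=`
    // (the loop stops once it returns 0) -- confirm in the binary.
    if ( !sub_400D3D(v10, &v13) )
      break;
    // sub_400D9A is not shown; presumably iterator dereference, so v8 is the
    // current input character -- confirm.
    v8 = *sub_400D9A(v10);
    // Expected character = lookup string at the offset taken from the index
    // table. On mismatch sub_400B56 prints "Better luck next time\n" and exits.
    if ( v8 != off_6020A0[dword_6020C0[v14]] )
      sub_400B56(v10, &v13, v8);
    ++v14;
    // sub_400D7A is not shown; presumably iterator increment -- confirm.
    sub_400D7A(v10);
  }
  // NOTE(review): the loop is bounded only by the length of the input. Nothing
  // in this listing compares the input length or v14 with the size of
  // dword_6020C0, so an input that is only a prefix of the expected string
  // (including an empty one) reaches sub_400B73, and a longer input would
  // index past the table. Table size is not visible here -- confirm.
  // sub_400B73 is not shown on the page; presumably the success path.
  sub_400B73();
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v11);
  return 0LL;
}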

在 Linux 中运行,会输出

Better luck next time\n

跟踪字符串找到其所在的函数 : sub_400B56

// Failure handler reached from main() when an input character does not match
// the expected one: writes "Better luck next time\n" to std::cout and
// terminates the process with exit status 0 (so the exit code alone does not
// distinguish failure from success).
// a1 and a2 are not used in this listing; a3 is only forwarded as the third
// argument of the operator<< call, which looks like a decompiler artifact
// rather than a real parameter -- confirm against the disassembly.
void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)
{
  std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time\n", a3);
  exit(0);
}

再看一看其周围的主函数部分:

可以推断出关键部分如下

if ( v8 != off_6020A0[dword_6020C0[v14]] )sub_400B56(v10, &v13, v8);++v14;sub_400D7A(v10);}

这里我也不知道v8是什么v13等等是什么

所以先猜测 : off_6020A0[dword_6020C0[v14]] 是和flag有密切关系的字符数组

off_6020A0:

L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t

dword_6020C0[v14]:

.data:00000000006020C0 dword_6020C0    dd 24h                  ; DATA XREF: main+DD↑r
.data:00000000006020C4                 align 8
.data:00000000006020C8                 db    5
.data:00000000006020C9                 db    0
.data:00000000006020CA                 db    0
.data:00000000006020CB                 db    0
.data:00000000006020CC                 db  36h ; 6
.data:00000000006020CD                 db    0
.data:00000000006020CE                 db    0
.data:00000000006020CF                 db    0
.data:00000000006020D0                 db  65h ; e
.data:00000000006020D1                 db    0
.data:00000000006020D2                 db    0
.data:00000000006020D3                 db    0
.data:00000000006020D4                 db    7
.data:00000000006020D5                 db    0
.data:00000000006020D6                 db    0
.data:00000000006020D7                 db    0
.data:00000000006020D8                 db  27h ; '
.data:00000000006020D9                 db    0
.data:00000000006020DA                 db    0
.data:00000000006020DB                 db    0
.data:00000000006020DC                 db  26h ; &
.data:00000000006020DD                 db    0
.data:00000000006020DE                 db    0
.data:00000000006020DF                 db    0
.data:00000000006020E0                 db  2Dh ; -
.data:00000000006020E1                 db    0
.data:00000000006020E2                 db    0
.data:00000000006020E3                 db    0
.data:00000000006020E4                 db    1
.data:00000000006020E5                 db    0
.data:00000000006020E6                 db    0
.data:00000000006020E7                 db    0
.data:00000000006020E8                 db    3
.data:00000000006020E9                 db    0
.data:00000000006020EA                 db    0
.data:00000000006020EB                 db    0
.data:00000000006020EC                 db    0
.data:00000000006020ED                 db    0
.data:00000000006020EE                 db    0
.data:00000000006020EF                 db    0
.data:00000000006020F0                 db  0Dh
.data:00000000006020F1                 db    0
.data:00000000006020F2                 db    0
.data:00000000006020F3                 db    0
.data:00000000006020F4                 db  56h ; V
.data:00000000006020F5                 db    0
.data:00000000006020F6                 db    0
.data:00000000006020F7                 db    0
.data:00000000006020F8                 db    1
.data:00000000006020F9                 db    0
.data:00000000006020FA                 db    0
.data:00000000006020FB                 db    0
.data:00000000006020FC                 db    3
.data:00000000006020FD                 db    0
.data:00000000006020FE                 db    0
.data:00000000006020FF                 db    0
.data:0000000000602100                 db  65h ; e
.data:0000000000602101                 db    0
.data:0000000000602102                 db    0
.data:0000000000602103                 db    0
.data:0000000000602104                 db    3
.data:0000000000602105                 db    0
.data:0000000000602106                 db    0
.data:0000000000602107                 db    0
.data:0000000000602108                 db  2Dh ; -
.data:0000000000602109                 db    0
.data:000000000060210A                 db    0
.data:000000000060210B                 db    0
.data:000000000060210C                 db  16h
.data:000000000060210D                 db    0
.data:000000000060210E                 db    0
.data:000000000060210F                 db    0
.data:0000000000602110                 db    2
.data:0000000000602111                 db    0
.data:0000000000602112                 db    0
.data:0000000000602113                 db    0
.data:0000000000602114                 db  15h
.data:0000000000602115                 db    0
.data:0000000000602116                 db    0
.data:0000000000602117                 db    0
.data:0000000000602118                 db    3
.data:0000000000602119                 db    0
.data:000000000060211A                 db    0
.data:000000000060211B                 db    0
.data:000000000060211C                 db  65h ; e
.data:000000000060211D                 db    0
.data:000000000060211E                 db    0
.data:000000000060211F                 db    0
.data:0000000000602120                 db    0
.data:0000000000602121                 db    0
.data:0000000000602122                 db    0
.data:0000000000602123                 db    0
.data:0000000000602124                 db  29h ; )
.data:0000000000602125                 db    0
.data:0000000000602126                 db    0
.data:0000000000602127                 db    0
.data:0000000000602128                 db  44h ; D
.data:0000000000602129                 db    0
.data:000000000060212A                 db    0
.data:000000000060212B                 db    0
.data:000000000060212C                 db  44h ; D
.data:000000000060212D                 db    0
.data:000000000060212E                 db    0
.data:000000000060212F                 db    0
.data:0000000000602130                 db    1
.data:0000000000602131                 db    0
.data:0000000000602132                 db    0
.data:0000000000602133                 db    0
.data:0000000000602134                 db  44h ; D
.data:0000000000602135                 db    0
.data:0000000000602136                 db    0
.data:0000000000602137                 db    0
.data:0000000000602138                 db  2Bh ; +
.data:0000000000602139                 db    0
.data:000000000060213A                 db    0
.data:000000000060213B                 db    0

于是尝试按照题目中数组嵌套的方法输出一下看是否是flag

注意一点就是 上面的

align 8

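意思就是表示两个数间隔8位,也就是两数之间有7个0(更准确地说:align 8 是把下一项的地址对齐到 8 字节边界。dd 24h 占 0x6020C0–0x6020C3 共 4 字节,0x6020C4–0x6020C7 这 4 个填充字节全为 0;数组按 4 字节的 dword 读取,所以这 4 个 0 字节正好是数组的第 2 个元素 0。)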

所以在提取数字的时候注意,开头的 24 和 5 之间还应该有个0

写下脚本解题

#include <stdio.h>
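/*
 * Rebuilds the expected input of the challenge binary by replaying the
 * comparison main() performs: flag[i] = off_6020A0[dword_6020C0[i]].
 *
 * Returns 0 after printing the recovered string, 1 if an index in the table
 * falls outside the lookup string (e.g. a byte mistyped while copying the
 * table out of the listing).
 */
int main()
{
    /* Lookup string found at off_6020A0. */
    const char a[] = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";

    /*
     * dword_6020C0 read as 32-bit little-endian values, low byte only (every
     * value fits in one byte). The second entry, 0x00, is the padding that
     * `align 8` inserts after the first dword.
     */
    const unsigned char b[] = {
        0x24, 0x00, 0x05, 0x36, 0x65, 0x07, 0x27, 0x26,
        0x2D, 0x01, 0x03, 0x00, 0x0D, 0x56, 0x01, 0x03,
        0x65, 0x03, 0x2D, 0x16, 0x02, 0x15, 0x03, 0x65,
        0x00, 0x29, 0x44, 0x44, 0x01, 0x44, 0x2B,
    };

    /*
     * One byte more than the table: the original used char flag[31] for 31
     * characters and printed it with %s, so printf read past the end of the
     * array looking for a terminator.
     */
    char flag[sizeof(b) + 1];
    size_t i;

    for (i = 0; i < sizeof(b); i++) {
        /* sizeof(a) - 1 excludes the string's own terminating NUL. */
        if (b[i] >= sizeof(a) - 1) {
            return 1;
        }
        flag[i] = a[b[i]];
    }
    flag[sizeof(b)] = '\0';

    printf("%s", flag);
    return 0;
}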

输出

ALEXCTF{W3_L0v3_C_W1th_CL45535}
--------------------------------
Process exited after 0.07204 seconds with return value 0
请按任意键继续. . .
