BUU_RE_[GXYCTF2019]luck_guy
64位,无壳
字符串查找到一半的flag,双击跟进:
在函数get_flag中,伪代码:
/*
 * get_flag(): IDA pseudo-code of the challenge's flag routine, kept verbatim.
 *
 * It prints f1 (presumably the half-flag seen in the strings window) followed
 * by the global f2, but only when the time-seeded rand() happens to draw
 * case 4, then case 5, then case 1 within its five iterations, which makes
 * running it to completion impractical. The interesting part for the solve
 * is therefore purely what case 4 and case 5 do to f2.
 *
 * Layout note (from the decompiler's stack offsets): s is at rsp+10h, v5 at
 * rsp+18h and the canary copy v6 at rsp+38h, so s and v5 together form the
 * 0x28-byte buffer that case 1 memsets and strcats into; v5 is also the
 * byte that case 4 uses as the NUL terminator right after the 8 bytes of s.
 */
unsigned __int64 get_flag()
{
  unsigned int v0; // eax
  int i; // [rsp+4h] [rbp-3Ch]
  int j; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h] BYREF
  char v5; // [rsp+18h] [rbp-28h]   (immediately follows s on the stack)
  unsigned __int64 v6; // [rsp+38h] [rbp-8h]

  v6 = __readfsqword(0x28u); // stack-protector canary (fs:0x28), re-read at return
  v0 = time(0LL);
  srand(v0); // seeded with the current second: which cases fire is effectively random per run
  for ( i = 0; i <= 4; ++i ) // only five draws
  {
    switch ( rand() % 200 ) // values 1..5 select a case; 0 and 6..199 fall to default
    {
      case 1: // print the flag: f1 + f2 into the 40-byte stack buffer starting at s
        puts("OK, it's flag:");
        memset(&s, 0, 0x28uLL); // zero rsp+10h .. rsp+38h, i.e. everything up to the canary slot
        // Unbounded copies into a 0x28-byte buffer: safe only while strlen(f1)+strlen(f2) <= 39;
        // a longer pair would overwrite v6. The 20-character flag recovered below fits.
        strcat((char *)&s, f1);
        strcat((char *)&s, &f2);
        printf("%s", (const char *)&s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4: // append the 8 bytes of a 64-bit constant to f2
        // x86-64 is little-endian, so the low byte is stored at the lowest address:
        //   69 63 75 67 60 6F 66 7F  ->  "icug`of\x7F"
        s = 0x7F666F6067756369LL;
        v5 = 0; // NUL terminator in the byte right after s, so strcat copies exactly 8 bytes
        strcat(&f2, (const char *)&s);
        break;
      case 5: // in-place transform of the 8 bytes of f2: odd index -= 2, even index -= 1
        // "icug`of\x7F" -> "hate_me}"  (0x69-1='h', 0x63-2='a', 0x75-1='t', 0x67-2='e',
        //                              0x60-1='_', 0x6F-2='m', 0x66-1='e', 0x7F-2='}')
        for ( j = 0; j <= 7; ++j )
        {
          if ( j % 2 == 1 )
            *(&f2 + j) -= 2;
          else
            --*(&f2 + j);
        }
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return __readfsqword(0x28u) ^ v6; // canary check: non-zero means the stack buffer was overrun
}
看到 case 1 中，输出的 flag 是 `f1`（应该就是字符串窗口里找到的那半段 flag）和全局变量 `f2` 用 strcat 拼接起来的，所以只需要求出 `f2`。
case 4 把一个 8 字节常量 `s` 当成字符串追加到 `f2` 上（紧跟在 `s` 后面的 `v5 = 0` 正好充当结束符），case 5 再对 `f2` 的 8 个字节逐个处理：下标为奇数的减 2，偶数的减 1。注意 `rand()` 用当前时间做种子，每次运行只取 5 个 `rand() % 200`，要在 5 次内恰好按 case 4 → case 5 → case 1 的顺序命中几乎不可能，所以动态跑出 flag 不现实，直接静态还原 `f2` 即可。
把 `s` 转换成字符串：程序是 x86-64（小端），`0x7F666F6067756369` 在内存里低字节在前，依次是 `69 63 75 67 60 6F 66 7F`，即 "icug`of\x7F"。
再写脚本
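# Recover f2 statically from case 4 / case 5 of get_flag().
#
# case 4 stores the 64-bit constant 0x7F666F6067756369 into an 8-byte stack
# slot and NUL-terminates it. The target is x86-64, i.e. little-endian, so the
# low byte (0x69, 'i') sits at the lowest address and is the FIRST character
# that strcat() appends to f2. Asking Python for the little-endian byte order
# makes that explicit instead of hand-typing the bytes in reverse and undoing
# the reversal with [::-1] at the end.
s = (0x7F666F6067756369).to_bytes(8, "little")  # b'icug`of\x7f'

# case 5 then walks those 8 bytes in place: odd index -= 2, even index -= 1.
# Same parity rule as the pseudo-code, so no reversal is needed.
flag = "".join(
    chr(b - 2) if j % 2 == 1 else chr(b - 1)
    for j, b in enumerate(s)
)
print(flag)  # hate_me}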
最后要倒过来，是因为脚本里的 `s` 是按常量的书写顺序（高字节在前）写的。x86-64 是小端，内存中低字节 `0x69`（'i'）在最前面，真正参与 strcat 的字符串是 "icug`of\x7F"；把字符顺序反过来之后，奇偶下标也跟着对调（所以脚本里偶数下标减 2、奇数减 1，和伪代码正好相反），最后再用 `[::-1]` 翻回来。其实不用猜：直接用 `(0x7F666F6067756369).to_bytes(8, 'little')` 得到小端字节序，再按伪代码原来的奇偶规则处理，就不需要反转了。
flag
flag{do_not_hate_me}