BUUCTF_Re_[ACTF新生赛2020]easyre
有个upx的壳,脱掉后,主函数代码:
int __cdecl main(int argc, const char **argv, const char **envp) { char v4[12]; // [esp+12h] [ebp-2Eh] BYREF int v5[3]; // [esp+1Eh] [ebp-22h] char v6[5]; // [esp+2Ah] [ebp-16h] BYREF int v7; // [esp+2Fh] [ebp-11h] int v8; // [esp+33h] [ebp-Dh] int v9; // [esp+37h] [ebp-9h] char v10; // [esp+3Bh] [ebp-5h] int i; // [esp+3Ch] [ebp-4h] __main(); qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4)); printf("Please input:"); scanf("%s", v6); if ( v6[0] != 'A' || v6[1] != 'C' || v6[2] != 'T' || v6[3] != 'F' || v6[4] != '{' || v10 != '}' ) return 0; v5[0] = v7; v5[1] = v8; v5[2] = v9; for ( i = 0; i <= 11; ++i ) { if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] ) return 0; } printf("You are correct!"); return 0; }
重点就是在
v4[i]!=_data_start_
判断是否相等,
然后找到_data_start的值:
就是把在data里找v4
脚本:
v4="*F'\"N,\"(I?+@" data = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"' flag='' for i in range(len(v4)): flag+=chr(data.find(v4[i])+1) print(flag)
得到:U9X_1S_W6@T?
包上flag{U9X_1S_W6@T?}