BUUCTF_Re_[ACTF新生赛2020]easyre

有个upx的壳,脱掉后,主函数代码:

/*
 * Decompiler pseudocode for main() of the unpacked binary.
 * Reads one whitespace-delimited token, requires the form ACTF{<12 bytes>},
 * and prints the success message only when, for each of the 12 body bytes,
 * _data_start__[byte - 1] equals the matching byte of v4.
 *
 * NOTE(review): per the stack offsets below, v6, v7, v8, v9 and v10 are
 * adjacent (ebp-16h through ebp-5h, 18 bytes in total). They look like one
 * input buffer that the decompiler split into separate variables, which is
 * why v7..v10 are read here without ever being assigned in this listing.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[12]; // [esp+12h] [ebp-2Eh] BYREF  -- expected lookup results
  int v5[3]; // [esp+1Eh] [ebp-22h]  -- copy of the 12 body bytes
  char v6[5]; // [esp+2Ah] [ebp-16h] BYREF  -- scanf destination, holds "ACTF{"
  int v7; // [esp+2Fh] [ebp-11h]  -- body bytes 0..3 (directly after v6)
  int v8; // [esp+33h] [ebp-Dh]  -- body bytes 4..7
  int v9; // [esp+37h] [ebp-9h]  -- body bytes 8..11
  char v10; // [esp+3Bh] [ebp-5h]  -- byte after the body, must be '}'
  int i; // [esp+3Ch] [ebp-4h]  -- loop index, directly after v10

  __main();
  // Load the 12 bytes that the table lookups must reproduce.
  qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));
  printf("Please input:");
  // "%s" carries no field width, so the write is not limited to the 18 bytes
  // laid out as v6..v10. By the listed offsets even an 18-character token puts
  // its terminating NUL at ebp-4h (the low byte of i), and anything longer
  // keeps overwriting the stack above it. In source form this read would need
  // a width-limited conversion or fgets into a buffer of at least 19 bytes.
  scanf("%s", v6);
  // Format gate: literal prefix "ACTF{" and a '}' at input offset 17.
  if ( v6[0] != 'A' || v6[1] != 'C' || v6[2] != 'T' || v6[3] != 'F' || v6[4] != '{' || v10 != '}' )
    return 0;
  // Gather the 12 bytes between the braces into v5.
  v5[0] = v7;
  v5[1] = v8;
  v5[2] = v9;
  // i <= 11 visits 12 bytes, matching sizeof(v4) and the three ints of v5.
  for ( i = 0; i <= 11; ++i )
  {
    // The table index is the input byte minus one and is not range-checked.
    // NOTE(review): the size of _data_start__ is not visible in this listing;
    // a byte outside the table's range would index outside it - confirm
    // against the data section.
    if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] )
      return 0;
  }
  printf("You are correct!");
  // Every path returns 0; success and failure differ only in the printed text.
  return 0;
}

重点就是这一句比较:

v4[i] != _data_start__[*((char *)v5 + i) - 1]

也就是用输入字符减 1 作为下标去查 _data_start__ 表,判断查到的字符是否与 v4[i] 相等,

然后找到 _data_start__ 的值:

 

接下来就是在 data 表里查找 v4 的每个字符:因为程序用"输入字符 - 1"作为下标,所以该字符在表中的下标加 1 就是对应的输入字符。

脚本:

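# Bytes the binary copies into v4; each one must come out of the table lookup.
v4 = "*F'\"N,\"(I?+@"

# Lookup table recovered from the binary's _data_start__ symbol.
# The backslash entry is written as "\\": the original literal relied on the
# invalid escape "\[" being kept verbatim, which recent Python versions warn
# about (SyntaxWarning) and which is slated to become an error.
data = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"'

# The program accepts when data[input_byte - 1] == v4[i], so the input byte is
# the table position of v4[i] plus one.
flag = ''
for ch in v4:
    pos = data.find(ch)
    if pos < 0:
        # str.find returns -1 for a missing character; without this check the
        # script would silently emit chr(0) and print a wrong answer.
        raise ValueError("character %r from v4 is not in the lookup table" % ch)
    flag += chr(pos + 1)
print(flag)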

得到:U9X_1S_W6@T?

包上flag{U9X_1S_W6@T?}
