BUUCTF xor RE
用Die查看发现无壳64位
用ida64 打开,F5反编译main函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
int i; // [rsp+2Ch] [rbp-124h]
char __b[264]; // [rsp+40h] [rbp-110h] BYREF
memset(__b, 0, 0x100uLL);
printf("Input your flag:\n");
get_line(__b, 256LL);
if ( strlen(__b) != 33 )
goto LABEL_7;
for ( i = 1; i < 33; ++i )
__b[i] ^= __b[i - 1];
if ( !strncmp(__b, global, 0x21uLL) )
printf("Success");
else
LABEL_7:
printf("Failed");
return 0;
}
加密逻辑就是对一个长度为33的字符串每一个字符与前一位进行异或操作
现在重点就是global的值
双击globa,在汇编界面定位global的值
定位到这一串汇编代码
__cstring:0000000100000F6E
__cstring:0000000100000F6E ; Segment type: Pure data
__cstring:0000000100000F6E ; Segment permissions: Read/Execute
__cstring:0000000100000F6E __cstring segment byte public 'DATA' use64
__cstring:0000000100000F6E assume cs:__cstring
__cstring:0000000100000F6E ;org 100000F6Eh
__cstring:0000000100000F6E aFKWOXZUPFVMDGH db 'f',0Ah ; DATA XREF: __data:_global↓o
__cstring:0000000100000F6E db 'k',0Ch,'w&O.@',11h,'x',0Dh,'Z;U',11h,'p',19h,'F',1Fh,'v"M#D',0Eh,'g'
__cstring:0000000100000F6E db 6,'h',0Fh,'G2O',0
shift+E提取出global的值为
global=[0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11,
0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F,
0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F,
0x47, 0x32, 0x4F, 0x00]
简单写个脚本得到flag
点击查看代码
a = [0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11,
0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F,
0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F,
0x47, 0x32, 0x4F, 0x00]
for i in range(len(a)):
if(type(a[i])==int): a[i]=chr(a[i])
a = "".join(a)
flag="f"
for i in range(1,len(a)):
flag+=chr(ord(a[i]) ^ ord(a[i-1]))
print(flag)
flag{QianQiuWanDai_YiTongJiangHu}
本文来自博客园,作者:{Tree_24},转载请注明原文链接:{https://www.cnblogs.com/Tree-24/}