alexctf-2017：re2-cpp-is-awesome

下載附件，爲elf文件

在Linux中查看

64位的ELF文件，輸入錯誤的flag時，輸出Better luck next time。

 

將文件拖入IDA64，反編譯，分析代碼

找出圖中關鍵代碼

 

跟進sub_400B56函數

void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)
{
  std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time\n", a3);
  exit(0);
}

輸出：Better luck next time

進一步確認，if 語句中的判斷條件爲解題關鍵。

 

提取 off_6020A0 和 dword_6020C0 中的數據

 

off_6020A0：

 

dword_6020C0：

align 8：8字節對齊，此處不太直觀在Hex View跟進。

 

提取結果：

off="L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
dword = [0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2d, 0x1, 0x3, 0x0, 0xd, 0x56, 0x1,0x3, 0x65, 0x3, 0x2d, 0x16, 0x2, 0x15, 0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2b]

 

編寫python代碼：

off = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
dword = [0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2d, 0x1, 0x3, 0x0, 0xd, 0x56, 0x1,
         0x3, 0x65, 0x3, 0x2d, 0x16, 0x2, 0x15, 0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2b]
flag = ""
for i in dword:
    flag += off[i]
print(flag)

 

輸出：ALEXCTF{W3_L0v3_C_W1th_CL45535}

 

解題完畢！

 

收穫：瞭解 align (n) 的相關知識