攻防世界--re2-cpp-is-awesome
測試文件:https://adworld.xctf.org.cn/media/task/attachments/c5802869b8a24033b4a80783a67c858b數組
1.準備
獲取信息函數
- 64位文件
2.IDA打開
1 __int64 __fastcall main(int a1, char **a2, char **a3) 2 { 3 char *v3; // rbx 4 __int64 v4; // rax 5 __int64 v5; // rdx 6 __int64 v6; // rax 7 __int64 v7; // rdx 8 _BYTE *v8; // rax 9 __int64 i; // [rsp+10h] [rbp-60h] 10 char v11; // [rsp+20h] [rbp-50h] 11 char v12; // [rsp+4Fh] [rbp-21h] 12 __int64 v13; // [rsp+50h] [rbp-20h] 13 int v14; // [rsp+5Ch] [rbp-14h] 14 15 if ( a1 != 2 ) 16 { 17 v3 = *a2; 18 v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Usage: ", a3); 19 v6 = std::operator<<<std::char_traits<char>>(v4, v3, v5); 20 std::operator<<<std::char_traits<char>>(v6, " flag\n", v7); 21 exit(0); 22 } 23 std::allocator<char>::allocator(&v12, a2, a3); 24 std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v11, a2[1], &v12); 25 std::allocator<char>::~allocator(&v12); 26 v14 = 0; 27 for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) ) 28 { 29 v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11); 30 if ( !(unsigned __int8)sub_400D3D(&i, &v13) ) 31 break; 32 v8 = (_BYTE *)sub_400D9A(&i); 33 if ( *v8 != off_6020A0[dword_6020C0[v14]] ) 34 sub_400B56(); 35 ++v14; 36 } 37 sub_400B73(); 38 std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v11); 39 return 0LL; 40 }
3.代碼分析
實際上這堆代碼,很大部分「垃圾代碼」--不須要咱們關注的測試
咱們只須要關注26行代碼如下部分便可spa
第27行代碼,是一個for循環,沒有結束條件,每次增長sub_400D7A(&i),即1字節code
_QWORD *__fastcall sub_400D7A(_QWORD *a1) { ++*a1; return a1; }
for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) ) { v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11); if ( !sub_400D3D((__int64)&i, (__int64)&v13) )// 循環結束條件 break; v8 = (_BYTE *)sub_400D9A((__int64)&i); // 進行某種賦值 if ( *v8 != off_6020A0[dword_6020C0[v14]] ) // 重點!這裏實際上就是一個數組套着數組 sub_400B56(&i, &v13); ++v14; // 數組下標 }
3.1條件中找flag
經過對比sub_400B56(&i, &v13);和 sub_400B73(&i, &v13);函數,咱們可以獲得flag實際藏在if判斷條件中blog
void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3) { std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time\n", a3); exit(0); }
__int64 __fastcall sub_400B73(__int64 a1, __int64 a2, __int64 a3) { return std::operator<<<std::char_traits<char>>(&std::cout, "You should have the flag by now\n", a3); }
進入off_6020A0和dword_6020C0咱們能夠看到v8
.data:00000000006020A0 off_6020A0 dq offset aL3tMeT3llY0uS0 .data:00000000006020A0 ; DATA XREF: main+D1↑r .data:00000000006020A0 ; "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{"... .data:00000000006020A8 align 20h
.rodata:0000000000400E58 aL3tMeT3llY0uS0 db 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t' .rodata:0000000000400E58 ; DATA XREF: .data:off_6020A0↓o
這實際上就是一段字符串字符串
.data:00000000006020C0 dword_6020C0 dd 24h ; DATA XREF: main+DD↑r .data:00000000006020C4 align 8 .data:00000000006020C8 db 5 .data:00000000006020C9 db 0 .data:00000000006020CA db 0 .data:00000000006020CB db 0 .data:00000000006020CC db 36h ; 6 .data:00000000006020CD db 0 .data:00000000006020CE db 0 .data:00000000006020CF db 0 .data:00000000006020D0 db 65h ; e .data:00000000006020D1 db 0 .data:00000000006020D2 db 0 .data:00000000006020D3 db 0 .data:00000000006020D4 db 7 .data:00000000006020D5 db 0 .data:00000000006020D6 db 0 .data:00000000006020D7 db 0 .data:00000000006020D8 db 27h ; ' .data:00000000006020D9 db 0 .data:00000000006020DA db 0 .data:00000000006020DB db 0 .data:00000000006020DC db 26h ; & .data:00000000006020DD db 0 .data:00000000006020DE db 0 .data:00000000006020DF db 0 .data:00000000006020E0 db 2Dh ; - .data:00000000006020E1 db 0 .data:00000000006020E2 db 0 .data:00000000006020E3 db 0 .data:00000000006020E4 db 1 .data:00000000006020E5 db 0 .data:00000000006020E6 db 0 .data:00000000006020E7 db 0 .data:00000000006020E8 db 3 .data:00000000006020E9 db 0 .data:00000000006020EA db 0 .data:00000000006020EB db 0 .data:00000000006020EC db 0 .data:00000000006020ED db 0 .data:00000000006020EE db 0 .data:00000000006020EF db 0 .data:00000000006020F0 db 0Dh .data:00000000006020F1 db 0 .data:00000000006020F2 db 0 .data:00000000006020F3 db 0 .data:00000000006020F4 db 56h ; V .data:00000000006020F5 db 0 .data:00000000006020F6 db 0 .data:00000000006020F7 db 0 .data:00000000006020F8 db 1 .data:00000000006020F9 db 0 .data:00000000006020FA db 0 .data:00000000006020FB db 0 .data:00000000006020FC db 3 .data:00000000006020FD db 0 .data:00000000006020FE db 0 .data:00000000006020FF db 0 .data:0000000000602100 db 65h ; e .data:0000000000602101 db 0 .data:0000000000602102 db 0 .data:0000000000602103 db 0 .data:0000000000602104 db 3 .data:0000000000602105 db 0 .data:0000000000602106 db 0 .data:0000000000602107 db 0 .data:0000000000602108 db 2Dh ; - .data:0000000000602109 db 0 .data:000000000060210A db 0 .data:000000000060210B db 0 .data:000000000060210C db 16h .data:000000000060210D db 0 .data:000000000060210E db 0 .data:000000000060210F db 0 .data:0000000000602110 db 2 .data:0000000000602111 db 0 .data:0000000000602112 db 0 .data:0000000000602113 db 0 .data:0000000000602114 db 15h .data:0000000000602115 db 0 .data:0000000000602116 db 0 .data:0000000000602117 db 0 .data:0000000000602118 db 3 .data:0000000000602119 db 0 .data:000000000060211A db 0 .data:000000000060211B db 0 .data:000000000060211C db 65h ; e .data:000000000060211D db 0 .data:000000000060211E db 0 .data:000000000060211F db 0 .data:0000000000602120 db 0 .data:0000000000602121 db 0 .data:0000000000602122 db 0 .data:0000000000602123 db 0 .data:0000000000602124 db 29h ; ) .data:0000000000602125 db 0 .data:0000000000602126 db 0 .data:0000000000602127 db 0 .data:0000000000602128 db 44h ; D .data:0000000000602129 db 0 .data:000000000060212A db 0 .data:000000000060212B db 0 .data:000000000060212C db 44h ; D .data:000000000060212D db 0 .data:000000000060212E db 0 .data:000000000060212F db 0 .data:0000000000602130 db 1 .data:0000000000602131 db 0 .data:0000000000602132 db 0 .data:0000000000602133 db 0 .data:0000000000602134 db 44h ; D .data:0000000000602135 db 0 .data:0000000000602136 db 0 .data:0000000000602137 db 0 .data:0000000000602138 db 2Bh ; + .data:0000000000602139 db 0 .data:000000000060213A db 0 .data:000000000060213B db 0 .data:000000000060213B _data ends
這裏就至關因而一連串的整數get
所以咱們能夠分析得出,經過v15/v14做爲內部數組下標,循環獲到的整數再做爲外部數組的下標,獲取到須要的字符串。string
這裏值得注意的一點是,algn 8表示兩個數之間間隔8位,至關於在兩個數之間插了7個0,也就至關於在頭兩個數之間還有一個'0'
4.腳本獲取flag
S = 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_' N = [0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2d,0x1,0x3,0x0,0x0d,0x56,0x1,0x3,0x65,0x3,0x2d,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2b] x = '' for i in N: x += S[i] print(x)
5.get flag!
ALEXCTF{W3_L0v3_C_W1th_CL45535}
相關文章
- 1. 攻防世界
- 2. 攻防世界web
- 3. Web攻防世界
- 4. 攻防世界-web
- 5. 攻防世界XCTF:bug
- 6. 攻防世界cookie
- 7. 攻防世界cat
- 8. 攻防世界-upload1
- 9. 攻防世界--The_Maya_Society
- 10. 攻防世界get_post
- 更多相關文章...
- • 使用TCP協議檢測防火牆 - TCP/IP教程
- • 防止使用TCP協議掃描端口 - TCP/IP教程
- • Docker容器實戰(七) - 容器眼光下的文件系統
- • 互聯網組織的未來:剖析GitHub員工的任性之源
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 攻防世界
- 2. 攻防世界web
- 3. Web攻防世界
- 4. 攻防世界-web
- 5. 攻防世界XCTF:bug
- 6. 攻防世界cookie
- 7. 攻防世界cat
- 8. 攻防世界-upload1
- 9. 攻防世界--The_Maya_Society
- 10. 攻防世界get_post