攻防世界WP-reverse-school-ctf-winter-2015-simple-check-100

内有三个文件,一个exe,两个elf。其中exe有坑,ida伪代码后有一个参数和解md5有关,但是又解不出来。所以直接看elf文件。
关键函数为interesting_function((__int64)&v7);

// IDA pseudocode of the ELF's flag routine.  a1 is the address the caller
// passes as (__int64)&v7; no length comes with it.  The routine walks the
// bytes at a1 as seven dwords, XORs each with 0xDEADBEEF and prints every
// result byte XORed with the global key table flag_data (defined elsewhere
// in the binary; it is indexed 4 * i + j, so it holds at least 28 bytes).
int __fastcall interesting_function(__int64 a1)
{
  int *v1; // rax
  unsigned int v3; // [rsp+1Ch] [rbp-24h]
  int i; // [rsp+20h] [rbp-20h]
  int j; // [rsp+24h] [rbp-1Ch]
  __int64 v6; // [rsp+28h] [rbp-18h]
  int *v7; // [rsp+30h] [rbp-10h]
  unsigned __int64 v8; // [rsp+38h] [rbp-8h]

  v8 = __readfsqword(0x28u); // looks like the stack-protector canary load (fs:0x28 on x86-64 glibc); the epilogue compare is not shown
  LODWORD(v1) = a1; // rax reuse; v1 is overwritten below, only its last assignment reaches the return
  v6 = a1;
  for ( i = 0; i <= 6; ++i ) // seven dwords: the 28-byte read size is fixed here, not passed in
  {
    v3 = *(_DWORD *)(4LL * i + v6) ^ 0xDEADBEEF; // dword i of the caller's buffer, unmasked with the constant
    v1 = (int *)&v3;
    v7 = (int *)&v3;
    for ( j = 3; j >= 0; --j ) // bytes of v3 from offset 3 down to 0
      LODWORD(v1) = putchar((char)(*((_BYTE *)v7 + j) ^ flag_data[4 * i + j])); // one flag character per byte
  }
  return (signed int)v1; // low 32 bits of the last putchar() result
}

运行时会通过 putchar 把 flag 逐字节打印出来。
我们一步步分析。
首先看 `v3 = *(_DWORD *)(4LL * i + v6) ^ 0xDEADBEEF;`,它把 v6 所指缓冲区的第 i 个 4 字节与固定值 0xDEADBEEF 异或,而 v6 = v1 = a1 是传进来的。我们出去看看。
(图:攻防世界WP-reverse-school-ctf-winter-2015-simple-check-100_第1张图片)这块没有弄清楚,v7-v35都是char类型,interesting_function((__int64)&v7)将参数进行类型转换,那转换之前的参数是如何知道其长度的。其实被调函数并不知道长度:它的循环固定为 i <= 6,也就是从传入地址起连续读 7×4 = 28 字节,正好落在栈上连续排列的那些 char 局部变量上。
然后我们将10进制的数字转成16进制。v6[]={0xE37EC854,0x9A16C764,0x326511CD,0x43D3E32D,0xD29DA992,0xD32C6DE6,0x6AFEBDB6};
flag_data的值没什么好说的,进去就看到了。
最终的代码如下

// The page's original `#include` lost its header name during extraction;
// these headers cover what main() uses.
#include <cstdint>   // uint32_t, uint8_t
#include <cstdio>    // putchar
#include <cstdlib>   // system
using namespace std;
typedef unsigned int    uint32;
typedef unsigned char   uint8;
#define _DWORD uint32
#define LODWORD(x)  (*((_DWORD*)&(x)))
#define _BYTE  uint8
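// Solver: replays interesting_function() from the ELF on the data IDA
// showed, printing the 28-character flag.  Returns 0.
int main()
{
	// The seven 32-bit words the binary reads from the caller's stack
	// (the `&v7` argument), converted from the decimal values IDA shows.
	// Kept as 32-bit words so v6[i] is exactly the dword the pseudocode
	// reads at offset 4 * i — no pointer cast into a 64-bit array needed.
	const uint32_t v6[7] = {0xE37EC854, 0x9A16C764, 0x326511CD, 0x43D3E32D,
	                        0xD29DA992, 0xD32C6DE6, 0x6AFEBDB6};
	// Key table from the binary, one byte per printed character.  Unsigned
	// so that entries >= 0x80 do not narrow into a (usually signed) char.
	const uint8_t flag_data[28] = {0xDC, 0x17, 0xBF, 0x5B, 0xD4, 0x0A, 0xD2,
	                               0x1B, 0x7D, 0xDA, 0xA7, 0x95, 0xB5, 0x32,
	                               0x10, 0xF6, 0x1C, 0x65, 0x53, 0x53, 0x67,
	                               0xBA, 0xEA, 0x6E, 0x78, 0x22, 0x72, 0xD3};

	for (int i = 0; i <= 6; ++i) {
		// Same transform as the pseudocode: dword i XOR 0xDEADBEEF ...
		uint32_t v3 = v6[i] ^ 0xDEADBEEFu;
		// ... then each byte of the result, offset 3 down to 0, XORed with
		// the matching key byte.  Byte j is taken by shifting rather than
		// through `*((_BYTE *)&v3 + j)`, which gives the byte the x86-64
		// (little-endian) binary reads regardless of the host's endianness.
		for (int j = 3; j >= 0; --j) {
			uint8_t b = (uint8_t)(v3 >> (8 * j));
			putchar(b ^ flag_data[4 * i + j]);
		}
	}
#ifdef _WIN32
	system("pause");   // keep the console window open; not a valid command elsewhere
#endif
	return 0;
}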

flag如下
在这里插入图片描述
