buu reverse reverse3

reverse3

查看一下32位，无壳

拉入32位ida，找到main函数，F5查看伪代码

 for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure(a1, a2, a3);
    Dest[i] = 0;
  }
  sub_41132F("please enter the flag:");
  sub_411375("%20s", &Str);
  v3 = j_strlen(&Str);
  v4 = (const char *)sub_4110BE((int)&Str, v3, (int)&v14);
  strncpy(Dest, v4, 0x28u);
  v11 = j_strlen(Dest);
  for ( j = 0; j < v11; ++j )
    Dest[j] += j;
  v5 = j_strlen(Dest);
  if ( !strncmp(Dest, Str2, v5) )
    sub_41132F("rigth flag!\n");
  else
    sub_41132F("wrong flag!\n");
  HIDWORD(v7) = v6;
  LODWORD(v7) = 0;
  return v7;

倒着推，第一个if，Dest与str2比较，说明Dest位flag，找到str2
中间有sub_4110BE，查看，发现一直在用

查看，有看是64位，猜测base64
写脚本

import base64
x=''
flag=''
str2="e3nifIH9b_C@n@dH"

for i in range(0,len(str2)):
    x += chr(ord(str2[i])-i)

print(x)

flag = base64.b64decode(x)
print(flag)

输出，如图，大括号内就是flag

flag{i_l0ve_you}