RE-实验吧defcamp

Alikas-0x04

题目：实验吧defcamp

File一下，64位 ELF

file r200.bak
r200.bak: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=22e68980e521b43c90688ed0693df78150b10211, stripped

运行一下，要求我们输入password

./r200.bak
Enter the password:

拖进IDA，追踪字符串到main函数:(为了便于观看，我修改了函数名）

 v7 = __readfsqword(0x28u);
  for ( i = 1; i <= 10; ++i )
  {
    v3 = malloc(0x10uLL);
    *v3 = i;
    *(v3 + 4) = *v3 + 109;
    a3 = qword_601080;
    *(v3 + 1) = qword_601080;
    qword_601080 = v3;
  }
  printf("Enter the password: ", a2, a3);
  if ( !fgets(&s, 7, stdin) )
    return 0LL;
  if ( check_password(&s) )
  {
    puts("Incorrect password!");
    result = 1LL;
  }
  else
  {
    puts("Nice!");
    result = 0LL;
  }

要打印出Nice！不打印Incorrect password!那重点应该让check_password()返回0咯，进去,代码如下

  v6 = 0LL;
  v7 = 0LL;
  v8 = 0LL;
  v9[0] = 5;
  v9[1] = 2;
  v9[2] = 7;
  v9[3] = 2;
  v9[4] = 5;
  v9[5] = 6;
  for ( i = 0; i <= 5; ++i )
  {
    v5 = qword_601080;
    v4 = 0;
    while ( v5 )
    {
      if ( *(v5 + 4) == *(i + a1) )
      {
        v4 = *v5;
        break;
      }
      v5 = *(v5 + 8);
    }
    *(&v6 + i) = v4;
  }
  for ( j = 0; j <= 5; ++j )
  {
    if ( *(&v6 + j) != v9[j] )
      return 1LL;
  }
  return 0LL;
}

理解一下，输入的值转换之后要等于5，2，7，2，5，6，我们理解一下转换算法就可以得到flag了。

看到v5=qword_60180,而qword_60180在主函数也出现过，过去主函数看一下:

for ( i = 1; i <= 10; ++i )
  {
    v3 = malloc(0x10uLL);
    *v3 = i;
    *(v3 + 4) = *v3 + 109;
    a3 = qword_601080;
    *(v3 + 1) = qword_601080;
    qword_601080 = v3;
  }

我们看到表中共有10个元素，每个元素16个字节，而每个元素对应的值则加上109，那反过来想[5，2，7，2，5，6]对应的就应该是[114，111，116，111，114，115],ASCII码转换一下得rotors

./r200.bak
Enter the password: rotors
Nice!

结果就很Nice！