[ctf.show.reverse] re3

逻辑很简单:把六个常量和输入的十六进制值逐个累加,每次累加后做 16 位循环进位折叠,最终要求结果恰好等于 0xFFFF。但若直接用 Python 复现,由于 Python 整数没有位宽限制,`(unsigned int)` 截断和折叠时的高/低 16 位拆分都要手动用掩码模拟,容易出错,所以这里改用 gdb 动态跟一下。

  // Decompiler excerpt (the enclosing function's header is not shown).
  // Six fixed constants plus the user-supplied value v5 feed a 16-bit
  // end-around-carry checksum that must fold to exactly 0xFFFF.
  v7 = 0x50;
  v8 = 0xFAE3;
  v9 = 0xD7D3F7B;
  v10 = 0xA43499F6;                             // top bit set; the (unsigned int) cast in the loop keeps it unsigned
  v11 = 5;
  v12 = 0x10;
  v13 = 0xEF9;
  v5 = 0;
  puts("plz input the key:");
  // No field width on %s: input longer than s overflows the buffer
  // (the size of s is not visible in this excerpt).
  __isoc99_scanf("%s", s);
  v3 = strlen(s);
  // Copy the text between "flag{" and "}" into dest. v19 is presumably
  // s + 5 -- its definition is outside this excerpt. If the input is
  // shorter than 6 bytes, v3 - 6 wraps to a huge size_t and strncpy
  // pads dest with zeros far past its end.
  strncpy(dest, v19, v3 - 6);                   // strip "flag{" (the closing "}" is cut off on the next line)
  dest[strlen(s) - 6] = 0;
  // Parse the inner text as hex: flag{0000} yields v5 = 0.
  __isoc99_sscanf(dest, "%x", &v5);
  v17[0] = v7;
  v17[1] = v8;
  v17[2] = v9;
  v17[3] = v10;
  v17[4] = (v11 << 12) + v12;                   // 0x5010
  v17[5] = v13;
  v17[6] = v5;                                  // user value is the last term added
  v16 = 0LL;
  for ( i = 0; i <= 6; ++i )
  {
    // Add each word as a 32-bit unsigned, then fold any carry above bit 15
    // back into the low 16 bits until the running sum fits in 16 bits.
    // v14 is written but never read here -- likely a decompiler artifact.
    for ( v16 += (unsigned int)v17[i]; v16 > 0xFFFF; v16 = v15 + (unsigned int)(unsigned __int16)v16 )
    {
      v14 = (unsigned __int16)v16;
      v15 = v16 >> 16;
    }
  }
  // Accept only when the folded sum is all-ones (0xFFFF), not 0.
  if ( v16 == 0xFFFF )
    puts("OK");
  else
    puts("Error");   // set the breakpoint here; v16 still holds the folded sum

在 puts("Error") 处下断点(程序是 PIE,下面的 0x5555555549fc 是 vmmap 看到的加载基址 0x555555554000 加上该指令的文件内偏移 0x9fc,所以要先运行一次再用 vmmap 取基址),输入 flag{0000} 使 v5 = 0,然后读出 v16。因为 v5 是最后一个被累加的项,而此时 v16 = 0xe560 已经不超过 0xFFFF,令 v5 = 0xFFFF - 0xe560 = 0x1a9f 后总和恰好是 0xFFFF,不会再触发折叠,所以这个差值就是 flag。注意 x/wx 只读了 v16 的低 32 位,对折叠后不超过 0xFFFF 的值来说足够;$rsp+0x38 这个栈偏移来自反汇编,本文没有贴出。

shi@ubuntu:~/xctf$ gdb ./r3
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./r3...
(No debugging symbols found in ./r3)
gdb-peda$ r
Starting program: /home/shi/xctf/r3 
plz input the key:
^C
Program received signal SIGINT, Interrupt.
......
gdb-peda$ vmmap
Start              End                Perm	Name
0x0000555555554000 0x0000555555555000 r-xp	/home/shi/xctf/r3
0x0000555555754000 0x0000555555755000 r--p	/home/shi/xctf/r3
0x0000555555755000 0x0000555555756000 rw-p	/home/shi/xctf/r3
......
gdb-peda$ b *0x00005555555549fc
Breakpoint 1 at 0x5555555549fc
gdb-peda$ r
Starting program: /home/shi/xctf/r3 
plz input the key:
flag{0000}
......
gdb-peda$ x/wx $rsp+0x38
0x7fffffffdee8:	0x0000e560
gdb-peda$ p 0xffff-0x0000e560
$1 = 0x1a9f
gdb-peda$ 

#flag{1a9f}
