拖入ida
看到一堆冗长的我看不懂的代码
// IDA pseudo-code of the challenge binary's main(): a1 = argc, a2 = argv,
// a3 = the third entry-point argument (presumably envp; it is only forwarded).
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char *v3; // rbx
__int64 v4; // rax
__int64 v5; // rdx
__int64 v6; // rax
__int64 v7; // rdx
__int64 v8; // rdx -- current input character (see loop below)
__int64 v10[2]; // [rsp+10h] [rbp-60h] BYREF -- iterator over the input string
char v11[47]; // [rsp+20h] [rbp-50h] BYREF -- std::string built from argv[1]
char v12; // [rsp+4Fh] [rbp-21h] BYREF -- temporary std::allocator
__int64 v13; // [rsp+50h] [rbp-20h] BYREF -- end() iterator
int v14; // [rsp+5Ch] [rbp-14h] -- position in the input / index into dword_6020C0
// Exactly one argument is expected; otherwise print "Usage: <argv[0]> flag" and exit.
if ( a1 != 2 )
{
v3 = *a2;
v4 = std::operator<<>(&std::cout, "Usage: ", a3);
v6 = std::operator<<>(v4, v3, v5);
std::operator<<>(v6, " flag\n", v7);
exit(0);
}
// v11 = std::string(argv[1]); v12 is the allocator temporary the constructor takes.
std::allocator::allocator(&v12, a2, a3);
std::__cxx11::basic_string,std::allocator>::basic_string(v11, a2[1], &v12);
std::allocator::~allocator(&v12);
v14 = 0;
v10[0] = std::__cxx11::basic_string,std::allocator>::begin(v11);
// Walk the input one character at a time and compare each against the expected one.
while ( 1 )
{
v13 = std::__cxx11::basic_string,std::allocator>::end(v11);
// sub_400D3D looks like iterator operator!= (loop ends at end()) -- not confirmed here.
if ( !sub_400D3D(v10, &v13) )
break;
// sub_400D9A looks like iterator operator* -- not confirmed here.
v8 = *sub_400D9A(v10);
// Expected character: the string at off_6020A0 indexed through the dword_6020C0 table.
// Any mismatch goes to sub_400B56, which prints "Better luck next time" and exits.
if ( v8 != off_6020A0[dword_6020C0[v14]] )
sub_400B56(v10, &v13, v8);
++v14;
// sub_400D7A presumably advances the iterator -- not confirmed here.
sub_400D7A(v10);
}
// NOTE(review): the loop is bounded only by the input's length. Nothing visible here
// checks that every table entry was consumed, and an input longer than the table
// (31 dwords in the data dump below) indexes dword_6020C0 past its last entry.
// sub_400B73 runs only when no mismatch occurred; its body is not shown on this page.
sub_400B73();
std::__cxx11::basic_string,std::allocator>::~basic_string(v11);
return 0LL;
}
在 Linux 中运行，会输出
Better luck next time\n
跟踪字符串找到其所在的函数 : sub_400B56
// Failure path reached from main() on the first mismatching character: prints the
// message and terminates the process (__noreturn). a1/a2 are the iterator pair the
// caller passes, a3 the mismatching byte; only a3 is used, and merely as the third
// operand the decompiler attaches to operator<< (same artifact as in main()).
void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)
{
std::operator<<>(&std::cout, "Better luck next time\n", a3);
exit(0);
}
再看一看其周围的主函数部分:
可以推断出关键部分如下
if ( v8 != off_6020A0[dword_6020C0[v14]] )
sub_400B56(v10, &v13, v8);
++v14;
sub_400D7A(v10);
}
这里我也不知道 v8、v13 等变量分别是什么
所以先猜测 : off_6020A0[dword_6020C0[v14]] 是和flag有密切关系的字符数组
off_6020A0:
L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t
dword_6020C0[v14]:
.data:00000000006020C0 dword_6020C0 dd 24h ; DATA XREF: main+DD↑r
.data:00000000006020C4 align 8
.data:00000000006020C8 db 5
.data:00000000006020C9 db 0
.data:00000000006020CA db 0
.data:00000000006020CB db 0
.data:00000000006020CC db 36h ; 6
.data:00000000006020CD db 0
.data:00000000006020CE db 0
.data:00000000006020CF db 0
.data:00000000006020D0 db 65h ; e
.data:00000000006020D1 db 0
.data:00000000006020D2 db 0
.data:00000000006020D3 db 0
.data:00000000006020D4 db 7
.data:00000000006020D5 db 0
.data:00000000006020D6 db 0
.data:00000000006020D7 db 0
.data:00000000006020D8 db 27h ; '
.data:00000000006020D9 db 0
.data:00000000006020DA db 0
.data:00000000006020DB db 0
.data:00000000006020DC db 26h ; &
.data:00000000006020DD db 0
.data:00000000006020DE db 0
.data:00000000006020DF db 0
.data:00000000006020E0 db 2Dh ; -
.data:00000000006020E1 db 0
.data:00000000006020E2 db 0
.data:00000000006020E3 db 0
.data:00000000006020E4 db 1
.data:00000000006020E5 db 0
.data:00000000006020E6 db 0
.data:00000000006020E7 db 0
.data:00000000006020E8 db 3
.data:00000000006020E9 db 0
.data:00000000006020EA db 0
.data:00000000006020EB db 0
.data:00000000006020EC db 0
.data:00000000006020ED db 0
.data:00000000006020EE db 0
.data:00000000006020EF db 0
.data:00000000006020F0 db 0Dh
.data:00000000006020F1 db 0
.data:00000000006020F2 db 0
.data:00000000006020F3 db 0
.data:00000000006020F4 db 56h ; V
.data:00000000006020F5 db 0
.data:00000000006020F6 db 0
.data:00000000006020F7 db 0
.data:00000000006020F8 db 1
.data:00000000006020F9 db 0
.data:00000000006020FA db 0
.data:00000000006020FB db 0
.data:00000000006020FC db 3
.data:00000000006020FD db 0
.data:00000000006020FE db 0
.data:00000000006020FF db 0
.data:0000000000602100 db 65h ; e
.data:0000000000602101 db 0
.data:0000000000602102 db 0
.data:0000000000602103 db 0
.data:0000000000602104 db 3
.data:0000000000602105 db 0
.data:0000000000602106 db 0
.data:0000000000602107 db 0
.data:0000000000602108 db 2Dh ; -
.data:0000000000602109 db 0
.data:000000000060210A db 0
.data:000000000060210B db 0
.data:000000000060210C db 16h
.data:000000000060210D db 0
.data:000000000060210E db 0
.data:000000000060210F db 0
.data:0000000000602110 db 2
.data:0000000000602111 db 0
.data:0000000000602112 db 0
.data:0000000000602113 db 0
.data:0000000000602114 db 15h
.data:0000000000602115 db 0
.data:0000000000602116 db 0
.data:0000000000602117 db 0
.data:0000000000602118 db 3
.data:0000000000602119 db 0
.data:000000000060211A db 0
.data:000000000060211B db 0
.data:000000000060211C db 65h ; e
.data:000000000060211D db 0
.data:000000000060211E db 0
.data:000000000060211F db 0
.data:0000000000602120 db 0
.data:0000000000602121 db 0
.data:0000000000602122 db 0
.data:0000000000602123 db 0
.data:0000000000602124 db 29h ; )
.data:0000000000602125 db 0
.data:0000000000602126 db 0
.data:0000000000602127 db 0
.data:0000000000602128 db 44h ; D
.data:0000000000602129 db 0
.data:000000000060212A db 0
.data:000000000060212B db 0
.data:000000000060212C db 44h ; D
.data:000000000060212D db 0
.data:000000000060212E db 0
.data:000000000060212F db 0
.data:0000000000602130 db 1
.data:0000000000602131 db 0
.data:0000000000602132 db 0
.data:0000000000602133 db 0
.data:0000000000602134 db 44h ; D
.data:0000000000602135 db 0
.data:0000000000602136 db 0
.data:0000000000602137 db 0
.data:0000000000602138 db 2Bh ; +
.data:0000000000602139 db 0
.data:000000000060213A db 0
.data:000000000060213B db 0
于是尝试按照题目中数组嵌套索引的方式输出一下，看是否就是 flag
注意一点就是 上面的
align 8
意思是下一项按 8 字节对齐，也就是两个数之间隔了 7 个为 0 的字节
所以在提取数字的时候注意,开头的 24 和 5 之间还应该有个0
写下脚本解题
#include <stdio.h>
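/*
 * Rebuilds the flag the way the binary checks it: each entry of the offset
 * table `b` (recovered from dword_6020C0) selects one character of the
 * alphabet string `a` (off_6020A0). Prints the result and returns 0; returns 1
 * if an offset would read past the end of `a`.
 */
int main()
{
    /* Alphabet string, off_6020A0 in the binary. */
    const char a[] = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
    /* Offset table, dword_6020C0: the 0x00 after 0x24 is the `align 8` padding dword. */
    const unsigned char b[] = {
        0x24, 0x00, 0x05, 0x36, 0x65, 0x07, 0x27, 0x26, 0x2D, 0x01, 0x03, 0x00, 0x0D,
        0x56, 0x01, 0x03, 0x65, 0x03, 0x2D, 0x16, 0x02, 0x15, 0x03, 0x65, 0x00, 0x29,
        0x44, 0x44, 0x01, 0x44, 0x2B,
    };
    const size_t count = sizeof(b) / sizeof(b[0]);
    /* One extra byte so the buffer is NUL-terminated before printf("%s") reads it;
     * the original flag[31] had no terminator and printf ran past the array. */
    char flag[sizeof(b) / sizeof(b[0]) + 1];
    size_t i;

    for (i = 0; i < count; i++) {
        /* An offset beyond the alphabet would be an out-of-bounds read. */
        if (b[i] >= sizeof(a) - 1) {
            fprintf(stderr, "offset %zu is out of range\n", i);
            return 1;
        }
        flag[i] = a[b[i]];
    }
    flag[count] = '\0';

    printf("%s", flag);
    return 0;
}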
输出
ALEXCTF{W3_L0v3_C_W1th_CL45535}
--------------------------------
Process exited after 0.07204 seconds with return value 0
请按任意键继续. . .