攻防re2-cpp-is-awesome(c++干扰我,align 8作用)

攻防re2-cpp-is-awesome

拖入ida

看到一堆冗长的我看不懂的代码

// IDA pseudocode of the challenge's main(): builds a std::string from argv[1],
// walks it with an iterator and compares every character against a value
// looked up through two global tables (dword_6020C0 -> off_6020A0).
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rbx
  __int64 v4; // rax
  __int64 v5; // rdx
  __int64 v6; // rax
  __int64 v7; // rdx
  __int64 v8; // rdx  -- current input character
  __int64 v10[2]; // [rsp+10h] [rbp-60h] BYREF  -- iterator over the input string
  char v11[47]; // [rsp+20h] [rbp-50h] BYREF  -- std::string built from argv[1]
  char v12; // [rsp+4Fh] [rbp-21h] BYREF  -- temporary allocator for the string ctor
  __int64 v13; // [rsp+50h] [rbp-20h] BYREF  -- end() iterator, recomputed each pass
  int v14; // [rsp+5Ch] [rbp-14h]  -- position counter into dword_6020C0

  // Exactly one argument is expected ("<prog> flag"); anything else prints usage and exits.
  if ( a1 != 2 )
  {
    v3 = *a2;
    v4 = std::operator<<>(&std::cout, "Usage: ", a3);
    v6 = std::operator<<>(v4, v3, v5);
    std::operator<<>(v6, " flag\n", v7);
    exit(0);
  }
  // std::string v11(argv[1]); the allocator temp v12 lives only around the ctor call.
  std::allocator::allocator(&v12, a2, a3);
  std::__cxx11::basic_string,std::allocator>::basic_string(v11, a2[1], &v12);
  std::allocator::~allocator(&v12);
  v14 = 0;
  v10[0] = std::__cxx11::basic_string,std::allocator>::begin(v11);
  while ( 1 )
  {
    v13 = std::__cxx11::basic_string,std::allocator>::end(v11);
    // presumably iterator operator!=(begin, end) -- body not shown here
    if ( !sub_400D3D(v10, &v13) )
      break;
    // presumably iterator operator*: fetch the current input character
    v8 = *sub_400D9A(v10);
    // Expected character: off_6020A0[dword_6020C0[v14]]. dword_6020C0 is read as
    // a dword array, so the 4 padding bytes that `align 8` inserts after its
    // first entry are seen as an element with value 0.
    // NOTE(review): v14 is bounded only by the input length, not by the size of
    // dword_6020C0 -- a longer input indexes past the table, and a shorter input
    // whose characters all match reaches sub_400B73 without any length check.
    if ( v8 != off_6020A0[dword_6020C0[v14]] )
      sub_400B56(v10, &v13, v8); // mismatch: prints "Better luck next time\n" and exits
    ++v14;
    sub_400D7A(v10); // presumably iterator operator++
  }
  sub_400B73(); // reached only after every input character matched; body not shown
  std::__cxx11::basic_string,std::allocator>::~basic_string(v11);
  return 0LL;
}

在 linux 中运行,会输出

Better luck next time\n

跟踪字符串找到其所在的函数 : sub_400B56

// Failure path: called from main() on the first mismatching character.
// Prints the message and terminates the process with exit status 0.
// a1 and a2 (the iterator pair forwarded by the caller) are unused in the visible body.
void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)
{
  std::operator<<>(&std::cout, "Better luck next time\n", a3);
  exit(0);
}

再看一看其周围的主函数部分:

可以推断出关键部分如下

if ( v8 != off_6020A0[dword_6020C0[v14]] )
      sub_400B56(v10, &v13, v8);
    ++v14;
    sub_400D7A(v10);
  }

这里我也不知道 v8 是什么,v13 等等又是什么

所以先猜测 : off_6020A0[dword_6020C0[v14]] 是和flag有密切关系的字符数组

off_6020A0:

L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t

dword_6020C0[v14]:

.data:00000000006020C0 dword_6020C0    dd 24h                  ; DATA XREF: main+DD↑r
.data:00000000006020C4                 align 8
.data:00000000006020C8                 db    5
.data:00000000006020C9                 db    0
.data:00000000006020CA                 db    0
.data:00000000006020CB                 db    0
.data:00000000006020CC                 db  36h ; 6
.data:00000000006020CD                 db    0
.data:00000000006020CE                 db    0
.data:00000000006020CF                 db    0
.data:00000000006020D0                 db  65h ; e
.data:00000000006020D1                 db    0
.data:00000000006020D2                 db    0
.data:00000000006020D3                 db    0
.data:00000000006020D4                 db    7
.data:00000000006020D5                 db    0
.data:00000000006020D6                 db    0
.data:00000000006020D7                 db    0
.data:00000000006020D8                 db  27h ; '
.data:00000000006020D9                 db    0
.data:00000000006020DA                 db    0
.data:00000000006020DB                 db    0
.data:00000000006020DC                 db  26h ; &
.data:00000000006020DD                 db    0
.data:00000000006020DE                 db    0
.data:00000000006020DF                 db    0
.data:00000000006020E0                 db  2Dh ; -
.data:00000000006020E1                 db    0
.data:00000000006020E2                 db    0
.data:00000000006020E3                 db    0
.data:00000000006020E4                 db    1
.data:00000000006020E5                 db    0
.data:00000000006020E6                 db    0
.data:00000000006020E7                 db    0
.data:00000000006020E8                 db    3
.data:00000000006020E9                 db    0
.data:00000000006020EA                 db    0
.data:00000000006020EB                 db    0
.data:00000000006020EC                 db    0
.data:00000000006020ED                 db    0
.data:00000000006020EE                 db    0
.data:00000000006020EF                 db    0
.data:00000000006020F0                 db  0Dh
.data:00000000006020F1                 db    0
.data:00000000006020F2                 db    0
.data:00000000006020F3                 db    0
.data:00000000006020F4                 db  56h ; V
.data:00000000006020F5                 db    0
.data:00000000006020F6                 db    0
.data:00000000006020F7                 db    0
.data:00000000006020F8                 db    1
.data:00000000006020F9                 db    0
.data:00000000006020FA                 db    0
.data:00000000006020FB                 db    0
.data:00000000006020FC                 db    3
.data:00000000006020FD                 db    0
.data:00000000006020FE                 db    0
.data:00000000006020FF                 db    0
.data:0000000000602100                 db  65h ; e
.data:0000000000602101                 db    0
.data:0000000000602102                 db    0
.data:0000000000602103                 db    0
.data:0000000000602104                 db    3
.data:0000000000602105                 db    0
.data:0000000000602106                 db    0
.data:0000000000602107                 db    0
.data:0000000000602108                 db  2Dh ; -
.data:0000000000602109                 db    0
.data:000000000060210A                 db    0
.data:000000000060210B                 db    0
.data:000000000060210C                 db  16h
.data:000000000060210D                 db    0
.data:000000000060210E                 db    0
.data:000000000060210F                 db    0
.data:0000000000602110                 db    2
.data:0000000000602111                 db    0
.data:0000000000602112                 db    0
.data:0000000000602113                 db    0
.data:0000000000602114                 db  15h
.data:0000000000602115                 db    0
.data:0000000000602116                 db    0
.data:0000000000602117                 db    0
.data:0000000000602118                 db    3
.data:0000000000602119                 db    0
.data:000000000060211A                 db    0
.data:000000000060211B                 db    0
.data:000000000060211C                 db  65h ; e
.data:000000000060211D                 db    0
.data:000000000060211E                 db    0
.data:000000000060211F                 db    0
.data:0000000000602120                 db    0
.data:0000000000602121                 db    0
.data:0000000000602122                 db    0
.data:0000000000602123                 db    0
.data:0000000000602124                 db  29h ; )
.data:0000000000602125                 db    0
.data:0000000000602126                 db    0
.data:0000000000602127                 db    0
.data:0000000000602128                 db  44h ; D
.data:0000000000602129                 db    0
.data:000000000060212A                 db    0
.data:000000000060212B                 db    0
.data:000000000060212C                 db  44h ; D
.data:000000000060212D                 db    0
.data:000000000060212E                 db    0
.data:000000000060212F                 db    0
.data:0000000000602130                 db    1
.data:0000000000602131                 db    0
.data:0000000000602132                 db    0
.data:0000000000602133                 db    0
.data:0000000000602134                 db  44h ; D
.data:0000000000602135                 db    0
.data:0000000000602136                 db    0
.data:0000000000602137                 db    0
.data:0000000000602138                 db  2Bh ; +
.data:0000000000602139                 db    0
.data:000000000060213A                 db    0
.data:000000000060213B                 db    0

于是尝试按照题目中数组嵌套的方法输出一下看是否是flag

注意一点就是 上面的

align 8

意思是下一项要对齐到 8 字节边界: 6020C0 处的 dword 只占 4 字节,6020C4~6020C7 这 4 个字节被补 0,按 dword 数组读出来就是一个值为 0 的元素

所以在提取数字的时候注意,开头的 24 和 5 之间还应该有个0

写下脚本解题

#include <stdio.h>
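/*
 * Solve script: rebuild the flag from the two tables recovered in IDA.
 *
 *   a[] - the character pool at off_6020A0
 *   b[] - the index table at dword_6020C0, one entry per dword; the 4 bytes
 *         of padding that `align 8` inserts after the first dword read as a
 *         0 entry, hence b[1] == 0x00
 *
 * main() in the binary requires argv[1][i] == a[b[i]] for every i, so the
 * flag is simply a[b[i]] for i in [0, sizeof b).
 */
int main(void)
{
	const char a[] = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
	/* unsigned so an entry can never become a negative index into a[] */
	const unsigned char b[] = {0x24,0x00,0x05,0x36, 0x65,0x07, 0x27, 0x26,0x2D,0x01,0x03,0x00,0x0D,
	0x56, 0x01, 0x03, 0x65, 0x03,   0x2D, 0x16, 0x02, 0x15, 0x03,   0x65, 0x00,  0x29, 0x44, 0x44,   0x01, 0x44, 0x2B};
	const size_t n = sizeof(b) / sizeof(b[0]); /* 31 entries, derived instead of hard-coded */
	char flag[sizeof(b) + 1];                  /* +1 for the terminator */
	size_t i;

	for (i = 0; i < n; i++)
	{
		flag[i] = a[b[i]];
	}
	/* The original left flag[] unterminated, so printf("%s") read past the
	 * buffer; terminate it before printing. */
	flag[n] = '\0';

	printf("%s", flag);
	return 0;
}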

输出

ALEXCTF{W3_L0v3_C_W1th_CL45535}
--------------------------------
Process exited after 0.07204 seconds with return value 0
请按任意键继续. . .
