无壳64位
用 IDA64 打开,查看主函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+14h] [rbp-Ch] BYREF
unsigned __int64 v5; // [rsp+18h] [rbp-8h]
v5 = __readfsqword(0x28u);
welcome(argc, argv, envp);
puts("_________________");
puts("try to patch me and find flag");
v4 = 0;
puts("please input a lucky number");
__isoc99_scanf("%d", &v4);
patch_me(v4);
puts("OK,see you again");
return 0;
}
一眼找到patch_me()函数
int __fastcall patch_me(int a1)
{
int result; // eax
if ( a1 % 2 == 1 )
result = puts("just finished");
else
result = get_flag();
return result;
}
如果输入的是偶数就进入get_flag()函数,继续跟踪
unsigned __int64 get_flag()
{
unsigned int v0; // eax
int i; // [rsp+4h] [rbp-3Ch]
int j; // [rsp+8h] [rbp-38h]
__int64 s; // [rsp+10h] [rbp-30h] BYREF
char v5; // [rsp+18h] [rbp-28h]
unsigned __int64 v6; // [rsp+38h] [rbp-8h]
v6 = __readfsqword(0x28u);
v0 = time(0LL);
srand(v0);
for ( i = 0; i <= 4; ++i )
{
switch ( rand() % 200 )
{
case 1:
puts("OK, it's flag:");
memset(&s, 0, 0x28uLL);
strcat((char *)&s, f1);
strcat((char *)&s, &f2);
printf("%s", (const char *)&s);
break;
case 2:
printf("Solar not like you");
break;
case 3:
printf("Solar want a girlfriend");
break;
case 4:
s = 0x7F666F6067756369LL;
v5 = 0;
strcat(&f2, (const char *)&s);
break;
case 5:
for ( j = 0; j <= 7; ++j )
{
if ( j % 2 == 1 )
*(&f2 + j) -= 2;
else
--*(&f2 + j);
}
break;
default:
puts("emmm,you can't find flag 23333");
break;
}
}
return __readfsqword(0x28u) ^ v6;
}
随机生成五个数然后执行switch语句
case2、case3、default不重要
case1将f1和f2连接作为flag
其中f1已知为GXY{do_not_
f2为空
case4将s = 0x7F666F6067756369LL复制给f2
由于小端序所以f2=[0x69,0x63,0x75,0x67,0x60,0x6F,0x66,0x7F]
case5对f2进行调整
奇数位-2,偶数位-1
猜测执行顺序应该是case4,case5,case1
脚本如下
f2=[0x69,0x63,0x75,0x67,0x60,0x6F,0x66,0x7F]
flag="GXY{do_not_"
for i in range(8):
if(i%2): flag+=chr(f2[i]-2)
else: flag+=chr(f2[i]-1)
print(flag)
flagGXY{do_not_hate_me}
提交上去是错的,改成flag{do_not_hate_me}就对了