题目描述:菜鸡发现这个程序偷偷摸摸在自己的机器上搞事情,它决定一探究竟
拿去IDA看一下主函数伪代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v3; // al
__int64 v5; // [rsp+0h] [rbp-40h]
int i; // [rsp+4h] [rbp-3Ch]
FILE *stream; // [rsp+8h] [rbp-38h]
char filename[8]; // [rsp+10h] [rbp-30h]
unsigned __int64 v9; // [rsp+28h] [rbp-18h]
v9 = __readfsqword(0x28u);
LODWORD(v5) = 0;//赋值
while ( (signed int)v5 < strlen(s) )//s=c61b68366edeb7bdce3c6820314b7498
{ //strlen(s)=32
if ( v5 & 1 )
v3 = 1;
else
v3 = -1;
*(&t + (signed int)v5 + 10) = s[(signed int)v5] + v3;
//t=SharifCTF{????????????????????????????????}
LODWORD(v5) = v5 + 1;
}
strcpy(filename, "/tmp/flag.txt");
// /tmp是Linux下的存储临时文件的目录,程序运行完即自动删除该程序的文件
stream = fopen(filename, "w");
fprintf(stream, "%s\n", u, v5);
//u=*******************************************,写这一串进去意味给flag加密
for ( i = 0; i < strlen(&t); ++i )
{
fseek(stream, p[i], 0);
fputc(*(&t + p[i]), stream);
fseek(stream, 0LL, 0);
fprintf(stream, "%s\n", u);
}
fclose(stream);
remove(filename);
return 0;
}
编写脚本
s='c61b68366edeb7bdce3c6820314b7498'
flag='SharifCTF{'
t=''
a='}'
for i in range(len(s)):
if i & 1:
v3=1
else:
v3=-1
t+=chr(ord(s[i])+v3)
print(flag + t + a)
#SharifCTF{b70c59275fcfa8aebf2d5911223c6589}