关键代码是 for 循环，C++ 看得我头昏脑胀
// Walks the std::string v12 byte by byte with an iterator `i`.  sub_400D7A, sub_400D3D and
// sub_400D9A are not shown here; from how they are used they look like the iterator's
// operator++, operator!= and operator* (advance, compare with end(), dereference) — confirm in the binary.
for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v12); ; sub_400D7A(&i) )
{
v14 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v12);
if ( !sub_400D3D((__int64)&i, (__int64)&v14) )
break;
// Current input byte, zero-extended to v9.
v9 = *(unsigned __int8 *)sub_400D9A((__int64)&i);
// Expected byte for position v15: the character pool at off_6020A0, indexed through the
// dword_6020C0 table.  sub_400B56 (body not shown) is reached only on a mismatch, and nothing
// here breaks out afterwards, so every input position is visited unless sub_400B56 itself exits.
// NOTE(review): nothing visible bounds v15 by the 31-entry table; the loop length comes from the
// input string, so an input longer than the table would index past dword_6020C0 — check the callee.
if ( (_BYTE)v9 != off_6020A0[dword_6020C0[v15]] )
sub_400B56((__int64)&i, (__int64)&v14, v9);
++v15;
}
// Runs once after the loop; sub_400B73 and v8 are not shown, so its role is not known from this excerpt.
sub_400B73((__int64)&i, (__int64)&v14, v8);0
dword_6020C0[]是从6020C0到60213B
00000000006020C0 24 00 00 00 00 00 00 00 05 00 00 00 36 00 00 00
00000000006020D0 65 00 00 00 07 00 00 00 27 00 00 00 26 00 00 00
00000000006020E0 2D 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00
00000000006020F0 0D 00 00 00 56 00 00 00 01 00 00 00 03 00 00 00
0000000000602100 65 00 00 00 03 00 00 00 2D 00 00 00 16 00 00 00
0000000000602110 02 00 00 00 15 00 00 00 03 00 00 00 65 00 00 00
0000000000602120 00 00 00 00 29 00 00 00 44 00 00 00 44 00 00 00
0000000000602130 01 00 00 00 44 00 00 00 2B 00 00 00 ?? ?? ?? ??
off_6020A0[]
.rodata:0000000000400E58 aL3tMeT3llY0uS0 db 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t'
.rodata:0000000000400E58 ; DATA XREF: .data:off_6020A0↓o
.rodata:0000000000400E58 db '_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t',0
即从off_6020A0[dword_6020C0[i]]中取字符组成flag。
exp
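#include <stdio.h>
#include <string.h>

/* Index table dumped from dword_6020C0 (31 little-endian dwords at 0x6020C0..0x60213B). */
int a[31]={0x24,0,0x05,0x36,0x65,0x07,0x27,0x26,0x2D,0x01,0x03,0,0x0D,0x56,0x01,0x03,0x65,0x03,0x2D,0x16,0x02,0x15,0x03,0x65,0,0x29,0x44,0x44,0x01,0x44,0x2B};
/* Character pool the binary indexes into: the string pointed to by off_6020A0. */
char b[]="L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
/* One extra byte so the decoded flag is NUL-terminated and can be printed as a string. */
char flag[sizeof(a)/sizeof(a[0]) + 1];

/*
 * Rebuilds the flag the way the binary's check loop reads it: byte i is pool[idx[i]].
 *
 * idx   - index table with `count` entries
 * count - number of flag characters to produce (must be >= 0)
 * pool  - NUL-terminated character pool
 * out   - receives the NUL-terminated flag; must hold count + 1 bytes
 *
 * Returns count on success, or -1 if count is negative or any index is
 * negative / at or beyond the pool's terminator, so a mistyped table entry
 * is reported instead of silently reading past the end of pool.
 */
int decode_flag(const int *idx, int count, const char *pool, char *out)
{
    int pool_len = (int)strlen(pool);
    int i;
    if (count < 0)
    {
        out[0] = '\0';
        return -1;
    }
    for (i = 0; i < count; i++)
    {
        /* Bounds check first: the original snippet trusted the table blindly. */
        if (idx[i] < 0 || idx[i] >= pool_len)
        {
            out[0] = '\0';
            return -1;
        }
        out[i] = pool[idx[i]];
    }
    out[count] = '\0';
    return count;
}

int main(void)
{
    int n = decode_flag(a, (int)(sizeof(a)/sizeof(a[0])), b, flag);
    if (n < 0)
    {
        fprintf(stderr, "index table points outside the character pool\n");
        return 1;
    }
    printf("%s\n", flag);   /* ALEXCTF{W3_L0v3_C_W1th_CL45535} */
    return 0;
}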
//ALEXCTF{W3_L0v3_C_W1th_CL45535}