// Decompiled credential check (IDA output): opens "flag.txt" in the current
// directory and compares it byte by byte against values produced by virtual
// calls on objects selected through off_17880[byte_E090[i]].
// Returns: the value read from fs:0x28 (the stack cookie) — an artifact of the
// stack-protector epilogue; the original function presumably returns void.
// Side effects: writes one of three messages to std::cout; calls exit(-1) when
// the file cannot be opened (the ifstream is not destroyed on that path).
unsigned __int64 sub_C220()
{
__int64 (__fastcall ***v0)(); // rdi — object whose first vtable slot yields the expected byte
char v2; // [rsp+7h] [rbp-239h] — loop-continue flag: i < 25 and the stream is still good()
unsigned __int8 v3; // [rsp+13h] [rbp-22Dh] — expected byte for position i
int i; // [rsp+14h] [rbp-22Ch] — position in the file / expected sequence
char v5; // [rsp+1Bh] [rbp-225h] — all-bytes-matched flag, cleared on any mismatch
char v6; // [rsp+2Fh] [rbp-211h] BYREF — byte read from the file; never initialised here
__int64 v7[66]; // [rsp+30h] [rbp-210h] BYREF — std::ifstream storage; v7[65] holds the stack cookie
v7[65] = __readfsqword(0x28u); // stack-protector cookie
std::ifstream::basic_ifstream(v7, "flag.txt", 8LL); // read the characters of 'flag.txt' in the current directory
if ( (std::ifstream::is_open(v7) & 1) == 0 )
{
std::operator<<<std::char_traits<char>>(&std::cout, "Could not find credentials\n");
exit(-1);
}
v5 = 1;
for ( i = 0; ; ++i )
{
v2 = 0;
if ( (unsigned __int64)i < 25 ) // flag length is 25
// good() is called on the std::ios base subobject; the adjustment through
// v7[0] - 24 is presumably the decompiler's rendering of the virtual-base offset lookup.
v2 = std::ios::good((char *)v7 + *(_QWORD *)(v7[0] - 24));
if ( (v2 & 1) == 0 )
break;
std::istream::get((std::istream *)v7, &v6);
// Select the object for position i and call the first entry of its vtable
// with v0 as the object pointer: a virtual call returning the expected byte.
v0 = off_17880[byte_E090[i]];
v3 = ((__int64 (__fastcall *)(__int64 (__fastcall ***)()))**v0)(v0);
// A mismatch only clears the flag; the loop keeps reading the remaining bytes.
if ( v6 != v3 )
v5 = 0;
}
// NOTE(review): nothing verifies that 25 bytes were actually read. The loop ends as
// soon as the stream stops being good(), so a shorter file is judged only by the
// bytes it supplied (plus, presumably, one comparison of a stale v6 after the
// failed get()); v5 stays 1 unless one of those comparisons mismatched.
if ( (v5 & 1) != 0 )
std::operator<<<std::char_traits<char>>(&std::cout, "Credentials Accepted! Vault Unlocking...\n");
else
std::operator<<<std::char_traits<char>>(&std::cout, "Incorrect Credentials - Anti Intruder Sequence Activated...\n");
std::ifstream::~ifstream(v7);
return __readfsqword(0x28u); // stack-protector check value, not a meaningful result
}
在当前目录下创建一个flag.txt文件,输入25个任意字符,然后用gdb调试
动态编译先获取下基地址
set stop-on-solib-events 1
r
vmmap
q
获取基地址后,重新进入gdb调试,直接在比较flag处下断
b *(0x0000555555554000 + 0xC3A1)
r
此时RAX中存放的是flag.txt中的字符,RCX中存放的是真正的flag。用c命令多次继续执行,即可获取flag的值
HTB{vt4bl3s_4r3_c00l_huh}