攻防re_secret-galaxy-300
拖入IDA后看到main函数:
/* Entry point of the challenge binary as IDA shows it: populate the global
 * starbase table, print it, exit.  main itself never calls the routine that
 * builds the hidden record (the one IDA names __libc_csu_gala further down);
 * presumably it is reached from the runtime start-up code instead -- confirm
 * via the cross-references. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    __main();                   /* compiler-inserted start-up hook (GCC/MinGW `__main`); not challenge logic */
    fill_starbase(&starbase);   /* fills the 5 x 24-byte records that print_starbase walks */
    print_starbase(&starbase);  /* prints the table -- the flag is NOT part of this output */
    return 0;
}
点开print那个函数看看:
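/* Prints the galaxy table.  a1 is the address of the starbase array: records
 * of 24 bytes each, read at three offsets -- +0 a char* (galaxy name),
 * +4 an int (distance from Earth), +8 an int flag (1 == inhabited).  The
 * disassembly later shows a fourth field at +0xC (a pointer to the secret
 * buffer); it is never read here, which is why the flag never reaches the
 * program's output.  Returns whatever the last puts/printf returned.
 *
 * NB: IDA's signature is print_starbase(int a1); the opening parenthesis was
 * lost when the listing was pasted into the write-up. */
int __cdecl print_starbase(int a1)
{
    int result; // eax
    const char *v2; // edx
    int i; // [esp+1Ch] [ebp-Ch]
    puts("--------------GALAXY DATABASE-------------");
    printf("%10s | %s | %s\n", "Galaxy name", "Existence of life", "Distance from Earth");
    result = puts("-------------------------------------------");
    for ( i = 0; i <= 4; ++i )   /* exactly 5 records; the bound is hard-coded, not input-driven */
    {
        if ( *(24 * i + a1 + 8) == 1 )   /* +8: inhabited flag */
            v2 = "INHABITED";
        else
            v2 = "IS NOT INHABITED";
        /* +0: name pointer, +4: distance (int) */
        result = printf("%11s | %17s | %d\n", *(24 * i + a1), v2, *(24 * i + a1 + 4));
    }
    return result;
}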
发现会打印出来一堆东西,但貌似与flag无关
于是查看一下字符串列表,看看它们之间有没有什么关联(貌似没有)
于是调试运行一下看看输出:将断点设在print函数的return处
和IDA中的字符串列表对比,发现有一个字符串没有被打印出来:
.rdata:0040A093 00000013 C DARK SECRET GALAXY
所以用Ctrl+X查看它的交叉引用,跟踪到引用它的汇编代码
.text:004013ED mov edx, off_409014 ; "DARK SECRET GALAXY"
方法一,动态调试
此处设断点,在od中调试直到该函数结束:
004013E | 55 | push ebp |
004013E | 89E5 | mov ebp,esp |
004013E | 83EC 10 | sub esp,10 |
004013E | C745 FC 98DA4000 | mov dword ptr ss:[ebp-4],task10_x | [ebp-4]:&"DARK SECRET GALAXY", 40DA98:&"DARK SECRET GALAXY"
004013E | 8B15 14904000 | mov edx,dword ptr ds:[409014] | edx:"DARK SECRET GALAXY", 00409014:&"DARK SECRET GALAXY"
004013F | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:&"DARK SECRET GALAXY"
004013F | 8910 | mov dword ptr ds:[eax],edx | edx:"DARK SECRET GALAXY"
004013F | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:&"DARK SECRET GALAXY"
004013F | C740 0C C0DA4000 | mov dword ptr ds:[eax+C],task10_x | 40DAC0:"aliens_are_around_us"
0040140 | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:&"DARK SECRET GALAXY"
0040140 | C740 04 697A0000 | mov dword ptr ds:[eax+4],7A69 |
0040140 | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:&"DARK SECRET GALAXY"
0040140 | C740 08 01000000 | mov dword ptr ds:[eax+8],1 |
0040141 | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
0040141 | 0FB640 08 | movzx eax,byte ptr ds:[eax+8] |
0040141 | A2 C0DA4000 | mov byte ptr ds:[40DAC0],al | 0040DAC0:"aliens_are_around_us"
0040142 | A1 10904000 | mov eax,dword ptr ds:[409010] | 00409010:&"Triangulum"
0040142 | 0FB640 07 | movzx eax,byte ptr ds:[eax+7] |
0040142 | A2 C1DA4000 | mov byte ptr ds:[40DAC1],al | 0040DAC1:"liens_are_around_us"
0040143 | A1 08904000 | mov eax,dword ptr ds:[409008] | 00409008:&"Messier"
0040143 | 0FB640 04 | movzx eax,byte ptr ds:[eax+4] |
0040143 | A2 C2DA4000 | mov byte ptr ds:[40DAC2],al | 0040DAC2:"iens_are_around_us"
0040144 | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
0040144 | 0FB640 06 | movzx eax,byte ptr ds:[eax+6] |
0040144 | A2 C3DA4000 | mov byte ptr ds:[40DAC3],al | 0040DAC3:"ens_are_around_us"
0040144 | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
0040145 | 0FB640 01 | movzx eax,byte ptr ds:[eax+1] |
0040145 | A2 C4DA4000 | mov byte ptr ds:[40DAC4],al | 0040DAC4:"ns_are_around_us"
0040145 | A1 08904000 | mov eax,dword ptr ds:[409008] | 00409008:&"Messier"
0040146 | 0FB640 02 | movzx eax,byte ptr ds:[eax+2] |
0040146 | A2 C5DA4000 | mov byte ptr ds:[40DAC5],al | 0040DAC5:"s_are_around_us"
0040146 | C605 C6DA4000 5F | mov byte ptr ds:[40DAC6],5F | 0040DAC6:"_are_around_us", 5F:'_'
0040147 | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
0040147 | 0FB640 08 | movzx eax,byte ptr ds:[eax+8] |
0040147 | A2 C7DA4000 | mov byte ptr ds:[40DAC7],al | 0040DAC7:"are_around_us"
0040147 | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
0040148 | 0FB640 03 | movzx eax,byte ptr ds:[eax+3] |
0040148 | A2 C8DA4000 | mov byte ptr ds:[40DAC8],al | 0040DAC8:"re_around_us"
0040148 | A1 0C904000 | mov eax,dword ptr ds:[40900C] | 0040900C:&"Sombrero"
0040149 | 0FB640 05 | movzx eax,byte ptr ds:[eax+5] |
0040149 | A2 C9DA4000 | mov byte ptr ds:[40DAC9],al | 0040DAC9:"e_around_us"
0040149 | C605 CADA4000 5F | mov byte ptr ds:[40DACA],5F | 0040DACA:"_around_us", 5F:'_'
004014A | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
004014A | 0FB640 08 | movzx eax,byte ptr ds:[eax+8] |
004014A | A2 CBDA4000 | mov byte ptr ds:[40DACB],al | 0040DACB:"around_us"
004014B | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
004014B | 0FB640 03 | movzx eax,byte ptr ds:[eax+3] |
004014B | A2 CCDA4000 | mov byte ptr ds:[40DACC],al | 0040DACC:"round_us"
004014B | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
004014C | 0FB640 04 | movzx eax,byte ptr ds:[eax+4] |
004014C | A2 CDDA4000 | mov byte ptr ds:[40DACD],al | 0040DACD:"ound_us"
004014C | A1 10904000 | mov eax,dword ptr ds:[409010] | 00409010:&"Triangulum"
004014D | 0FB640 06 | movzx eax,byte ptr ds:[eax+6] |
004014D | A2 CEDA4000 | mov byte ptr ds:[40DACE],al | 0040DACE:"und_us"
004014D | A1 10904000 | mov eax,dword ptr ds:[409010] | 00409010:&"Triangulum"
004014D | 0FB640 04 | movzx eax,byte ptr ds:[eax+4] |
004014E | A2 CFDA4000 | mov byte ptr ds:[40DACF],al | 0040DACF:"nd_us"
004014E | A1 04904000 | mov eax,dword ptr ds:[409004] | 00409004:&"Andromeda"
004014E | 0FB640 02 | movzx eax,byte ptr ds:[eax+2] |
004014F | A2 D0DA4000 | mov byte ptr ds:[40DAD0],al | 0040DAD0:"d_us"
004014F | C605 D1DA4000 5F | mov byte ptr ds:[40DAD1],5F | 0040DAD1:"_us", 5F:'_'
004014F | A1 10904000 | mov eax,dword ptr ds:[409010] | 00409010:&"Triangulum"
0040150 | 0FB640 06 | movzx eax,byte ptr ds:[eax+6] |
0040150 | A2 D2DA4000 | mov byte ptr ds:[40DAD2],al |
0040150 | A1 08904000 | mov eax,dword ptr ds:[409008] | 00409008:&"Messier"
0040151 | 0FB640 03 | movzx eax,byte ptr ds:[eax+3] |
0040151 | A2 D3DA4000 | mov byte ptr ds:[40DAD3],al |
0040151 | C605 D4DA4000 00 | mov byte ptr ds:[40DAD4],0 |
0040152 | C9 | leave |
发现一些醒目的字符串:
尝试一下,发现这正是flag
aliens_are_around_us
方法二 脚本运行
跟踪到"DARK SECRET GALAXY" 之后查看伪代码
/* The hidden routine (its IDA name mimics libc's __libc_csu_* helpers; the
 * name is a decoy).  It fills one more 24-byte starbase record, sc, with the
 * name "DARK SECRET GALAXY" (off_409014), distance 'zi' == 0x7A69 (31337,
 * cf. `mov dword ptr [eax+4],7A69` in the disassembly), inhabited == 1 and a
 * pointer to a 21-byte buffer at byte_40DAC0.  It then assembles the flag
 * into that buffer one character at a time from the four galaxy names the
 * table already holds:
 *   off_409004 -> "Andromeda"   off_409010 -> "Triangulum"
 *   off_409008 -> "Messier"     off_40900C -> "Sombrero"
 * Because every byte is copied individually at run time, the flag never
 * exists as a literal in .rdata -- which is why the string list did not show
 * it, and only a debugger break after this routine (or re-implementing these
 * assignments) reveals it.  The return value is merely the last byte the
 * compiler left in eax; nothing uses it. */
int __libc_csu_gala()
{
    int result; // eax
    sc[0] = off_409014;     /* +0:   galaxy name pointer ("DARK SECRET GALAXY") */
    sc[3] = &byte_40DAC0;   /* +0xC: pointer to the flag buffer -- print_starbase never reads this field */
    sc[1] = 'zi';           /* +4:   distance; multi-character constant == 0x7A69 */
    sc[2] = 1;              /* +8:   inhabited flag */
    /* bytes 0..5: "aliens" */
    byte_40DAC0 = off_409004[0][8];
    byte_40DAC1 = off_409010[0][7];
    byte_40DAC2 = off_409008[0][4];
    byte_40DAC3 = off_409004[0][6];
    byte_40DAC4 = off_409004[0][1];
    byte_40DAC5 = off_409008[0][2];
    byte_40DAC6 = '_';
    /* bytes 7..9: "are" */
    byte_40DAC7 = off_409004[0][8];
    byte_40DAC8 = off_409004[0][3];
    byte_40DAC9 = off_40900C[0][5];
    byte_40DACA = 95;       /* 95 == '_' */
    /* bytes 11..16: "around" */
    byte_40DACB = off_409004[0][8];
    byte_40DACC = off_409004[0][3];
    byte_40DACD = off_409004[0][4];
    byte_40DACE = off_409010[0][6];
    byte_40DACF = off_409010[0][4];
    byte_40DAD0 = off_409004[0][2];
    byte_40DAD1 = 95;       /* 95 == '_' */
    /* bytes 18..19: "us" */
    byte_40DAD2 = off_409010[0][6];
    result = *((unsigned __int8 *)off_409008[0] + 3);   /* same byte as the next line; leftover of the eax load */
    byte_40DAD3 = off_409008[0][3];
    byte_40DAD4 = 0;        /* NUL terminator: the buffer is 21 bytes, 20 characters + 0 */
    return result;
}
分析该函数的执行过程后发现,拼接flag的函数中用到了四个数组
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-D1YtoGHq-1649038820820)(C:\Users\春\AppData\Roaming\Typora\typora-user-images\image-20220401133558278.png)]分别储存字符串,通过每次取其中的某个字符来获得flag,于是编写脚本如下:
#include <stdio.h>
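/*
 * Re-implements the flag assembly done by the binary's __libc_csu_gala():
 * each flag character is a single byte picked out of one of the four galaxy
 * names held in the starbase table (IDA's off_409004 / off_409010 /
 * off_409008 / off_40900C).
 *
 * Fix over the first version of this script: the binary writes 20 flag bytes
 * and then a terminating 0 (byte_40DAD4 = 0).  With `char flag[20]` every
 * slot is overwritten by a flag character, no '\0' is left, and
 * printf("%s") reads past the end of the array -- undefined behaviour whose
 * output depends on whatever happens to follow the array on the stack.  The
 * buffer is now 21 bytes and the terminator is written explicitly.
 */
int main(void)
{
    const char o4[] = "Andromeda";    /* off_409004 */
    const char o10[] = "Triangulum";  /* off_409010 */
    const char o8[] = "Messier";      /* off_409008 */
    const char oc[] = "Sombrero";     /* off_40900C */
    char flag[21] = {0};              /* 20 characters + '\0' */

    /* "aliens" */
    flag[0] = o4[8];
    flag[1] = o10[7];
    flag[2] = o8[4];
    flag[3] = o4[6];
    flag[4] = o4[1];
    flag[5] = o8[2];
    flag[6] = '_';
    /* "are" */
    flag[7] = o4[8];
    flag[8] = o4[3];
    flag[9] = oc[5];
    flag[10] = '_';
    /* "around" */
    flag[11] = o4[8];
    flag[12] = o4[3];
    flag[13] = o4[4];
    flag[14] = o10[6];
    flag[15] = o10[4];
    flag[16] = o4[2];
    flag[17] = '_';
    /* "us" */
    flag[18] = o10[6];
    flag[19] = o8[3];
    flag[20] = '\0';                  /* mirrors byte_40DAD4 = 0 in the binary */

    printf("%s",flag);
    return 0;
}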
运行得到flag:aliens_are_around_us