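[NISACTF 2022]sign-ezc++ | NSSCTF: Namespaces
1. Preface
This is a write-up for [NISACTF 2022]sign-ezc++ | NSSCTF. It is a C++ challenge.
2. Solution approach
First, drag the file into IDA. Press F5 to decompile; there are quite a few odd-looking namespaces, so go through them one by one.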
int __cdecl main(int argc, const char **argv, const char **envp)
{
  Man *v3; // rbx
  Human *v4; // rbx
  std::string name; // [rsp+20h] [rbp-20h] BYREF
  char v7; // [rsp+37h] [rbp-9h] BYREF
  Human *m; // [rsp+38h] [rbp-8h]

  _main();
  std::allocator<char>::allocator(&v7);
  std::string::string(&name, "NISACTF", &v7);
  v3 = (Man *)operator new(0x18ui64);
  Man::Man(v3, (std::string)&name, 4);
  m = v3;
  std::string::~string(&name);
  std::allocator<char>::~allocator(&v7);
  (*((void (__fastcall **)(Human *))m->_vptr_Human + 1))(m);
  v4 = m;
  if ( m )
  {
    Human::~Human(m);
    operator delete(v4);
  }
  return 0;
}
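In the Functions name window, press Ctrl+F and search for Human, which turns up give_flag.
It shows that the flag is XORed, so trace flag directly to get its value (the value after the XOR).
With that value in hand, this becomes a very simple XOR problem: write a script to recover the real flag.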
exp:
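# Bytes of the XORed flag as copied from IDA ('h' marks a hex literal)
s = '44h, 59h, 59h, 49h, 5Eh, 4Ch, 71h, 7Eh, 62h, 63h, 79h, 55h, 63h, 79h, 55h, 44h, 43h, 59h, 4Bh, 55h, 78h, 6Fh, 55h, 79h, 63h, 6Dh, 64h, 77'
# Splitting on 'h, ' strips the suffix; the last item has no suffix to strip
value = s.split('h, ')
value = [int(i, 16) for i in value]
# XOR every byte with 0xA to undo the encoding
for i in value:
    print(chr(i ^ 0xA), end='')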
flag:NSSCTF{this_is_NISA_re_sign}
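As an added example (not part of the original write-up), the same decoding can be done without reading the key out of give_flag: it recovers the single-byte XOR key from a known flag prefix and goes slightly beyond the script above by accepting several hex notations. The function names are hypothetical, the NSSCTF{ prefix is assumed from the flag format shown above, and a bare token such as the trailing 77 is assumed to be hex.

```python
import re

# Bytes copied from the write-up's script (IDA listing, 'h' = hex suffix).
IDA_LISTING = ('44h, 59h, 59h, 49h, 5Eh, 4Ch, 71h, 7Eh, 62h, 63h, 79h, 55h, '
               '63h, 79h, 55h, 44h, 43h, 59h, 4Bh, 55h, 78h, 6Fh, 55h, 79h, '
               '63h, 6Dh, 64h, 77')


def parse_ida_bytes(listing):
    """Parse byte literals written as '44h', '0Ah', '0x44' or bare '77'."""
    out = []
    for tok in re.split(r'[,\s]+', listing.strip()):
        if not tok:
            continue
        t = tok.lower()
        if t.startswith('0x'):
            t = t[2:]
        elif t.endswith('h'):
            t = t[:-1]
        value = int(t, 16)  # ValueError on a malformed token
        if value > 0xFF:
            raise ValueError('not a byte: %r' % tok)
        out.append(value)
    return bytes(out)


def recover_key(cipher, known_prefix):
    """Return the single-byte XOR key implied by a known plaintext prefix,
    or None when the prefix bytes do not all agree on one key."""
    if not known_prefix or len(cipher) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(cipher, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


def decode(listing, known_prefix=b'NSSCTF{'):
    """Return (key, plaintext) for a single-byte-XOR encoded listing."""
    cipher = parse_ida_bytes(listing)
    key = recover_key(cipher, known_prefix)
    if key is None:
        raise ValueError('not a single-byte XOR of the expected prefix')
    return key, bytes(b ^ key for b in cipher).decode('ascii')


if __name__ == '__main__':
    key, flag = decode(IDA_LISTING)
    print(hex(key), flag)
```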