1.查壳
64位ELF文件
2.拖入IDA
找到main函数,反编译
int __cdecl main(int argc, const char **argv, const char **envp)
{
/* IDA decompiler output. s, t, u and p are globals from the binary's data
 * section; only s and t are resolved on this page (see the comments below). */
char v3; // al            -- per-character delta: +1 or -1
__int64 v5; // [rsp+0h] [rbp-40h]   -- loop counter; only its low dword is ever written
int i; // [rsp+4h] [rbp-3Ch]
FILE *stream; // [rsp+8h] [rbp-38h]
char filename[8]; // [rsp+10h] [rbp-30h]   -- IDA's size guess; the slot runs up to rbp-18h (24 bytes)
unsigned __int64 v9; // [rsp+28h] [rbp-18h]   -- stack-protector canary copy
v9 = __readfsqword(40u);   // reads the canary from fs:0x28 (glibc stack protector), unrelated to the flag
LODWORD(v5) = 0;
/* Key loop: builds the flag in place. For each byte of s, add +1 when the
 * index is odd and -1 when it is even, then store it at t[index + 10], i.e.
 * into the '?' placeholders that follow "SharifCTF{". */
while ( (signed int)v5 < strlen(s) )
{
if ( v5 & 1 )
v3 = 1;
else
v3 = -1;
*(&t + (signed int)v5 + 10) = s[(signed int)v5] + v3;// s='c61b68366edeb7bdce3c6820314b7498'
LODWORD(v5) = v5 + 1; // t=SharifCTF{????????????????????????????????}
}
/* Everything below only writes the result to a fixed path under /tmp and
 * deletes it again; t is not modified. Using a fixed, predictable /tmp
 * path means the flag file is visible to other local users for the window
 * between fopen() and remove() — the classic insecure-temp-file pattern
 * (mkstemp() or not touching disk at all would avoid it). */
strcpy(filename, "/tmp/flag.txt");   // 14 bytes incl. NUL; fits the 24-byte stack slot noted above
stream = fopen(filename, "w");   // return value is not checked before use
fprintf(stream, "%s\n", u, v5);   // u is a global not shown on this page; the extra v5 argument is a decompiler artifact, "%s\n" consumes only u
/* Scatter loop: for each i, seek to offset p[i], write the single byte
 * t[p[i]], rewind, and rewrite u over the start of the file. p is an index
 * array not resolved on this page; as the writeup says, it can be skipped. */
for ( i = 0; i < strlen(&t); ++i )
{
fseek(stream, p[i], 0);
fputc(*(&t + p[i]), stream);
fseek(stream, 0LL, 0);
fprintf(stream, "%s\n", u);
}
fclose(stream);
remove(filename);   // the flag file exists only transiently
return 0;
}
这些代码里面,从
strcpy(filename, "/tmp/flag.txt");
开始就只是把结果写到flag.txt再删掉,并不会改变t的值,所以这一段没必要看
再看上面的代码
/* Excerpt of the key loop from main() above: v5 is the index into s and
 * v3 the per-character delta applied before storing into t. */
while ( (signed int)v5 < strlen(s) )
{
if ( v5 & 1 )   // odd index -> +1
v3 = 1;
else   // even index -> -1
v3 = -1;
*(&t + (signed int)v5 + 10) = s[(signed int)v5] + v3;   // t[v5 + 10] = s[v5] + v3; 10 == strlen("SharifCTF{")
LODWORD(v5) = v5 + 1;
}
while循环里的这一块代码才是关键代码,对t赋值,t的值来源于s
双击t和s,找到它们的值
要注意,t不仅仅是harifCTF{???},它前面还有一个字节53h,转换成字符也就是'S',所以t应该是SharifCTF{????????????????????????????????}
同样的,s也是一个字符串
s='c61b68366edeb7bdce3c6820314b7498'
找完常量之后,剩下的就很简单了,只需要照搬while循环中的代码就可以得出flag了
用C语言写出来如下
#include <stdio.h>
#include <string.h>
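/*
 * Re-implementation of the binary's key loop (see the IDA listing above).
 *
 * s is the 32-byte source string and t the flag template, both recovered
 * from the binary's data section. Each byte of s, shifted by -1 at even
 * indices and +1 at odd indices, is written into the '?' placeholders of t,
 * which start right after "SharifCTF{" (offset 10).
 *
 * Returns 0 and prints the completed t; returns 1 without printing if s
 * would not fit inside t's placeholder region.
 */
int main(void)
{
    char s[] = "c61b68366edeb7bdce3c6820314b7498";
    char t[] = "SharifCTF{????????????????????????????????}";
    const size_t placeholder_off = 10;   /* strlen("SharifCTF{") */
    const size_t s_len = strlen(s);      /* hoisted: strlen is O(n) per call */
    const size_t t_len = strlen(t);

    /* Bounds guard: the original indexes t[v5 + 10] unchecked. Keep the
     * closing '}' (index t_len - 1) and the terminator intact if someone
     * edits s or t to different lengths. */
    if (placeholder_off + s_len >= t_len) {
        fprintf(stderr, "source string does not fit in template\n");
        return 1;
    }

    /* size_t index avoids the signed/unsigned comparison of the original
     * int counter against strlen(). */
    for (size_t i = 0; i < s_len; i++) {
        int delta = (i & 1) ? 1 : -1;   /* odd index -> +1, even index -> -1 */
        t[placeholder_off + i] = (char)(s[i] + delta);
    }
    printf("%s", t);
    return 0;
}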
运行结果如图
得到flag