elf文件,ida分析,定位到main函数
开始判断开头四个字符为actf{
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
// IDA pseudocode of main(): reads a candidate flag into s, checks that it
// starts with "actf{", then passes the whole buffer to sub_78A for the
// real check. The prefix test depends on the exact stack layout shown in
// the rbp offsets below (the copied prefix and its terminator span v4/v5).
__int64 result; // rax
__int64 v4; // [rsp+0h] [rbp-40h]  -- low dword is the loop counter; bytes 4..7 receive s[0..3]
char v5; // [rsp+9h] [rbp-37h]  -- set to 0 below: NUL terminator right after the copied prefix
char s2[4]; // [rsp+Ah] [rbp-36h]  -- receives "actf{" plus NUL (6 bytes, i.e. past the declared 4; lands in the gap before s)
char s[40]; // [rsp+10h] [rbp-30h]  -- user input
unsigned __int64 v8; // [rsp+38h] [rbp-8h]  -- stack-protector canary (fs:0x28); the matching check before return is not shown in this listing
v8 = __readfsqword(0x28u);
memset(s, 0, 0x19uLL); // zero only the first 0x19 (25) bytes of s
printf("Tell me the flag:", 0LL);
scanf("%s", s); // input point: "%s" has no field width, so input longer than s overruns the stack buffer
strcpy(s2, "actf{"); // expected prefix ("first four characters" in the original note; the literal "actf{" is five bytes)
LODWORD(v4) = 0; // loop counter stored in the low 32 bits of v4
while ( (signed int)v4 <= 4 ) // five iterations: copies s[0..4]
{
*((_BYTE *)&v4 + (signed int)v4 + 4) = s[(signed int)v4];// v4[4] = s[0]
// v4[5] = s[1]
// v4[6] = s[2]
// v4[7] = s[3]
// byte at (&v4)+8 = s[4]  (rbp-38h, directly below v5)
LODWORD(v4) = v4 + 1;
}
v5 = 0; // terminates the 5-byte copy so strcmp stops at rbp-37h
if ( !strcmp((const char *)&v4 + 4, s2) ) // prefix check: the copied bytes must equal "actf{"
{
if ( (unsigned __int8)sub_78A((__int64)s) ) // key routine: validates the rest of the flag; its body follows this listing
printf("That's True Flag!", s2, v4);
else
printf("don't stop trying...", s2, v4);
result = 0LL;
}
else
{
printf("Format false!", s2, v4);
result = 0LL; // same exit status on both paths; only the message differs
}
return result;
}
进入关键函数分析算法
发现是个迷宫算法
_BOOL8 __fastcall sub_78A(__int64 a1)
{
int v2; // [rsp+Ch] [rbp-Ch]
signed int v3; // [rsp+10h] [rbp-8h]
signed int v4; // [rsp+14h] [rbp-4h]
v2 = 0;
v3 = 5;
v4 = 0