用 IDA 打开,发现程序是加壳的,所以需要先脱壳(这里我用的是 Kali 自带的 upx 工具脱壳)
因为找不到程序入口,所以先搜索与 flag 相关的关键词
最终找到关键函数sub_400E28
// Flag-check routine as decompiled by IDA (after the UPX unpack described
// above). Prompts for input, hands the 32-byte zeroed local region starting
// at v4 to sub_4009AE, and prints "Correct!" or "Wrong!" depending on its
// result. Always returns 0, so the return value carries no information.
__int64 sub_400E28()
{
const char *v0; // rdi  -- message selected by the branch below; also ends up as the first argument of sub_443550
__int64 result; // rax
__int64 v2; // rdx
unsigned __int64 v3; // rt1
// v4..v7 are four adjacent 8-byte slots at [rbp-30h]..[rbp-18h]: together a
// 32-byte, zero-initialised region whose start (&v4) is what the checker receives.
__int64 v4; // [rsp+0h] [rbp-30h]
__int64 v5; // [rsp+8h] [rbp-28h]
__int64 v6; // [rsp+10h] [rbp-20h]
__int64 v7; // [rsp+18h] [rbp-18h]
unsigned __int64 v8; // [rsp+28h] [rbp-8h]
// fs:0x28 is read once here and again before return; this has the shape of a
// stack-protector canary (TLS guard value) -- presumably, confirm in the disassembly.
v8 = __readfsqword(0x28u);
v4 = 0LL;
v5 = 0LL;
v6 = 0LL;
v7 = 0LL;
sub_40F950((unsigned __int64)"input your flag:");
// Only the "%s" format is visible; the decompiler dropped the destination
// argument. NOTE(review): if it is &v4, this is an unbounded read into a
// 32-byte buffer, and the guard comparison below is what would detect an overrun.
sub_40FA80((unsigned __int64)"%s");
// sub_4009AE receives the same pointer twice; a non-zero result means the input is accepted.
if ( (unsigned int)sub_4009AE(&v4, &v4) )
{
v0 = "Correct!";
sub_410350("Correct!");
}
else
{
v0 = "Wrong!";
sub_410350("Wrong!");
}
result = 0LL;
// Epilogue: re-read the guard and compare with the saved copy. sub_443550 is
// reached only on mismatch, so it is presumably __stack_chk_fail; its arguments
// are likely just leftover register contents rather than real parameters -- TODO confirm.
v3 = __readfsqword(0x28u);
v2 = v3 ^ v8;
if ( v3 != v8 )
sub_443550(v0, &v4, v2);
return result;
}
可以看出获取flag需要这个if为真
if ( (unsigned int)sub_4009AE(&v4, &v4) )
{
v0 = "Correct!"