getit
查看一下,ELF文件,64位
拉入64位ida,找到main函数,F5查看伪代码
// Decompiled body of main() as shown by IDA/Hex-Rays; the prologue and local
// declarations (s, t, u, p, v5, v3, i, stream, filename) are outside this view.
// Load of the stack-protector canary (fs:0x28) — IDA's usual rendering, no logic.
v9 = __readfsqword(0x28u);
// First loop: walk the hard-coded string s and build t from it.
LODWORD(v5) = 0;
// NOTE: signed index compared against size_t strlen() result — fine while v5 >= 0.
while ( (signed int)v5 < strlen(s) )
{
// Offset alternates by index parity: odd index -> +1, even index -> -1.
if ( v5 & 1 )
v3 = 1;
else
v3 = -1;
// Each transformed byte lands in t, 10 bytes past its start.
*(&t + (signed int)v5 + 10) = s[(signed int)v5] + v3;
LODWORD(v5) = v5 + 1;
}
// Second part: the transformed buffer is written to a temp file and then unlinked.
strcpy(filename, "/tmp/flag.txt");
// fopen() result is used unchecked; a NULL stream here would be dereferenced below.
stream = fopen(filename, "w");
// Trailing v5 is an extra vararg the "%s\n" format never consumes (decompiler artefact
// or leftover in the binary — harmless to the output).
fprintf(stream, "%s\n", u, v5);
// For each position in p: seek to p[i], write one byte of t there, then rewind and
// rewrite u over the start of the file — so the t bytes only ever exist on disk briefly.
for ( i = 0; i < strlen(&t); ++i )
{
fseek(stream, p[i], 0);
fputc(*(&t + p[i]), stream);
fseek(stream, 0LL, 0);
fprintf(stream, "%s\n", u);
}
fclose(stream);
// remove() only unlinks the path; the flag bytes were still written to /tmp at some
// point, which is why the reversing approach is to recompute t from s rather than
// to look for the file.
remove(filename);
return 0;
整体意思就是把结果写进文件/tmp/flag.txt,之后再把文件移除,下图是char s,t
要找的一定是???的区域,那么t就是flag
写脚本
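# The char s array recovered from the binary.
s = 'c61b68366edeb7bdce3c6820314b7498'


def decode(cipher):
    """Replicate the binary's first loop and rebuild ``t`` from ``s``.

    The decompiled loop stores ``s[i] + v3`` into ``t``, where ``v3`` is
    ``+1`` for odd ``i`` and ``-1`` for even ``i``.  Applying the same
    per-index offset to the recovered string therefore yields the flag.

    Args:
        cipher: the string read out of the ``char s`` array.

    Returns:
        The transformed string; an empty input gives ``''``.
    """
    return ''.join(
        chr(ord(ch) + (1 if idx & 1 else -1)) for idx, ch in enumerate(cipher)
    )


flag = decode(s)
print(flag)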
得到b70c59275fcfa8aebf2d5911223c6589