go 写的题。个人很讨厌 Go 语言,因为二进制全部静态编译,而且符号被删掉了。说是为了在不同平台/版本上兼容,实际上如果有 bug 的话会很难处理。
连程序起点在哪都不知道,只能先从 hex 里搜 flag 之类的字符串。
00000000004CEE90: .rodata:00000000004CEE90 (ea at start-of-line=4CEE90) 66 6C 61 67 20 79 6F 75 20 69 6E 70 75 74 20 69 flag you input i
然后找引用它的位置(注意这并不是字符串的起点,要先往前找到字符串真正的起点)
.rodata:00000000004CEE7D unk_4CEE7D Congratulation the flag you input is correct
再往上找引用这个字符串的地方
.rodata:00000000004E1140 off_4E1140 dq offset unk_4CEE7D
.text:0000000000495393 loc_495393: ; CODE XREF: sub_495150+1CC↑j
.text:0000000000495393 mov [rsp+100h+var_100], rdx
.text:0000000000495397 mov [rsp+100h+var_F8], rcx
.text:000000000049539C mov [rsp+100h+var_F0], rbx
.text:00000000004953A1 call sub_4023F0
.text:00000000004953A6 cmp byte ptr [rsp+100h+var_E8], 0
.text:00000000004953AB jz loc_49531E
.text:00000000004953B1 xorps xmm0, xmm0
.text:00000000004953B4 movups [rsp+100h+var_48], xmm0
.text:00000000004953BC lea rax, unk_4A6D00
.text:00000000004953C3 mov qword ptr [rsp+100h+var_48], rax
.text:00000000004953CB lea rax, off_4E1140 <-----引用在这里
.text:00000000004953D2 mov qword ptr [rsp+100h+var_48+8], rax
.text:00000000004953DA nop
.text:00000000004953DB mov rax, cs:qword_572B18
.text:00000000004953E2 lea rcx, off_4E28A0
.text:00000000004953E9 mov [rsp+100h+var_100], rcx
.text:00000000004953ED mov [rsp+100h+var_F8], rax
.text:00000000004953F2 lea rax, [rsp+100h+var_48]
.text:00000000004953FA mov [rsp+100h+var_F0], rax
.text:00000000004953FF mov [rsp+100h+var_E8], 1
.text:0000000000495408 mov [rsp+100h+var_E0], 1
.text:0000000000495411 call sub_4886B0
.text:0000000000495416 jmp loc_495383
这是输出“正确”信息的部分,再向前找判断对错的部分
.text:000000000049530D loc_49530D: ; CODE XREF: sub_495150+36A↓j
.text:000000000049530D mov rax, [rsp+100h+var_60]
.text:0000000000495315 mov rcx, [rax]
.text:0000000000495318 cmp [rax+8], rbx <------在这里判断对错,然后跳转
.text:000000000049531C jz short loc_495393
.text:000000000049531E
.text:000000000049531E loc_49531E: ; CODE XREF: sub_495150+25B↓j
.text:000000000049531E xorps xmm0, xmm0
.text:0000000000495321 movups [rsp+100h+var_58], xmm0
.text:0000000000495329 lea rax, unk_4A6D00
.text:0000000000495330 mov qword ptr [rsp+100h+var_58], rax
.text:0000000000495338 lea rax, off_4E1150
.text:000000000049533F mov qword ptr [rsp+100h+var_58+8], rax
.text:0000000000495347 nop
.text:0000000000495348 mov rax, cs:qword_572B18
.text:000000000049534F lea rcx, off_4E28A0
.text:0000000000495356 mov [rsp+100h+var_100], rcx
.text:000000000049535A mov [rsp+100h+var_F8], rax
.text:000000000049535F lea rax, [rsp+100h+var_58]
.text:0000000000495367 mov [rsp+100h+var_F0], rax
.text:000000000049536C mov [rsp+100h+var_E8], 1
.text:0000000000495375 mov [rsp+100h+var_E0], 1
.text:000000000049537E call sub_4886B0
.text:0000000000495383
.text:0000000000495383 loc_495383: ; CODE XREF: sub_495150+2C6↓j
.text:0000000000495383 mov rbp, [rsp+100h+var_8]
.text:000000000049538B add rsp, 100h
.text:0000000000495392 retn
.text:0000000000495393 ; ---------------------------------------------------------------------------
.text:0000000000495393
.text:0000000000495393 loc_495393: ; CODE XREF: sub_495150+1CC↑j
在 495318 下断点,随便输入一个值,然后观察断点处的寄存器。`cmp [rax+8], rbx` 比较的应该是 Go 字符串头里的长度字段(RAX 指向的结构第一个 qword 是输入串的指针,RBX = 0x2a = 42 正好是 flag 的长度),而此时正确的 flag 本身已经以明文形式留在 RDX/RSI/R12 中,直接就能读到。
[----------------------------------registers-----------------------------------]
RAX: 0xc0000641d0 --> 0xc000080030 ("flag{1234}")
RBX: 0x2a ('*')
RCX: 0xc000080030 ("flag{1234}")
RDX: 0xc00007c060 ("flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}")
RSI: 0xc00007c060 ("flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}")
RDI: 0x38 ('8')
RBP: 0xc000074f88 --> 0xc000074f90 --> 0x429b1c (mov eax,DWORD PTR [rip+0x16478e] # 0x58e2b0)
RSP: 0xc000074e90 --> 0xc000078580 ("6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345", '\377' <repeats 45 times>, "\005\377\377:;<=>?")
RIP: 0x495318 (cmp QWORD PTR [rax+0x8],rbx)
R8 : 0x0
R9 : 0x0
R10: 0x2a ('*')
R11: 0x2a ('*')
R12: 0xc00007c060 ("flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}")
R13: 0xc000078580 ("6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345", '\377' <repeats 45 times>, "\005\377\377:;<=>?")
R14: 0x2a ('*')
R15: 0x40 ('@')
#flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}