[ctf.show.reverse] re3

逻辑很简单,但如果用 Python 复现,由于 Python 的整数没有长度限制(不会像 C 那样按固定位宽截断),直接照搬会有些问题需要处理,所以改用 gdb 跟一下。

  /* Decompiler output, excerpt of the key check. Six constant words plus one
   * word parsed from the user's input are summed with the carry above bit 15
   * folded back into the low 16 bits; the key is accepted when the folded
   * sum equals 0xFFFF. Declarations of s, dest, v19 and the vN locals are
   * not part of this excerpt. */
  v7 = 0x50;
  v8 = 0xFAE3;
  v9 = 0xD7D3F7B;
  v10 = 0xA43499F6;
  v11 = 5;
  v12 = 0x10;
  v13 = 0xEF9;
  v5 = 0;
  puts("plz input the key:");
  // NOTE(review): "%s" carries no field width, so the read is not bounded by
  // the size of s (the buffer size is not shown in this excerpt).
  __isoc99_scanf("%s", s);
  v3 = strlen(s);
  // The count v3 - 6 drops the 5 characters of "flag{" and the closing "}".
  // v19 presumably points just past "flag{" inside s -- confirm against the
  // stack layout. NOTE(review): the length is not validated; an input shorter
  // than 6 characters makes v3 - 6 negative, which strncpy receives as a very
  // large size_t count, and the index on the following line leaves dest too.
  strncpy(dest, v19, v3 - 6);                   // strip "flag{"
  dest[strlen(s) - 6] = 0;
  // Parse the text between the braces as hexadecimal into v5.
  __isoc99_sscanf(dest, "%x", &v5);
  v17[0] = v7;
  v17[1] = v8;
  v17[2] = v9;
  v17[3] = v10;
  // With the constants above this is (5 << 12) + 0x10 = 0x5010.
  v17[4] = (v11 << 12) + v12;
  v17[5] = v13;
  // The only word that depends on the input.
  v17[6] = v5;
  v16 = 0LL;
  for ( i = 0; i <= 6; ++i )
  {
    // Add the next word, then fold while the sum exceeds 16 bits: the loop
    // body captures the high part in v15 and the step expression replaces
    // v16 with (high part + low 16 bits). v14 is assigned but not read in
    // this excerpt.
    for ( v16 += (unsigned int)v17[i]; v16 > 0xFFFF; v16 = v15 + (unsigned int)(unsigned __int16)v16 )
    {
      v14 = (unsigned __int16)v16;
      v15 = v16 >> 16;
    }
  }
  // Success only when the folded sum is exactly 0xFFFF.
  if ( v16 == 0xFFFF )
    puts("OK");
  else
    puts("Error");   // the breakpoint is set here

在 puts("Error") 处下断点,输入 flag{0000},然后查看 v16 的值。由于输入的是 0,v17[6] 对累加和没有贡献,循环退出时得到的 v16 与 0xffff 的差就是 flag 的值(前提是 v16 加上这个差值后不超过 0xffff、不会触发进位折叠,所以可以直接相减)。

shi@ubuntu:~/xctf$ gdb ./r3
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./r3...
(No debugging symbols found in ./r3)
gdb-peda$ r
Starting program: /home/shi/xctf/r3 
plz input the key:
^C
Program received signal SIGINT, Interrupt.
......
gdb-peda$ vmmap
Start              End                Perm	Name
0x0000555555554000 0x0000555555555000 r-xp	/home/shi/xctf/r3
0x0000555555754000 0x0000555555755000 r--p	/home/shi/xctf/r3
0x0000555555755000 0x0000555555756000 rw-p	/home/shi/xctf/r3
......
gdb-peda$ b *0x00005555555549fc
Breakpoint 1 at 0x5555555549fc
gdb-peda$ r
Starting program: /home/shi/xctf/r3 
plz input the key:
flag{0000}
......
gdb-peda$ x/wx $rsp+0x38
0x7fffffffdee8:	0x0000e560
gdb-peda$ p 0xffff-0x0000e560
$1 = 0x1a9f
gdb-peda$ 

#flag{1a9f}
