I originally thought this kind of challenge was rare; it turns out I simply have not done enough of them.
IDA almost grinds to a halt because there are far too many functions. Looking at the GOT shows that only putc (_putchar in the listing) is ever called. Following the cross-references upward reveals just two kinds of functions: one (the lower one in the listing) only makes a direct call, the other (the upper one) calls putc first and then makes the call. So when the whole program runs it is call... call... call..., printing one character of the flag along the way. The functions jump all over the place, so even if you know which characters appear you cannot put them in order; they have to be processed in call order.
.text:000000000041B90B sub_41B90B proc near ; CODE XREF: sub_2BCB2D2+10↓p
.text:000000000041B90B push rbp
.text:000000000041B90C mov rbp, rsp
.text:000000000041B90F sub rsp, 0
.text:000000000041B916 mov eax, 39h ; '9'
.text:000000000041B91B mov rdi, rax
.text:000000000041B91E call _putchar
.text:000000000041B923 mov eax, 0
.text:000000000041B928 call sub_10BC20A
.text:000000000041B92D leave
.text:000000000041B92E retn
.text:000000000041B92E sub_41B90B endp
.text:000000000041B92E
.text:000000000041B92F
.text:000000000041B92F ; =============== S U B R O U T I N E =======================================
.text:000000000041B92F
.text:000000000041B92F ; Attributes: bp-based frame
.text:000000000041B92F
.text:000000000041B92F sub_41B92F proc near ; CODE XREF: sub_228AF75+10↓p
.text:000000000041B92F push rbp
.text:000000000041B930 mov rbp, rsp
.text:000000000041B933 sub rsp, 0
.text:000000000041B93A mov eax, 0
.text:000000000041B93F call sub_4FE27E
.text:000000000041B944 leave
.text:000000000041B945 retn
.text:000000000041B945 sub_41B92F endp
A small script does the work: it walks the file by the byte size of each instruction and follows the calls from one function to the next.
from pwn import u32
data = open('RUN_THE_ELF', 'rb').read()

def getc():
    global ptr, flag
    ptr += 1+3+7+1  # push rbp; mov rbp,rsp; sub rsp,0; B8 opcode -> ptr now at imm32 of mov eax, xxxx
    mov_eax = u32(data[ptr: ptr+4])
    if mov_eax == 0:
        ptr += 4+1  # plain function: skip imm32 and the E8 opcode of call xxxx
    else:
        flag += chr(mov_eax)  # mov eax, 'c' is the putchar argument
        print(flag)
        ptr += 4+3+5+5+1  # imm32; mov rdi,rax; call _putchar; mov eax,0; E8 opcode
    call = u32(data[ptr: ptr+4])  # rel32 of call xxxx
    if call & 0x80000000 != 0:  # sign-extend: the next function may lie before this one
        call -= 0x100000000
    #print('call', hex(ptr+call+4))
    ptr += call+4  # file offset of the next function in the chain

ptr = 0x3c1  # file offset of the first function in the chain
flag = ''
try:
    while True:  # the chain ends when the walk runs off the end of the file
        getc()
except Exception:
    pass
#flag{Just_A_Straight_IN_Program_5853e2fe-52c9-469b-85d2-8ddcff9b0faf}
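As an added example (not the author's script), here is a self-contained version of the same walker: it first builds a constructed byte string containing functions in the two shapes from the listing, laid out so that calls go both forwards and backwards, and then follows the chain using the same instruction sizes the script relies on, stopping as soon as a call target does not start with the known prologue. build_chain, walk and the bare ret stub at offset 0 are assumptions of this example.

```python
import struct

# Fixed instruction bytes of the two function shapes in the listing above.
PROLOGUE = bytes.fromhex("55" "4889e5" "4881ec00000000")  # push rbp; mov rbp,rsp; sub rsp,0
MOV_RDI_RAX = bytes.fromhex("4889c7")
EPILOGUE = bytes.fromhex("c9c3")                           # leave; retn

def rel32(insn_end, target):
    """Displacement of an E8 call: target minus the offset just after the call."""
    return struct.pack("<i", target - insn_end)

def build_chain(text):
    """Constructed sample: a putchar function per character, each followed by a plain
    hop function, laid out in scrambled order so calls go both forwards and backwards.
    Offset 0 holds a bare ret that stands in for putchar and ends the chain."""
    nodes = [v for ch in text for v in (ord(ch), 0)]
    n = len(nodes)
    layout = list(range(1, n, 2)) + list(range(0, n, 2))[::-1]  # a permutation of 0..n-1
    off, cur = {}, 1
    for i in layout:
        off[i], cur = cur, cur + (36 if nodes[i] else 23)
    out = bytearray(b"\xc3")
    for i in layout:
        nxt = off[i + 1] if i + 1 < n else 0
        f = bytearray(PROLOGUE) + b"\xb8" + struct.pack("<I", nodes[i])  # mov eax, imm32
        if nodes[i]:
            f += MOV_RDI_RAX
            f += b"\xe8" + rel32(off[i] + len(f) + 5, 0)   # call putchar (stub at 0)
            f += b"\xb8" + struct.pack("<I", 0)            # mov eax, 0
        f += b"\xe8" + rel32(off[i] + len(f) + 5, nxt)     # call next function in chain
        out += f + EPILOGUE
    return bytes(out), off[0]

def walk(data, entry):
    """Follow the call chain from a file offset, collecting each putchar argument.
    Stops when the target is not one of the two known shapes instead of crashing."""
    ptr, flag = entry, ""
    while data[ptr:ptr + len(PROLOGUE)] == PROLOGUE:
        ptr += len(PROLOGUE) + 1                          # now at imm32 of mov eax, imm32
        imm = struct.unpack_from("<I", data, ptr)[0]
        if imm == 0:
            ptr += 4 + 1                                  # imm32, E8 opcode
        else:
            flag += chr(imm)
            ptr += 4 + 3 + 5 + 5 + 1                      # imm32, mov rdi,rax, call, mov eax,0, E8
        rel = struct.unpack_from("<i", data, ptr)[0]      # signed, so no manual sign fix
        ptr += 4 + rel                                    # end of the call insn + displacement
    return flag
```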