一、二进制文件
二、IDA分析
// IDA notice kept from the decompiler: local variable allocation has failed,
// so the typed locals below may not match the real stack layout.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int lucky_number; // [rsp+14h] [rbp-Ch]
  unsigned __int64 stack_cookie; // [rsp+18h] [rbp-8h]

  // Stack-protector value read from fs:0x28; the epilogue check is not shown
  // in this pseudocode.
  stack_cookie = __readfsqword(0x28u);
  welcome(*(_QWORD *)&argc, argv, envp);
  puts("_________________");
  puts("try to patch me and find flag");

  // Pre-set to 0 and the scanf result is never checked: input that does not
  // parse as an integer leaves 0 here, which patch_me() treats as even.
  lucky_number = 0;
  puts("please input a lucky number");
  __isoc99_scanf("%d", &lucky_number);

  // Key function: decides whether get_flag() is reached at all.
  patch_me(lucky_number);
  puts("OK,see you again");
  return 0;
}
进入关键函数
// Gate in front of get_flag(): the "just finished" branch is taken only when
// a1 % 2 == 1. C's % truncates toward zero, so a negative odd a1 yields -1;
// every even value and every negative odd value therefore reaches get_flag().
int __fastcall patch_me(int a1)
{
  if ( a1 % 2 == 1 )
    return puts("just finished");

  // Key function: assembles and, with luck, prints the flag.
  return get_flag();
}
进入关键函数
// Runs five rounds of a time-seeded rand() % 200 dispatch. The flag only comes
// out right when the rounds happen to hit case 4 (load f2), then case 5
// (transform f2), then case 1 (print f1 + f2) in that order, which is why the
// write-up reconstructs it statically instead of running the binary.
unsigned __int64 get_flag()
{
  signed int round; // [rsp+4h] [rbp-3Ch]
  signed int idx; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h]
  char s_nul; // [rsp+18h] [rbp-28h]
  unsigned __int64 stack_cookie; // [rsp+38h] [rbp-8h]

  stack_cookie = __readfsqword(0x28u);

  // Seed is the current time, so the case sequence differs from run to run.
  srand(time(0LL));

  for ( round = 0; round <= 4; ++round )
  {
    switch ( rand() % 200 )
    {
      case 1:
        puts("OK, it's flag:");
        // 0x28 bytes starting at rbp-30h end exactly at the cookie slot
        // (rbp-8h): `s` and `s_nul` are really one 40-byte char buffer that
        // IDA split into two locals.
        // NOTE(review): the sizes of f1 and f2 are not visible here; both
        // strcat calls rely on f1 + f2 fitting in those 40 bytes.
        memset(&s, 0, 0x28uLL);
        strcat((char *)&s, f1);
        strcat((char *)&s, &f2);
        printf("%s", &s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4:
        // Byte 8 of the buffer, i.e. the NUL that terminates the string
        // stored just below it.
        s_nul = 0;
        // IDA prints the 64-bit immediate most-significant byte first; in
        // little-endian memory the bytes read back reversed ("icug`of...").
        // NOTE(review): only seven characters are visible here, yet case 5
        // rewrites eight bytes and the published flag ends in '}'. That
        // implies a non-printable 0x7F top byte was lost when the listing
        // was pasted; confirm against the binary.
        s = 'fo`guci';
        // Appends rather than assigns: each extra hit on case 4 makes f2
        // longer. f2's capacity is declared outside this listing.
        strcat(&f2, (const char *)&s);
        break;
      case 5:
        // First eight bytes of f2: odd offsets lose 2, even offsets lose 1.
        for ( idx = 0; idx <= 7; ++idx )
          *(&f2 + idx) -= ( idx % 2 == 1 ) ? 2 : 1;
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return __readfsqword(0x28u) ^ stack_cookie;
}
简单分析 flag=f1+f2
f1的值为 'GXY{do_not_'（见下方解题脚本）
f2的值 为
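在 case 4 中，程序用 strcat 把 s 追加到 f2（f2 此前为空时相当于 f2=s）
在 case 5 中，对 f2 的前 8 个字节逐字节变换：奇数下标减 2，偶数下标减 1；因此只有依次经过 case 4、case 5、case 1 才会输出正确的 flag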
解题脚本如下:
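# Static reconstruction of the flag that get_flag() prints only when its
# random rounds hit case 4, then case 5, then case 1.

# First half of the flag, stored in the binary as f1.
f1 = 'GXY{do_not_'

# Constant loaded in case 4, written the way IDA shows it (most significant
# byte first). The listing shows only 'fo`guci' (7 characters), but case 5
# rewrites 8 bytes, so indexing the 7-character string with range(8) raises
# IndexError. The missing top byte is recovered from the published flag: its
# last character '}' (0x7d) sits at odd index 7, where case 5 subtracts 2, so
# the stored byte is 0x7f (DEL, non-printable, presumably lost in the paste).
s0 = '\x7ffo`guci'

# Little-endian storage: the bytes sit in memory in reverse order.
s = s0[::-1]
print(repr(s))  # repr() keeps the non-printable 0x7f byte visible

# Case 5 transform: odd offsets lose 2, even offsets lose 1.
key = "".join(
    chr(ord(ch) - (2 if pos % 2 == 1 else 1))
    for pos, ch in enumerate(s)
)

flag = f1 + key
print(flag)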
三、flag
GXY{do_not_hate_me}