攻防世界 (XCTF Attack-Defense World) elrond32 write-up

Inspecting the file with exeinfope

[Screenshot: exeinfope analysis result]
The file turns out to be a 32-bit ELF executable, so load it into IDA32 to view the disassembly.

Analyzing the disassembly

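[Screenshot: IDA32 graph view of the main function]
First locate the main function and press F5 to view the pseudocode.
[Screenshot: pseudocode of main]
The "Access granted" string makes it clear that sub_8048538() is the function that prints the flag, so open it.
[Screenshot: code of sub_8048538]
The code shows that we need the values of the array a2. Back in main, a2 turns out to depend on sub_8048414(), so open that as well.
[Screenshot: code of sub_8048414()]
Analyze the function and write code that produces the a2 array: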

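#include <cstdio>

// Index -> expected character, read from sub_8048414()
int a1[20] = {105, 101, 0, 110, 100, 97, 103, 115, 0, 114, 0, 0};

int main()
{
    int a2[20], k = 0;
    // Follow the index sequence i -> 7*(i+1)%11, starting from 0
    for (int i = 0; ; i = 7 * (i + 1) % 11, k++) {
        a2[k] = a1[i];
        printf("*%d\n", i);                    // trace the visited index
        if (i == 2 || i == 8 || i > 9) break;  // stop indices (a1 is 0 there)
    }
    return 0;
}
--> a2 = {105, 115, 101, 110, 103, 97, 114, 100, 0}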

Continuing with sub_8048538(), we also need the values of the v2 array. From the code

qmemcpy(v2, &unk_8048760, sizeof(v2));

we know that v2 is 33 ints copied from unk_8048760.
Look at the values stored at unk_8048760:

An int occupies 4 bytes of memory, so the remaining 3 bytes of each value are filled with 0, which finally gives

int v2[33] = {
    0x0F, 0x1F, 0x04, 0x09, 0x1C, 0x12, 0x42, 0x09, 0x0C, 0x44, 0x0D,
    0x07, 0x09, 0x06, 0x2D, 0x37, 0x59, 0x1E, 0x00, 0x59, 0x0F, 0x08,
    0x1C, 0x23, 0x36, 0x07, 0x55, 0x02, 0x0C, 0x08, 0x41, 0x0A, 0x14};

Writing code to get the flag

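#include <cstdio>

// Index -> expected character, read from sub_8048414(); unlisted entries are 0
int a1[20] = {105, 101, 0, 110, 100, 97, 103, 115, 0, 114};

int main()
{
    int a2[20], k = 0;
    int v2[33] = {
        0x0F, 0x1F, 0x04, 0x09, 0x1C, 0x12, 0x42, 0x09, 0x0C, 0x44, 0x0D,
        0x07, 0x09, 0x06, 0x2D, 0x37, 0x59, 0x1E, 0x00, 0x59, 0x0F, 0x08,
        0x1C, 0x23, 0x36, 0x07, 0x55, 0x02, 0x0C, 0x08, 0x41, 0x0A, 0x14};
    // Rebuild a2 by following the index sequence i -> 7*(i+1)%11 from 0
    for (int i = 0; ; i = 7 * (i + 1) % 11, k++) {
        a2[k] = a1[i];
        if (i == 2 || i == 8 || i > 9) break;  // stop indices
    }
    // XOR every v2 value with the repeating 8-character a2
    for (int i = 0; i <= 32; ++i)
        putchar(v2[i] ^ a2[i % 8]);
    return 0;
}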
--> flag{s0me7hing_S0me7hinG_t0lki3n}
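The recovery above run in both directions, as an added example (not code from the original post and not the decompiler output): check_key is a hypothetical model of the validation, built only from the a1 table and the index recurrence on this page, and derive_key inverts it before the XOR decode. The names TABLE, V2, check_key, derive_key and decode_flag are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Index -> expected character, same values as the a1 table above;
   0 marks an index where the walk stops (2, 8 and anything above 9). */
static const char TABLE[12] = {'i','e',0,'n','d','a','g','s',0,'r',0,0};

/* v2 values copied from the write-up above. */
static const unsigned char V2[33] = {
    0x0F,0x1F,0x04,0x09,0x1C,0x12,0x42,0x09,0x0C,0x44,0x0D,
    0x07,0x09,0x06,0x2D,0x37,0x59,0x1E,0x00,0x59,0x0F,0x08,
    0x1C,0x23,0x36,0x07,0x55,0x02,0x0C,0x08,0x41,0x0A,0x14};

/* Hypothetical model of the check: each character must match the table
   entry for the current index until a stop index is reached. */
int check_key(const char *s, int idx) {
    if (idx > 9 || TABLE[idx] == 0) return 1;  /* stop index: accept */
    if (*s != TABLE[idx]) return 0;            /* mismatch, or string too short */
    return check_key(s + 1, 7 * (idx + 1) % 11);
}

/* Invert the check: walk the same index sequence and collect the characters. */
size_t derive_key(char *out, size_t cap) {
    size_t k = 0;
    for (int i = 0; i <= 9 && TABLE[i] != 0 && k + 1 < cap; i = 7 * (i + 1) % 11)
        out[k++] = TABLE[i];
    out[k] = '\0';
    return k;
}

/* XOR v2 with the repeating key (i % 8); key must hold at least 8 bytes. */
void decode_flag(const char *key, char *out) {
    for (int i = 0; i < 33; ++i)
        out[i] = (char)(V2[i] ^ (unsigned char)key[i % 8]);
    out[33] = '\0';
}

int main(void) {
    char key[16], flag[34];
    size_t n = derive_key(key, sizeof key);
    decode_flag(key, flag);
    printf("key=%s (len %zu) accepted=%d\n%s\n", key, n, check_key(key, 0), flag);
    return 0;
}
```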


Reposted from blog.csdn.net/steve95/article/details/108555386