Challenge address: https://buuoj.cn/challenges#Mysterious
The challenge attachment is an exe that asks for input when it runs; entering a few characters produces no response.
Open with Notepad to check whether the exe is 64-bit or 32-bit
PE...L...
This is the signature of a 32-bit exe. Open the file in IDA and press Shift+F12 to view the strings. Clicking the "well done" string leads to a string that looks like a flag.
Once you have found this address in the Functions window, press F5 to decompile it and see the pseudo-C code
/*
 * Decompiler pseudo-C for the window message handler that validates the
 * text typed into the dialog and, on a match, shows the flag.
 *
 * The four-argument shape matches a Win32 window/dialog procedure, so a2 is
 * presumably the message id, a3 the wParam and a4 the lParam (a4 is unused
 * here). NOTE(review): the decompiler did not recover those names; confirm
 * against the call site.
 *
 * Always returns 0.
 */
int __stdcall sub_401090(HWND hWnd, int a2, int a3, int a4)
{
// Target of _itoa() below; declared as a single char, but the gap up to Text
// (ebp-310h .. ebp-20Ch) is 0x104 bytes, so this is most likely a 260-byte
// buffer the decompiler did not size.
char v5; // [esp+50h] [ebp-310h]
// Text, v7, v8 and v9 are contiguous on the stack (ebp-20Ch .. ebp-108h,
// 5 + 0xFC + 2 + 1 = 260 bytes). They read as one 260-byte output buffer
// that the decompiler split; "CHAR Text[4]" is not the real size.
CHAR Text[4]; // [esp+154h] [ebp-20Ch]
char v7; // [esp+159h] [ebp-207h]
__int16 v8; // [esp+255h] [ebp-10Bh]
char v9; // [esp+257h] [ebp-109h]
int v10; // [esp+258h] [ebp-108h]
// String is the 260-byte input buffer (see memset/GetDlgItemTextA below).
// v12, v13 and v14 are not separate variables: by their stack offsets they
// are String[3], String[4] and String[5].
CHAR String; // [esp+25Ch] [ebp-104h]
char v12; // [esp+25Fh] [ebp-101h]
char v13; // [esp+260h] [ebp-100h]
char v14; // [esp+261h] [ebp-FFh]
// Clear the whole 0x104 (260) byte input buffer before use.
memset(&String, 0, 0x104u);
v10 = 0;
// 16 == 0x10, the value of WM_CLOSE: tear the window down and quit.
if ( a2 == 16 )
{
DestroyWindow(hWnd);
PostQuitMessage(0);
}
// 273 == 0x111, the value of WM_COMMAND.
else if ( a2 == 273 )
{
// a3 == 1000: presumably the id of the "check" button -- TODO confirm in
// the dialog resource.
if ( a3 == 1000 )
{
// Read the text of control 1002 into String. The 260 limit matches the
// buffer size, so this read is bounded.
GetDlgItemTextA(hWnd, 1002, &String, 260);
// Result discarded; looks like a decompiler artifact of the check below.
strlen(&String);
// Inputs longer than 6 characters terminate the process outright.
if ( strlen(&String) > 6 )
ExitProcess(0);
// atoi() parses the leading decimal digits and stops at the first other
// character, so the letters that follow the number do not affect v10.
v10 = atoi(&String) + 1;
// Needs atoi(input) == 122 and input[3..5] == 'x' (120), 'y' (121), 'z' (122).
// Note the order of the tests: v12, v14, v13.
if ( v10 == 123 && v12 == 120 && v14 == 122 && v13 == 121 )
{
// Writes 5 bytes ("flag" + NUL) into what is declared as Text[4]; this
// only stays in bounds because Text is really the 260-byte region
// described above. The same applies to every strcat() that follows.
strcpy(Text, "flag");
// Zero the rest of that region (v7, v8, v9 cover bytes 5..259 of Text).
memset(&v7, 0, 0xFCu);
v8 = 0;
v9 = 0;
// Render v10 (123 on this path) as decimal text into v5.
_itoa(v10, &v5, 10);
// Assemble "flag{" + v5 + "_" + "Buff3r_0v3rf|0w" + "}".
strcat(Text, "{");
strcat(Text, &v5);
strcat(Text, "_");
strcat(Text, "Buff3r_0v3rf|0w");
strcat(Text, "}");
MessageBoxA(0, Text, "well done", 0);
}
// Runs for every a3 == 1000 command, whether or not the check passed:
// (re)arms timer id 1 with a 0x3E8 (1000) ms period. TimerFunc is not
// shown on this page.
SetTimer(hWnd, 1u, 0x3E8u, TimerFunc);
}
// a3 == 1001: stop timer id 1.
if ( a3 == 1001 )
KillTimer(hWnd, 1u);
}
return 0;
}
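The goal is to satisfy
if ( v10 == 123 && v12 == 120 && v14 == 122 && v13 == 121 )
The input cannot be longer than 6 characters, otherwise the program exits. v10 is the input converted to an integer by atoi() plus 1, so to meet the condition the number at the start of the input should be 122. v12, v13 and v14 sit 3, 4 and 5 bytes after the start of String on the stack (ebp-101h, ebp-100h and ebp-FFh against ebp-104h), so they are the 4th to 6th characters of the input and must be the ASCII codes 120, 121 and 122, i.e. xyz. Entering
122xyz
gives the flag.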
The flag can also be reconstructed directly from the pseudo-C code by following the order in which the program concatenates the pieces:
flag{123_Buff3r_0v3rf|0w}