4chan

Re

0%

GXYCTF2019 luck_guy

发表于 更新于 分类于 Valine:

链接:https://pan.baidu.com/s/1hoU9 uQsSeGr-6p7RBSm56w
提取码:ed2z

0x01 查看有无加壳

1

没有加壳,64位文件

0x02 打开IDA64,查看main函数,F5反编译

2

3

0x03 进入patch_me函数,接着进入get_flag函数界面

4

5

0x04 进行代码分析 😞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
__int64 get_flag()
{
  unsigned int v0; // eax@1
  signed int i; // [sp+4h] [bp-3Ch]@1
  signed int j; // [sp+8h] [bp-38h]@7
  __int64 s; // [sp+10h] [bp-30h]@3
  char v5; // [sp+18h] [bp-28h]@6
  __int64 v6; // [sp+38h] [bp-8h]@1

  v6 = *MK_FP(__FS__, 40LL);
  v0 = time(0LL);               //得到时间
  srand(v0);                    //使用时间作为种子生成随机数字
  for ( i = 0; i <= 4; ++i )
  {
    switch ( rand() % 200 )      // 产生1-199之间的随机数
    {
      case 1:
        puts("OK, it's flag:");      
        memset(&s, 0, 0x28uLL); 
        strcat((char *)&s, f1);   // f1='GXY{do_not_'
        strcat((char *)&s, &f2);  //f2初始为空
        printf("%s", &s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4:
        v5 = 0;
        s = 9180147350284624745LL;  //在IDA里面选中9180147350284624745LL按H键转换16进制为0x69,0x63,0x75,0x67,0x60,0x6f,0x66,0x7f    
        strcat(&f2, (const char *)&s);  //f2和s拼接
        break;
      case 5:
        for ( j = 0; j <= 7; ++j )
        {
          if ( ((((unsigned int)((unsigned __int64)j >> 32) >> 31) + (_BYTE)j) & 1)
             - ((unsigned int)((unsigned __int64)j >> 32) >> 31) == 1 )
            *(&f2 + j) -= 2;
          else
            --*(&f2 + j);
        }
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return *MK_FP(__FS__, 40LL) ^ v6;
}

6

分析可知flag是由f1f2组成,f1已经告诉,现在只需要求f2就行。

  • case4给f2赋值

  • case5对f2进行处理

swich函数需要排序和,因此顺序是: case5>case4>case1

0x05 脚本构建 🍔

由于IDA是反编译C语言,s=0x69,0x63,0x75,0x67,0x60,0x6f,0x66,0x7f应该逆序成s = 0x7F666F6067756369LL作为小端储存,关于大小端推荐师傅的**文章**

1
2
3
4
5
6
7
8
9
10
11
flag = 'GXY{do_not_'
f2 = [0x7F, 0x66, 0x6F, 0x60, 0x67, 0x75, 0x63, 0x69][::-1]
s = ''
for i in range(8):
    if i % 2 == 1:
        s = chr(int(f2[i]) - 2)
    else:
        s = chr(int(f2[i]) - 1)
    flag += s
print(flag)

7

1
GXY{do_not_hate_me}

欢迎关注我的其它发布渠道