• 攻防世界--re2-cpp-is-awesome


    测试文件:https://adworld.xctf.org.cn/media/task/attachments/c5802869b8a24033b4a80783a67c858b

    1.准备

    获取信息

    1. 64位文件

    2.IDA打开

     1 __int64 __fastcall main(int a1, char **a2, char **a3)
     2 {
     3   char *v3; // rbx
     4   __int64 v4; // rax
     5   __int64 v5; // rdx
     6   __int64 v6; // rax
     7   __int64 v7; // rdx
     8   _BYTE *v8; // rax
     9   __int64 i; // [rsp+10h] [rbp-60h]
    10   char v11; // [rsp+20h] [rbp-50h]
    11   char v12; // [rsp+4Fh] [rbp-21h]
    12   __int64 v13; // [rsp+50h] [rbp-20h]
    13   int v14; // [rsp+5Ch] [rbp-14h]
    14 
    15   if ( a1 != 2 )
    16   {
    17     v3 = *a2;
    18     v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Usage: ", a3);
    19     v6 = std::operator<<<std::char_traits<char>>(v4, v3, v5);
    20     std::operator<<<std::char_traits<char>>(v6, " flag
    ", v7);
    21     exit(0);
    22   }
    23   std::allocator<char>::allocator(&v12, a2, a3);
    24   std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v11, a2[1], &v12);
    25   std::allocator<char>::~allocator(&v12);
    26   v14 = 0;
    27   for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) )
    28   {
    29     v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11);
    30     if ( !(unsigned __int8)sub_400D3D(&i, &v13) )
    31       break;
    32     v8 = (_BYTE *)sub_400D9A(&i);
    33     if ( *v8 != off_6020A0[dword_6020C0[v14]] )
    34       sub_400B56();
    35     ++v14;
    36   }
    37   sub_400B73();
    38   std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v11);
    39   return 0LL;
    40 }

    3.代码分析

    实际上这堆代码,很大部分“垃圾代码”--不需要我们关注的

    我们只需要关注26行代码以下部分即可

    第27行代码,是一个for循环,没有结束条件,每次增加sub_400D7A(&i),即1字节

    _QWORD *__fastcall sub_400D7A(_QWORD *a1)
    {
      ++*a1;
      return a1;
    }
      for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) )
      {
        v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11);
        if ( !sub_400D3D((__int64)&i, (__int64)&v13) )// 循环结束条件
          break;
        v8 = (_BYTE *)sub_400D9A((__int64)&i);      // 进行某种赋值
        if ( *v8 != off_6020A0[dword_6020C0[v14]] ) // 重点!这里实际上就是一个数组套着数组
          sub_400B56(&i, &v13);
        ++v14;                                      // 数组下标
      }

    3.1条件中找flag

    通过对比sub_400B56(&i, &v13);和 sub_400B73(&i, &v13);函数,我们能够得到flag实际藏在if判断条件中

    void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)
    {
      std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time
    ", a3);
      exit(0);
    }
    __int64 __fastcall sub_400B73(__int64 a1, __int64 a2, __int64 a3)
    {
      return std::operator<<<std::char_traits<char>>(&std::cout, "You should have the flag by now
    ", a3);
    }

    进入off_6020A0和dword_6020C0我们可以看到

    .data:00000000006020A0 off_6020A0      dq offset aL3tMeT3llY0uS0
    .data:00000000006020A0                                         ; DATA XREF: main+D1↑r
    .data:00000000006020A0                                         ; "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{"...
    .data:00000000006020A8                 align 20h
    .rodata:0000000000400E58 aL3tMeT3llY0uS0 db 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t'
    .rodata:0000000000400E58                                         ; DATA XREF: .data:off_6020A0↓o

    这实际上就是一段字符串

    .data:00000000006020C0 dword_6020C0    dd 24h                  ; DATA XREF: main+DD↑r
    .data:00000000006020C4                 align 8
    .data:00000000006020C8                 db    5
    .data:00000000006020C9                 db    0
    .data:00000000006020CA                 db    0
    .data:00000000006020CB                 db    0
    .data:00000000006020CC                 db  36h ; 6
    .data:00000000006020CD                 db    0
    .data:00000000006020CE                 db    0
    .data:00000000006020CF                 db    0
    .data:00000000006020D0                 db  65h ; e
    .data:00000000006020D1                 db    0
    .data:00000000006020D2                 db    0
    .data:00000000006020D3                 db    0
    .data:00000000006020D4                 db    7
    .data:00000000006020D5                 db    0
    .data:00000000006020D6                 db    0
    .data:00000000006020D7                 db    0
    .data:00000000006020D8                 db  27h ; '
    .data:00000000006020D9                 db    0
    .data:00000000006020DA                 db    0
    .data:00000000006020DB                 db    0
    .data:00000000006020DC                 db  26h ; &
    .data:00000000006020DD                 db    0
    .data:00000000006020DE                 db    0
    .data:00000000006020DF                 db    0
    .data:00000000006020E0                 db  2Dh ; -
    .data:00000000006020E1                 db    0
    .data:00000000006020E2                 db    0
    .data:00000000006020E3                 db    0
    .data:00000000006020E4                 db    1
    .data:00000000006020E5                 db    0
    .data:00000000006020E6                 db    0
    .data:00000000006020E7                 db    0
    .data:00000000006020E8                 db    3
    .data:00000000006020E9                 db    0
    .data:00000000006020EA                 db    0
    .data:00000000006020EB                 db    0
    .data:00000000006020EC                 db    0
    .data:00000000006020ED                 db    0
    .data:00000000006020EE                 db    0
    .data:00000000006020EF                 db    0
    .data:00000000006020F0                 db  0Dh
    .data:00000000006020F1                 db    0
    .data:00000000006020F2                 db    0
    .data:00000000006020F3                 db    0
    .data:00000000006020F4                 db  56h ; V
    .data:00000000006020F5                 db    0
    .data:00000000006020F6                 db    0
    .data:00000000006020F7                 db    0
    .data:00000000006020F8                 db    1
    .data:00000000006020F9                 db    0
    .data:00000000006020FA                 db    0
    .data:00000000006020FB                 db    0
    .data:00000000006020FC                 db    3
    .data:00000000006020FD                 db    0
    .data:00000000006020FE                 db    0
    .data:00000000006020FF                 db    0
    .data:0000000000602100                 db  65h ; e
    .data:0000000000602101                 db    0
    .data:0000000000602102                 db    0
    .data:0000000000602103                 db    0
    .data:0000000000602104                 db    3
    .data:0000000000602105                 db    0
    .data:0000000000602106                 db    0
    .data:0000000000602107                 db    0
    .data:0000000000602108                 db  2Dh ; -
    .data:0000000000602109                 db    0
    .data:000000000060210A                 db    0
    .data:000000000060210B                 db    0
    .data:000000000060210C                 db  16h
    .data:000000000060210D                 db    0
    .data:000000000060210E                 db    0
    .data:000000000060210F                 db    0
    .data:0000000000602110                 db    2
    .data:0000000000602111                 db    0
    .data:0000000000602112                 db    0
    .data:0000000000602113                 db    0
    .data:0000000000602114                 db  15h
    .data:0000000000602115                 db    0
    .data:0000000000602116                 db    0
    .data:0000000000602117                 db    0
    .data:0000000000602118                 db    3
    .data:0000000000602119                 db    0
    .data:000000000060211A                 db    0
    .data:000000000060211B                 db    0
    .data:000000000060211C                 db  65h ; e
    .data:000000000060211D                 db    0
    .data:000000000060211E                 db    0
    .data:000000000060211F                 db    0
    .data:0000000000602120                 db    0
    .data:0000000000602121                 db    0
    .data:0000000000602122                 db    0
    .data:0000000000602123                 db    0
    .data:0000000000602124                 db  29h ; )
    .data:0000000000602125                 db    0
    .data:0000000000602126                 db    0
    .data:0000000000602127                 db    0
    .data:0000000000602128                 db  44h ; D
    .data:0000000000602129                 db    0
    .data:000000000060212A                 db    0
    .data:000000000060212B                 db    0
    .data:000000000060212C                 db  44h ; D
    .data:000000000060212D                 db    0
    .data:000000000060212E                 db    0
    .data:000000000060212F                 db    0
    .data:0000000000602130                 db    1
    .data:0000000000602131                 db    0
    .data:0000000000602132                 db    0
    .data:0000000000602133                 db    0
    .data:0000000000602134                 db  44h ; D
    .data:0000000000602135                 db    0
    .data:0000000000602136                 db    0
    .data:0000000000602137                 db    0
    .data:0000000000602138                 db  2Bh ; +
    .data:0000000000602139                 db    0
    .data:000000000060213A                 db    0
    .data:000000000060213B                 db    0
    .data:000000000060213B _data           ends

    这里就相当于是一连串的整数

    因此我们可以分析得出,通过v15/v14作为内部数组下标,循环获到的整数再作为外部数组的下标,获取到需要的字符串。

    这里值得注意的一点是,algn 8表示两个数之间间隔8位,相当于在两个数之间插了7个0,也就相当于在头两个数之间还有一个'0'

    4.脚本获取flag

    S = 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_'
    
    N = [0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2d,0x1,0x3,0x0,0x0d,0x56,0x1,0x3,0x65,0x3,0x2d,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2b]
    
    x = ''
    
    for i in N:
        x += S[i]
    
    print(x)

    5.get flag!

    ALEXCTF{W3_L0v3_C_W1th_CL45535}

  • 相关阅读:
    h.264宏块与子宏块类型
    h.264语法结构分析
    [傅里叶变换及其应用学习笔记] 关于任何信号都能表现成傅里叶级数形式的推导
    [傅里叶变换及其应用学习笔记] 课程概览
    [傅里叶变换及其应用学习笔记] 三十. 拉东变换
    [傅里叶变换及其应用学习笔记] 二十九. 高维Ш函数修改版
    后端解决 微信H5支付 商户参数格式错误 方法
    PhpStorm一次性折叠所有函数或者方法
    js生成的cookie在yii2中获取不到的解决办法
    Android webview 调起H5微信支付
  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/11495087.html
Copyright © 2020-2023  润新知