BUU_RE_[GXYCTF2019]luck_guy
阿新 • • 發佈:2022-03-06
64位,無殼
字串查詢到一半的flag,雙擊跟進:
在函式get_flag中,虛擬碼:
unsigned __int64 get_flag() { unsigned int v0; // eax int i; // [rsp+4h] [rbp-3Ch] int j; // [rsp+8h] [rbp-38h] __int64 s; // [rsp+10h] [rbp-30h] BYREF char v5; // [rsp+18h] [rbp-28h] unsigned __int64 v6; // [rsp+38h] [rbp-8h] v6 = __readfsqword(0x28u); v0= time(0LL); srand(v0); for ( i = 0; i <= 4; ++i ) { switch ( rand() % 200 ) { case 1: puts("OK, it's flag:"); memset(&s, 0, 0x28uLL); strcat((char *)&s, f1); strcat((char *)&s, &f2); printf("%s", (const char *)&s);break; case 2: printf("Solar not like you"); break; case 3: printf("Solar want a girlfriend"); break; case 4: s = 0x7F666F6067756369LL; v5 = 0; strcat(&f2, (const char *)&s); break; case 5: for ( j = 0; j <= 7; ++j ) { if ( j % 2 == 1 ) *(&f2 + j) -= 2; else --*(&f2 + j); } break; default: puts("emmm,you can't find flag 23333"); break; } } return __readfsqword(0x28u) ^ v6; }
看到case1中,輸出的flag由字串和一個變數f2組成,現在求解f2