[ctf.show.reverse] re3

逻辑很简单，但用python写的话由于python没有长度限制，直接用会有些问题需要解决。所以用gdb跟一下。

  v7 = 0x50;v8 = 0xFAE3;v9 = 0xD7D3F7B;v10 = 0xA43499F6;v11 = 5;v12 = 0x10;v13 = 0xEF9;v5 = 0;puts("plz input the key:");__isoc99_scanf("%s", s);v3 = strlen(s);strncpy(dest, v19, v3 - 6);                   // 去掉flag{dest[strlen(s) - 6] = 0;__isoc99_sscanf(dest, "%x", &v5);v17[0] = v7;v17[1] = v8;v17[2] = v9;v17[3] = v10;v17[4] = (v11 << 12) + v12;v17[5] = v13;v17[6] = v5;v16 = 0LL;for ( i = 0; i <= 6; ++i ){for ( v16 += (unsigned int)v17[i]; v16 > 0xFFFF; v16 = v15 + (unsigned int)(unsigned __int16)v16 ){v14 = (unsigned __int16)v16;v15 = v16 >> 16;}}if ( v16 == 0xFFFF )puts("OK");elseputs("Error");   //断点下在这

在puts("Error")下断点，输入flag{0000}然后看v16的值，由于输入的是0，退出里得到v16的值与0xffff的差就是flag的值。

shi@ubuntu:~/xctf$ gdb ./r3
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:<http://www.gnu.org/software/gdb/documentation/>.For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./r3...
(No debugging symbols found in ./r3)
gdb-peda$ r
Starting program: /home/shi/xctf/r3
plz input the key:
^C
Program received signal SIGINT, Interrupt.
......
gdb-peda$ vmmap
Start              End                Perm  Name
0x0000555555554000 0x0000555555555000 r-xp  /home/shi/xctf/r3
0x0000555555754000 0x0000555555755000 r--p  /home/shi/xctf/r3
0x0000555555755000 0x0000555555756000 rw-p  /home/shi/xctf/r3
......
gdb-peda$ b *0x00005555555549fc
Breakpoint 1 at 0x5555555549fc
gdb-peda$ r
Starting program: /home/shi/xctf/r3
plz input the key:
flag{0000}
......
gdb-peda$ x/wx $rsp+0x38
0x7fffffffdee8: 0x0000e560
gdb-peda$ p 0xffff-0x0000e560
$1 = 0x1a9f
gdb-peda$ #flag{1a9f}

[ctf.show.reverse] re3相关推荐

[ctf.show.reverse] 红包六
下来是个压缩包,解开后一个原码,解码后是notflag,发现压缩包有5k大而解出的java文件只有1k,显然包里还有内容未解出用010打开包发现有两个EzJar.class文件,手工切出解压 imp ...
[ctf.show.reverse] re2
签到完了就一个小题,本身不繁杂但是有点长. 先是要求输入一个串然后逐位与0x1f异或后检查密钥是否正确 char __cdecl sub_401A70(char *Str, char *Str1) { ...
[ctf.show.reverse] 吃鸡杯 ezmore,有手就行,EzAutoRe
ezmore 动调的题,跟进去在4019d6下断点看比较情况得到neft输入后得到flag组成提示有手就行一上来就猜入口是_main然后解到一个fake s2 = [99,23,113,2,106 ...
[ctf.show.reverse] 月饼杯 re1_西北望乡、re2_归心、re3_若无月
re1_西北望乡主程序很容易看明白,格式是flag{....}长45,然后把3,6,13,36拿出来作为系数,这些字符每5个一组分别乘系数后的和给定了.然后就是怎么解了. if ( strlen(f ...
[ctf.show.reverse] 来一个派森，好好学习天天向上
来一个派森根据名字来看是一个编译成exe的python程序, 用py \tools\pyinstxtractor.py checkme.exe 将其解包, 然后将struct文件头部E3前的部分插入 ...
XCTF-攻防世界CTF平台-Reverse逆向类——52、handcrafted-pyc（Python的pyc文件逆向）
下载题目附件之后,查看附件52: 发现它就是一个Python代码文件 #!/usr/bin/env python # -*- coding: utf-8 -*-import marshal, zlib ...
[ctf.show.reverse] 吃瓜杯签层饼，Tea_tube_pot
签层饼真有一千层函数呀,沿着输入存入的两个变量找,找到3个函数: 主函数给出了flag的组织方式, check1说number2<882408, check2说number1 = number ...
XCTF-攻防世界CTF平台-Reverse逆向类——56、tar-tar-binks（Mac平台下的64位动态链接共享库.dylib逆向）
目录标题一.解压缩二.查看文件三.分析程序四.程序主要逻辑: 五.逆向思路: 步骤一: 步骤二: 六.解密代码: 题目提供了两个文件flag.tar和libarchive.dylib 一.解压 ...
XCTF-攻防世界CTF平台-Reverse逆向类——57、re5-packed-movement（linux32位ELF文件、movfuscator代码混淆）
目录标题方法一:搜索字节序列方法二:IDC脚本方法三:Python脚本: 方法四:bgrep工具先查看文件信息: 是linux下的32位ELF文件,且被加了UPX的壳下载最新版的UP ...

[ctf.show.reverse] re3

[ctf.show.reverse] re3相关推荐

最新文章

热门文章