logmein
难度系数: 3.0
题目来源: RC3 CTF 2016
题目描述:菜鸡开始接触一些基本的算法逆向了
题目附件: 附件1
查一下壳,无壳,ELF程序
拖入IDA查看,找到main函数,F5反汇编
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
size_t v3; // rsi
int i; // [rsp+3Ch] [rbp-54h]
char s[36]; // [rsp+40h] [rbp-50h]
int v6; // [rsp+64h] [rbp-2Ch]
__int64 v7; // [rsp+68h] [rbp-28h]
char v8[8]; // [rsp+70h] [rbp-20h]
int v9; // [rsp+8Ch] [rbp-4h]
v9 = 0;
strcpy(v8, ":"AL_RT^L*.?+6/46");
v7 = 28537194573619560LL;
v6 = 7;
printf("Welcome to the RC3 secure password guesser.
", a2, a3);
printf("To continue, you must enter the correct password.
");
printf("Enter your guess: ");
__isoc99_scanf("%32s", s);
v3 = strlen(s);
if ( v3 < strlen(v8) )
sub_4007C0(v8);
for ( i = 0; i < strlen(s); ++i )
{
if ( i >= strlen(v8) )
((void (*)(void))sub_4007C0)();
if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
((void (*)(void))sub_4007C0)();
}
sub_4007F0();
}
这里逻辑很明确,sub_4007C0 是输出失败的函数,而sub_4007F0()是flag正确的函数。
那么其实flag就主要要符合 s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) 这一句
BYTE是一种数据类型,在windows.h头文件下,由此编写EXP
EXP在此!
#include <stdio.h>
#include <string.h>
#include <windows.h>
main(){
int i,len;
long long v7=28537194573619560LL;
char v8[50] ,s[36];
strcpy(v8, ":"AL_RT^L*.?+6/46");
len = strlen(v8);
for ( i = 0; i < len; ++i )
{
s[i] = (char)(*((BYTE *)&v7 + i % 7) ^ v8[i]);
printf("%c",s[i]);
}
}