  • buuctf re [ACTF新生赛2020]Oruga

    // Entry point (IDA pseudocode). Reads a candidate flag from stdin, checks that
    // its first five bytes are "actf{", then hands the whole input to sub_78A and
    // prints the verdict. Every path returns 0.
    __int64 __fastcall main(int a1, char **a2, char **a3)
    {
      int i; // [rsp+0h] [rbp-40h]
      char s1[6]; // [rsp+4h] [rbp-3Ch] BYREF
      char s2[6]; // [rsp+Ah] [rbp-36h] BYREF
      char s[40]; // [rsp+10h] [rbp-30h] BYREF
      unsigned __int64 v8; // [rsp+38h] [rbp-8h]
    
      // Presumably the stack-protector canary load (fs:0x28 on x86-64 Linux);
      // the matching check before return is not shown in this listing.
      v8 = __readfsqword(0x28u);
      // Only the first 0x19 (25) of the 40 bytes of s are cleared.
      memset(s, 0, 0x19uLL);
      printf("Tell me the flag:");
      // NOTE(review): "%s" carries no field width, so any input longer than
      // 39 bytes is written past the end of s[40]. A bounded conversion such
      // as "%39s" would keep the read inside the buffer.
      scanf("%s", s);
      // "actf{" is 5 characters plus the terminator, which exactly fills s2[6].
      strcpy(s2, "actf{");
      // Copy the first five input bytes into s1 and terminate it, so the
      // strcmp below compares only the prefix.
      for ( i = 0; i <= 4; ++i )
        s1[i] = s[i];
      s1[5] = 0;
      if ( !strcmp(s1, s2) )
      {
        // Prefix matched: the rest of the input (from index 5) is validated
        // by sub_78A.
        if ( sub_78A((__int64)s) )
          printf("That's True Flag!");
        else
          printf("don't stop trying...");
        return 0LL;
      }
      else
      {
        printf("Format false!");
        return 0LL;
      }
    }
    

    查看函数sub_78A((__int64)s)

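    // Maze-walk checker (IDA pseudocode).
    //
    // a1 is the address of the input string. Reading starts at index 5 (v3 = 5),
    // i.e. just past the five-byte prefix that main has already compared.
    //
    //   v2  index of the current cell in byte_201020. Steps of +-1 and +-16
    //       together with the (v2 & 0xF) / (v2 % 16) edge tests mean the table
    //       is walked as rows of 16 bytes.
    //   v3  index of the next input character.
    //   v4  current step: -16 up, +1 right, +16 down, -1 left, 0 before the
    //       first move.
    //
    // Each input character picks a direction: 87 'W' up, 69 'E' right,
    // 77 'M' down, 74 'J' left. A character naming the direction already in
    // v4 is not accepted, and any other byte (including the terminating NUL)
    // makes the function return 0, so the walk cannot run past the string end.
    //
    // After a direction is chosen the position slides over zero cells until it
    // lands on a non-zero cell; sliding off an edge of the grid returns 0.
    // If that cell is 33 ('!') the walk is finished, otherwise the position is
    // moved back one step (v2 -= v4) and the next character is consumed.
    //
    // Returns 1 only if the character following the path is 125 ('}').
    _BOOL8 __fastcall sub_78A(__int64 a1)
    {
      int v2; // [rsp+Ch] [rbp-Ch]
      int v3; // [rsp+10h] [rbp-8h]
      int v4; // [rsp+14h] [rbp-4h]
    
      v2 = 0;
      v3 = 5;
      v4 = 0;
      while ( byte_201020[v2] != 33 )
      {
        // Step back off the non-zero cell that stopped the previous slide
        // (a no-op on the first pass, where v4 == 0).
        v2 -= v4;
        if ( *(_BYTE *)(v3 + a1) != 87 || v4 == -16 )    // 87 = 'W' (up)
        {
          if ( *(_BYTE *)(v3 + a1) != 69 || v4 == 1 )     // 69 = 'E' (right)
          {
            if ( *(_BYTE *)(v3 + a1) != 77 || v4 == 16 )   // 77 = 'M' (down)
            {
              if ( *(_BYTE *)(v3 + a1) != 74 || v4 == -1 )  // 74 = 'J' (left)
                return 0LL;
              v4 = -1;
            }
            else
            {
              v4 = 16;
            }
          }
          else
          {
            v4 = 1;
          }
        }
        else
        {
          v4 = -16;
        }
        ++v3;
        // Slide in direction v4 while the current cell is empty (0).
        while ( !byte_201020[v2] )
        {
          // Moving left while already in column 0.
          if ( v4 == -1 && (v2 & 0xF) == 0 )
            return 0LL;
          // Moving right while already in column 15.
          if ( v4 == 1 && v2 % 16 == 15 )
            return 0LL;
          // Moving down while in the last row (indices 240..255).
          if ( v4 == 16 && (unsigned int)(v2 - 240) <= 0xF )
            return 0LL;
          // Moving up while in the first row (the unsigned test covers
          // v2 in -15..15).
          if ( v4 == -16 && (unsigned int)(v2 + 15) <= 0x1E )
            return 0LL;
          v2 += v4;
        }
      }
      // The path must be followed immediately by the closing '}' (125).
      return *(_BYTE *)(v3 + a1) == 125;
    }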
    

    由 while ( byte_201020[v2] != 33 ) 可看出，值为 0x21（十进制 33，即字符 '!'）的格子是终点

    ; byte_201020 is the table indexed by sub_78A. The db lines below add up to
    ; 256 bytes, which sub_78A walks as 16 rows of 16 (steps of +-1 and +-16).
    ; "N dup(X)" is IDA's run-length notation for N consecutive bytes of value X.
    ; A 0 byte is an empty cell, any non-zero byte stops a slide, and the single
    ; 21h byte (offset 250, in the last db line) is the goal cell.
    byte_201020     db 4 dup(0), 23h, 7 dup(0), 4 dup(23h), 3 dup(0), 2 dup(23h)
    .data:0000000000201020                                         ; DATA XREF: sub_78A+23↑o
    .data:0000000000201020                                         ; sub_78A+DC↑o
    .data:0000000000201020                 db 3 dup(0), 2 dup(4Fh), 0Eh dup(0), 2 dup(4Fh), 0, 2 dup(50h)
    .data:0000000000201020                 db 6 dup(0), 4Ch, 0, 2 dup(4Fh), 0, 2 dup(4Fh), 0, 2 dup(50h)
    .data:0000000000201020                 db 6 dup(0), 4Ch, 0, 2 dup(4Fh), 0, 2 dup(4Fh), 0, 50h
    .data:0000000000201020                 db 6 dup(0), 2 dup(4Ch), 0, 2 dup(4Fh), 4 dup(0), 50h
    .data:0000000000201020                 db 9 dup(0), 2 dup(4Fh), 4 dup(0), 50h, 4 dup(0), 23h
    .data:0000000000201020                 db 1Bh dup(0), 23h, 9 dup(0), 3 dup(4Dh), 3 dup(0), 23h
    .data:0000000000201020                 db 0Ah dup(0), 3 dup(4Dh), 4 dup(0), 2 dup(45h), 3 dup(0)
    .data:0000000000201020                 db 30h, 0, 4Dh, 0, 4Dh, 0, 4Dh, 4 dup(0), 45h, 0Fh dup(0)
    .data:0000000000201020                 db 2 dup(45h), 3 dup(54h), 49h, 0, 4Dh, 0, 4Dh, 0, 4Dh
    .data:0000000000201020                 db 4 dup(0), 45h, 2 dup(0), 54h, 0, 49h, 0, 4Dh, 0, 4Dh
    .data:0000000000201020                 db 0, 4Dh, 4 dup(0), 45h, 2 dup(0), 54h, 0, 49h, 0, 4Dh
    .data:0000000000201020                 db 0, 4Dh, 0, 4Dh, 21h, 3 dup(0), 2 dup(45h)
    

    把上面的 256 个字节按每行 16 个展开，得到如下 16×16 的迷宫（00 为可通行的空格，非 0 字节为障碍，21 为终点）：

    00 00 00 00 23 00 00 00 00 00 00 00 23 23 23 23
    00 00 00 23 23 00 00 00 4F 4F 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 4F 4F 00 50 50 00 00 00
    00 00 00 4C 00 4F 4F 00 4F 4F 00 50 50 00 00 00
    00 00 00 4C 00 4F 4F 00 4F 4F 00 50 00 00 00 00
    00 00 4C 4C 00 4F 4F 00 00 00 00 50 00 00 00 00
    00 00 00 00 00 4F 4F 00 00 00 00 50 00 00 00 00
    23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00
    00 00 00 00 00 00 4D 4D 4D 00 00 00 23 00 00 00
    00 00 00 00 00 00 00 4D 4D 4D 00 00 00 00 45 45
    00 00 00 30 00 4D 00 4D 00 4D 00 00 00 00 45 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 45
    54 54 54 49 00 4D 00 4D 00 4D 00 00 00 00 45 00
    00 54 00 49 00 4D 00 4D 00 4D 00 00 00 00 45 00
    00 54 00 49 00 4D 00 4D 00 4D 21 00 00 00 45 45
    

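    从左上角（下标 0）出发，每输入一个方向（W 上、E 右、M 下、J 左）就沿该方向一直滑到障碍物前停下，且同一方向不能连续输入两次。走到 0x21 的路径为：

    MEWEMEWJMEWJM

    main 要求前缀为 actf{，sub_78A 要求路径后紧跟 }，因此 flag 为 actf{MEWEMEWJMEWJM}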

  • 原文地址:https://www.cnblogs.com/socialbiao/p/15714243.html