攻防世界elrond32題解
- 使用exeinfope查看檔案資訊
- 分析反匯編代碼
- 撰寫代碼獲取flag
使用exeinfope查看檔案資訊
查看后發現是一個32位的ELF可執行檔案,丟進IDA32查看反匯編代碼
分析反匯編代碼
首先找到main函式,F5查看偽代碼
看見Access granted顯然可知sub_8048538()函式是輸出flag的函式,點開看看
看代碼發現我們需要得到陣列a2的值,于是回到main函式,發現a2與sub_8048414()函式有關,點開看看
分析函式,寫出代碼,得到a2陣列
int a1[20]={105,101,0,110,100,97,103,115,0,114,0,0};
for(int i=0;;i=7*(i+1)%11,k++){
a2[k]=a1[i];
printf("*%d\n",i);
if(i==2||i==8||i>9)break;
}
-->a2={105,115,101,110,103,97,114,100,0}
繼續分析sub_8048538()函式,發現我們還需要知道v2陣列的值,根據代碼
qmemcpy(v2, &unk_8048760, sizeof(v2));
知道v2是從unk_8048760處復制了33個int
查看unk_8048760的值
一個int占4個記憶體,所以剩下3個的記憶體用0填充,最后得出
int v2[33]={0x0F,0x1F,0x04,0x09,0x1C,0x12,0x42,0x09,0x0C,0x44,0x0D,0x07,0x09,0x06,0x2D,0x37,0x59,0x1E,0x00,0x59,0x0F,0x08,0x1C,0x23,0x36,0x07,0x55,0x02,0x0C,0x08,0x41,0x0A,0x14};
撰寫代碼獲取flag
#include<iostream>
#include<cstdio>
#include<cstring>
#include<algorithm>
int a1[20]={105,101,0,110,100,97,103,115,0,114};
int main()
{
int a2[20],k=0;
int v2[33]={0x0F,0x1F,0x04,0x09,0x1C,0x12,0x42,0x09,0x0C,0x44,0x0D,0x07,0x09,0x06,0x2D,0x37,0x59,0x1E,0x00,0x59,0x0F,0x08,0x1C,0x23,0x36,0x07,0x55,0x02,0x0C,0x08,0x41,0x0A,0x14};
for(int i=0;;i=7*(i+1)%11,k++){
a2[k]=a1[i];
if(i==2||i==8||i>9)break;
}
for ( int i = 0; i <= 32; ++i )
putchar(v2[i] ^ a2[i % 8]);
}
-->flag{s0me7hing_S0me7hinG_t0lki3n}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/29722.html
標籤:其他