非常简单的题目,没有加壳:
main函数伪代码:
// local variable allocation has failed, the output may be wrong!
// Hex-Rays pseudocode for main(). Visible behaviour: on one branch it rewrites
// the global `flag` in place, then prompts, reads a bounded token, compares it
// with `flag` and prints one of two result strings.
// The sub_4xxxxx names are unresolved call targets; every guess about their
// identity below is an assumption to confirm against the binary's imports.
int __cdecl main(int argc, const char **argv, const char **envp)
{
const char *v3; // rdi
int result; // eax
__int64 v5; // rdx
unsigned __int64 v6; // rt1
char v7; // [rsp+4h] [rbp-3Ch]
int i; // [rsp+8h] [rbp-38h]
unsigned int v9; // [rsp+Ch] [rbp-34h]
// NOTE(review): typed as a single char, but it is the destination of the "%20s"
// read below. It sits at rbp-30h and v11 at rbp-18h, leaving 0x18 = 24 bytes, so
// this is most likely a char buffer whose type the decompiler did not recover
// (consistent with the "local variable allocation has failed" warning).
char v10; // [rsp+10h] [rbp-30h]
unsigned __int64 v11; // [rsp+28h] [rbp-18h]
// Save the qword at fs:0x28; it is re-read and compared just before return.
// On x86-64 Linux this is the stack-protector canary pattern.
v11 = __readfsqword(0x28u);
// NOTE(review): the result only selects a branch, and the nonzero branch passes
// it to sub_400660 with an out-pointer and 0. That shape resembles
// fork()/waitpid(); confirm. Either way, the rewrite loop runs only on the
// branch where this call returned 0.
v9 = sub_400680(*(_QWORD *)&argc, argv, envp);
if (v9)
{
sub_400660(v9, &v7, 0LL);
}
else
{
// ASCII: 105 = 'i', 114 = 'r', 49 = '1'. Every 'i' or 'r' in flag becomes '1'.
// The bound is `<=`, so the index equal to sub_400600(flag) is tested as well;
// if sub_400600 is strlen (presumably; confirm) that byte is the NUL
// terminator, which matches neither value. The call is re-evaluated on
// every iteration.
for (i = 0; i <= (unsigned __int64)sub_400600(flag); ++i)
{
if (flag[i] == 105 || flag[i] == 114)
flag[i] = 49;
}
}
sub_400620("input the flag:");
// The field width limits the stored token to 20 characters plus a terminator
// (21 bytes), which fits in the 24 bytes between v10 and the saved canary.
// Assumes sub_400670 is scanf-like, as the format string suggests; confirm.
sub_400670("%20s", &v10);
// A nonzero result selects the "wrong flag!" branch, zero selects the success
// branch. Looks like a strcmp-style comparison; confirm.
if ((unsigned int)sub_400640(flag, &v10))
{
v3 = "wrong flag!";
result = sub_4005F0("wrong flag!");
}
else
{
v3 = "this is the right flag!";
result = sub_4005F0("this is the right flag!");
}
// Canary check: re-read fs:0x28 and compare it with the value saved on entry.
// sub_400610 is called only on mismatch (presumably the stack-check failure
// handler; confirm). The arguments shown are likely decompiler artefacts.
v6 = __readfsqword(0x28u);
v5 = v6 ^ v11;
if (v6 != v11)
result = sub_400610(v3, &v10, v5);
return result;
}
可以看到程序将flag中的字符i和r(ASCII 105和114)替换为了1(ASCII 49):
// Excerpt of the rewrite loop from main(). ASCII: 105 = 'i', 114 = 'r', 49 = '1'.
// The `<=` bound also tests the index equal to sub_400600(flag); if that call is
// strlen (presumably; confirm) the extra byte is the NUL terminator and is
// left unchanged.
for (i = 0; i <= (unsigned __int64)sub_400600(flag); ++i)
{
if (flag[i] == 105 || flag[i] == 114)
flag[i] = 49;
}
很明显答案就在全局变量flag中,查看其在.data段中的内容:
; NOTE(review): this excerpt begins at 0x601081; the byte at 0x601080 is not
; shown here. The last byte, 7Dh, is '}', which suggests a matching opening
; byte precedes 'h'. Check the first byte in the disassembler before
; treating the bytes below as the complete string.
; main+44↑r ...
.data:0000000000601081 db 68h ; h
.data:0000000000601082 db 61h ; a
.data:0000000000601083 db 63h ; c
.data:0000000000601084 db 6Bh ; k
.data:0000000000601085 db 69h ; i
.data:0000000000601086 db 6Eh ; n
.data:0000000000601087 db 67h ; g
.data:0000000000601088 db 5Fh ; _
.data:0000000000601089 db 66h ; f
.data:000000000060108A db 6Fh ; o
.data:000000000060108B db 72h ; r
.data:000000000060108C db 5Fh ; _
.data:000000000060108D db 66h ; f
.data:000000000060108E db 75h ; u
.data:000000000060108F db 6Eh ; n
.data:0000000000601090 db 7Dh ; }
hacking_for_fun
将其中的i和r替换为1后得到Flag
hack1ng_fo1_fun