game

A pit that 学委 and b1ank dragged me into.

[screenshot: image-20201227171144715]

The final goal is to execute this function, which is at address 0xF66C.

[screenshot: image-20201227171242219]

Set a breakpoint at F4F3 and open the program in OD (OllyDbg).

[screenshot: image-20201227171501557]

[screenshot: image-20201227171547573]

Setting eip to address F66C is enough.

[screenshot: image-20201227171652779]

no-strings-attached

[screenshot: image-20201229183850954]

The decrypt function is called here; set a breakpoint on it.

[screenshot: image-20201229184011691]

Step one instruction and inspect the value in eax.

[screenshot: image-20201229184044528]

getit

#include <cstring>
#include <iostream>
using namespace std;

// The 32-character string the binary builds before its decode loop
char s[] = "c61b68366edeb7bdce3c6820314b7498";
// Flag buffer as it appears in the decompiler; the decoded characters are
// written from offset 9 onwards, right after "harifCTF{"
char t[] = "harifCTF{????????????????????????????????}";

int main()
{
    // Characters at even positions are decremented by 1, at odd positions incremented by 1
    for (size_t i = 0; i < strlen(s); ++i)
    {
        int v3 = (i & 1) ? 1 : -1;
        t[i + 9] = s[i] + v3;
    }
    cout << t << endl;
    return 0;
}

Alternatively, debug it dynamically in IDA.

csaw2013reversing2

Running it directly prints garbled output.

[screenshot: image-20201230012542887]

401000 should be the function that decodes the garbled text.

[screenshot: image-20201230012652469]

Change the jnz to a jmp, and nop out the int3.

[screenshot: image-20201230013100328]

Change the jmp loc_4010EF so that it jumps to 4010B9 instead.

[screenshot: image-20201230013216285]

Final result: run it and the flag appears.

[screenshot: image-20201230013250473]
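The two patches above (jnz to jmp, int3 to nop) were applied by hand in the debugger. The script below is an added example, not code from the write-up, that does the same byte-level edits on a code buffer and checks each opcode before touching it; it goes slightly beyond the page by also handling the 6-byte near form of jnz (0F 85 rel32), which has to become a 5-byte jmp plus a nop with the displacement adjusted. The sample bytes and offsets are constructed for illustration and are not the real offsets in the CSAW binary.

```python
# Added example (not from the original write-up): patching jnz -> jmp and int3 -> nop
# on a raw code buffer, with opcode checks so a wrong offset is refused rather than
# silently corrupting the file. Offsets and bytes in SAMPLE are constructed.

JNZ_SHORT, JMP_SHORT = 0x75, 0xEB   # 2-byte short jumps: opcode + rel8
JNZ_NEAR = b"\x0f\x85"              # 6-byte near jnz: 0F 85 rel32
JMP_NEAR = 0xE9                     # 5-byte near jmp: E9 rel32
INT3, NOP = 0xCC, 0x90


def patch_jnz_to_jmp(code: bytearray, off: int) -> bytearray:
    """Turn the jnz at `off` into an unconditional jmp with the same target."""
    if code[off] == JNZ_SHORT:
        code[off] = JMP_SHORT                      # same length, rel8 stays valid
    elif code[off:off + 2] == JNZ_NEAR:
        rel32 = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        # target = end_of_instruction + rel; jmp near is one byte shorter than
        # jnz near, so the displacement grows by 1 and the freed byte becomes a nop
        code[off] = JMP_NEAR
        code[off + 1:off + 5] = (rel32 + 1).to_bytes(4, "little", signed=True)
        code[off + 5] = NOP
    else:
        raise ValueError(f"no jnz at offset {off:#x}: {code[off]:#04x}")
    return code


def nop_int3(code: bytearray, off: int) -> bytearray:
    """Replace an int3 (0xCC) trap with a nop, refusing to touch anything else."""
    if code[off] != INT3:
        raise ValueError(f"no int3 at offset {off:#x}: {code[off]:#04x}")
    code[off] = NOP
    return code


def jump_target(code: bytes, off: int) -> int:
    """Resolve the target offset of the short/near jmp or jnz at `off`."""
    op = code[off]
    if op in (JNZ_SHORT, JMP_SHORT):
        return off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    if op == JMP_NEAR:
        return off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    if code[off:off + 2] == JNZ_NEAR:
        return off + 6 + int.from_bytes(code[off + 2:off + 6], "little", signed=True)
    raise ValueError(f"no jump at offset {off:#x}")


# Constructed sample code (17 bytes), offsets in comments:
SAMPLE = bytes.fromhex(
    "83f800"          # 0x0: cmp eax, 0
    "7505"            # 0x3: jnz short  -> 0x3 + 2 + 5 = 0xA
    "cc"              # 0x5: int3 (anti-debug trap)
    "90909090"        # 0x6: nop x4
    "0f8510000000"    # 0xA: jnz near   -> 0xA + 6 + 0x10 = 0x20
    "c3"              # 0x10: ret
)


def patch_sample() -> bytes:
    """Apply the three patches to a copy of SAMPLE and return the result."""
    code = bytearray(SAMPLE)
    patch_jnz_to_jmp(code, 0x3)
    nop_int3(code, 0x5)
    patch_jnz_to_jmp(code, 0xA)
    return bytes(code)


if __name__ == "__main__":
    print(patch_sample().hex())
```

Checking the jump target before and after each patch is the important part: a near jnz that is blindly overwritten with E9 changes where the jump lands, which is the kind of mistake a debugger's assembler hides from you when you type "jmp" over the instruction.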

Last modification: December 30th, 2020 at 01:48 am