alexctf-2017：re2-cpp-is-awesome

Posted 2022-01-20 muzishiye

下载附件，为elf文件

在Linux中查看

64位的ELF文件，输入错误的flag时，输出Better luck next time。

 

将文件拖入IDA64，反编译，分析代码

找出图中关键代码

 

跟进sub_400B56函数

void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)

  std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time\\n", a3);
  exit(0);

输出：Better luck next time

进一步确认，if 语句中的判断条件为解题关键。

 

提取 off_6020A0 和 dword_6020C0 中的数据

 

off_6020A0：

 

dword_6020C0：

align 8：8字节对齐，此处不太直观在Hex View跟进。

 

提取结果：

off="L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_FL4G_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
dword = [0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2d, 0x1, 0x3, 0x0, 0xd, 0x56, 0x1,0x3, 0x65, 0x3, 0x2d, 0x16, 0x2, 0x15, 0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2b]

 

编写python代码：

off = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_FL4G_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
dword = [0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2d, 0x1, 0x3, 0x0, 0xd, 0x56, 0x1,
         0x3, 0x65, 0x3, 0x2d, 0x16, 0x2, 0x15, 0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2b]
flag = ""
for i in dword:
    flag += off[i]
print(flag)

 

输出：ALEXCTFW3_L0v3_C_W1th_CL45535

 

解题完毕！

 

收获：了解 align (n) 的相关知识