![[BUUCTF] [Reverse] [GXYCTF2019]luck](http://www.mshxw.com/aiimages/31/295809.png "[BUUCTF] [Reverse] [GXYCTF2019]luck")
ida64反编译,很容易找到核心代码:
unsigned __int64 get_flag()
{
unsigned int v0; // eax
int i; // [rsp+4h] [rbp-3Ch]
int j; // [rsp+8h] [rbp-38h]
__int64 s; // [rsp+10h] [rbp-30h] BYREF
char v5; // [rsp+18h] [rbp-28h]
unsigned __int64 v6; // [rsp+38h] [rbp-8h]
v6 = __readfsqword(0x28u);
v0 = time(0LL);
srand(v0);
for ( i = 0; i <= 4; ++i )
{
switch ( rand() % 200 )
{
case 1:
puts("OK, it's flag:");
memset(&s, 0, 0x28uLL);
strcat((char *)&s, f1);
strcat((char *)&s, &f2);
printf("%s", (const char *)&s);
break;
case 2:
printf("Solar not like you");
break;
case 3:
printf("Solar want a girlfriend");
break;
case 4:
s = 0x7F666F6067756369LL;
v5 = 0;
strcat(&f2, (const char *)&s);
break;
case 5:
for ( j = 0; j <= 7; ++j )
{
if ( j % 2 == 1 )
*(&f2 + j) -= 2;
else
--*(&f2 + j);
}
break;
default:
puts("emmm,you can't find flag 23333");
break;
}
}
return __readfsqword(0x28u) ^ v6;
}
需要注意两个地方,第一个s = 0x7F666F6067756369LL;这儿要注意小端序,因此s是'icug`ofx7F',不是'x7Ffo`guci'。另外,做题时把s当成11个字符了,因此前面又加了一个作为转义。实际上x7F是十六进制,是一个字符,s为8个字符,因此python代码就出来了:
#aa='x7Ffo`guci'
aa='icug`ofx7F'
a=list(aa)
for i in range(8):
if i%2==1:
a[i]=chr(ord(a[i])-2)
else:
a[i]=chr(ord(a[i])-1)
print(''.join(a))
得到结果hate_me}
此外f1变量在代码中直接赋值为GXY{do_not_,字符串拼接为GXY{do_not_hate_me}
所以flag是flag{do_not_hate_me}
