逆向攻防世界CTF系列13-Reversing-x64Elf-100

无壳64位

/*
 * Decompiled entry point: prompts for a password, hands the input buffer to
 * sub_4006FD and prints "Nice!" (exit 0) or "Incorrect password!" (exit 1).
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char s[264]; // [rsp+0h] [rbp-110h] BYREF  -- input buffer; fgets writes at most 254 bytes plus the NUL into it
  unsigned __int64 v5; // [rsp+108h] [rbp-8h]  -- stack-protector canary copy; the matching compare at function exit is not shown in this listing

  v5 = __readfsqword(0x28u); // fs:0x28 is the glibc canary slot
  printf("Enter the password: ");
  if ( !fgets(s, 255, stdin) )
    return 0LL; // EOF or read error: exit quietly with status 0
  // sub_4006FD returns 0 only when all 12 bytes it inspects match; any other value is a reject.
  // Note it does not check the input length, so a password shorter than 12 chars is compared
  // against whatever follows the terminator in s.
  if ( (unsigned int)sub_4006FD(s) )
  {
    puts("Incorrect password!");
    return 1LL;
  }
  else
  {
    puts("Nice!");
    return 0LL;
  }
}

再看看 sub_4006FD：

/*
 * Password check. a1 points at the user's input buffer.
 * For i = 0..11 the byte at a1[i] is compared with a character taken from one
 * of three 7-byte constants: string i % 3, offset 2 * (i / 3) (integer
 * division, so offsets 0, 2, 4, 6 -- only the even positions of each string
 * matter).  The constant character must be exactly input + 1.
 * Returns 1 on the first mismatch, 0 when all 12 bytes match.
 */
__int64 __fastcall sub_4006FD(__int64 a1)
{
  int i; // [rsp+14h] [rbp-24h]
  __int64 v3[4]; // [rsp+18h] [rbp-20h]  -- three string pointers; v3[3] is never set or read

  v3[0] = (__int64)"Dufhbmf";
  v3[1] = (__int64)"pG`imos";
  v3[2] = (__int64)"ewUglpt";
  for ( i = 0; i <= 11; ++i ) {
    // v3[i % 3] cycles through the three strings; 2 * (i / 3) advances two chars every third i.
    // No length check on a1: all 12 bytes are read regardless of where the input's NUL is.
    if ( *(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) != 1 )
      return 1LL; // reject on first mismatching byte
  }
  return 0LL; // every byte matched
}

看样子要求输出 Nice!，那么 sub_4006FD 得返回 0，也就是对每个 i 都有 `*(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) == 1`

即 `*(char *)(v3[i % 3] + 2 * (i / 3)) - 1 == *(char *)(a1 + i)`

结合 v3[0] = (__int64)"Dufhbmf";

可以理解为 v3[i%3] 的第 2*(i/3) 个字符减 1，就等于 a1 的第 i 个字符

a1+i 其实就是地址，`*(char *)(a1 + i)` 就是该地址处的字符

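# Recover the accepted password from the three constants in sub_4006FD.
# The binary requires, for each i in 0..11,
#     v3[i % 3][2 * (i // 3)] - input[i] == 1
# so the expected input byte is that referenced character minus one.
# Only offsets 0, 2, 4, 6 of each string are consulted; the odd offsets
# never influence the comparison.
v3 = ["Dufhbmf", "pG`imos", "ewUglpt"]

# i // 3 mirrors the C integer division `i / 3`; the original int(i / 3)
# went through float division and happened to agree, but is not the idiom.
flag = ''.join(chr(ord(v3[i % 3][2 * (i // 3)]) - 1) for i in range(12))

print(flag)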