
BUUCTF--reverse1

Author: 互联网

Test file: https://buuoj.cn/files/81c48295620d635f0c7e35b41efcc52d/b095c2d1-aa44-4e11-9ab5-137f66e1a48c.rar?token=eyJ0ZWFtX2lkIjpudWxsLCJ1c2VyX2lkIjoxOTAzLCJmaWxlX2lkIjoxOTh9.XW-UvA.lZSWlFegUBhf1vfDHms_m_bTpK0

1. Preparation

Information gathered

64-bit file

2. Open in x64dbg

Search for all strings

Open the location of the string marked by the red box (the listing below)

 1 00007FF7F26F18FD | 8945 04                  | mov dword ptr ss:[rbp+4],eax            |
 2 00007FF7F26F1900 | 48:6345 04               | movsxd rax,dword ptr ss:[rbp+4]         |
 3 00007FF7F26F1904 | 48:8985 08010000         | mov qword ptr ss:[rbp+108],rax          |
 4 00007FF7F26F190B | 48:8D0D EEA60000         | lea rcx,qword ptr ds:[7FF7F26FC000]     | 00007FF7F26FC000:"{hello_world}"
 5 00007FF7F26F1912 | E8 8DF8FFFF              | call reverse_1.7FF7F26F11A4             |
 6 00007FF7F26F1917 | 48:8B8D 08010000         | mov rcx,qword ptr ss:[rbp+108]          |
 7 00007FF7F26F191E | 48:3BC8                  | cmp rcx,rax                             |
 8 00007FF7F26F1921 | 77 25                    | ja reverse_1.7FF7F26F1948               |
 9 00007FF7F26F1923 | 48:6345 04               | movsxd rax,dword ptr ss:[rbp+4]         |
10 00007FF7F26F1927 | 48:8D0D D2A60000         | lea rcx,qword ptr ds:[7FF7F26FC000]     | 00007FF7F26FC000:"{hello_world}"
11 00007FF7F26F192E | 0FBE0401                 | movsx eax,byte ptr ds:[rcx+rax]         |
12 00007FF7F26F1932 | 83F8 6F                  | cmp eax,6F                              | 6F:'o'
13 00007FF7F26F1935 | 75 0F                    | jne reverse_1.7FF7F26F1946              |
14 00007FF7F26F1937 | 48:6345 04               | movsxd rax,dword ptr ss:[rbp+4]         |
15 00007FF7F26F193B | 48:8D0D BEA60000         | lea rcx,qword ptr ds:[7FF7F26FC000]     | 00007FF7F26FC000:"{hello_world}"
16 00007FF7F26F1942 | C60401 30                | mov byte ptr ds:[rcx+rax],30            | 30:'0'
17 00007FF7F26F1946 | EB B0                    | jmp reverse_1.7FF7F26F18F8              |
18 00007FF7F26F1948 | 48:8D0D E1830000         | lea rcx,qword ptr ds:[7FF7F26F9D30]     | 00007FF7F26F9D30:"input the flag:"
19 00007FF7F26F194F | E8 7DF8FFFF              | call reverse_1.7FF7F26F11D1             |
20 00007FF7F26F1954 | 48:8D55 28               | lea rdx,qword ptr ss:[rbp+28]           |
21 00007FF7F26F1958 | 48:8D0D C5830000         | lea rcx,qword ptr ds:[7FF7F26F9D24]     | 00007FF7F26F9D24:"%20s"
22 00007FF7F26F195F | E8 2BF9FFFF              | call reverse_1.7FF7F26F128F             |
23 00007FF7F26F1964 | 48:8D0D 95A60000         | lea rcx,qword ptr ds:[7FF7F26FC000]     | 00007FF7F26FC000:"{hello_world}"
24 00007FF7F26F196B | E8 34F8FFFF              | call reverse_1.7FF7F26F11A4             |
25 00007FF7F26F1970 | 4C:8BC0                  | mov r8,rax                              |
26 00007FF7F26F1973 | 48:8D15 86A60000         | lea rdx,qword ptr ds:[7FF7F26FC000]     | 00007FF7F26FC000:"{hello_world}"
27 00007FF7F26F197A | 48:8D4D 28               | lea rcx,qword ptr ss:[rbp+28]           |
28 00007FF7F26F197E | FF15 4CE90000            | call qword ptr ds:[<&strncmp>]          |
29 00007FF7F26F1984 | 85C0                     | test eax,eax                            |
30 00007FF7F26F1986 | 74 0E                    | je reverse_1.7FF7F26F1996               |
31 00007FF7F26F1988 | 48:8D0D 81820000         | lea rcx,qword ptr ds:[7FF7F26F9C10]     | 00007FF7F26F9C10:"wrong flag\n"
32 00007FF7F26F198F | E8 3DF8FFFF              | call reverse_1.7FF7F26F11D1             |
33 00007FF7F26F1994 | EB 0C                    | jmp reverse_1.7FF7F26F19A2              |
34 00007FF7F26F1996 | 48:8D0D F3820000         | lea rcx,qword ptr ds:[7FF7F26F9C90]     | 00007FF7F26F9C90:"this is the right flag!\n"
35 00007FF7F26F199D | E8 2FF8FFFF              | call reverse_1.7FF7F26F11D1             |

2.1 Code analysis

Line 28 of the listing calls strncmp to compare the input string with "{hello_world}", with the length argument (r8, lines 24-25) set to the strlen of that reference string, so "{hello_world}" appears to be our flag.

Looking at the code above "input the flag", this section walks through "{hello_world}" and replaces every 'o' character with '0' (lines 11-16: each byte is compared with 0x6F, 'o', and on a match overwritten with 0x30, '0'). The correct answer is therefore "{hell0_w0rld}".
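A C reconstruction of the two pieces of logic described above, added here as an example and not the challenge's own source: the 'o' to '0' patch loop (listing lines 1-17) and the strncmp check (lines 23-35). The function names and the returned values are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the loop at listing lines 1-17: walk the string and,
 * wherever the byte is 'o' (0x6F), overwrite it with '0' (0x30). The loop
 * leaves for "input the flag:" once the index exceeds strlen() (the 'ja'
 * at line 8), so the terminating NUL is also visited, harmlessly. */
static void patch_o_to_zero(char *s) {
    size_t n = strlen(s);                 /* call at line 5 */
    for (size_t i = 0; i <= n; i++) {     /* exit when i > len */
        if (s[i] == 'o')                  /* cmp eax,6F at line 12 */
            s[i] = '0';                   /* mov byte ptr [rcx+rax],30 at line 16 */
    }
}

/* Emulates the check at lines 23-35:
 * strncmp(input, patched, strlen(patched)) with input read via "%20s".
 * Returns 1 for "this is the right flag!", 0 for "wrong flag". */
int check_flag(const char *input) {
    char expected[] = "{hello_world}";    /* the string at 7FF7F26FC000 */
    patch_o_to_zero(expected);
    return strncmp(input, expected, strlen(expected)) == 0;
}

/* Writes the transformed string, wrapped in flag{...}, into out. */
const char *derive_flag(char *out, size_t outlen) {
    char expected[] = "{hello_world}";
    patch_o_to_zero(expected);
    snprintf(out, outlen, "flag%s", expected);
    return out;
}

int main(void) {
    char buf[32];
    printf("%s\n", derive_flag(buf, sizeof buf)); /* flag{hell0_w0rld} */
    printf("%d\n", check_flag("{hell0_w0rld}"));   /* 1 */
    return 0;
}
```

Because the length passed to strncmp is the length of the reference string, any input that merely starts with "{hell0_w0rld}" also passes the check; the "%20s" read only bounds the input at 20 characters.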

3. Get flag!

flag{hell0_w0rld}

Source: https://www.cnblogs.com/Mayfly-nymph/p/11460950.html