[WMCTF2020]easy_re
簡單輸入flag
但是下斷點后,還沒走幾步就報錯退出了。
確實沒有打印的字符串
main函數也看不懂在干嘛
int __cdecl main(int argc, const char **argv, const char **envp)
{__int64 v4; // r13char v5; // r12__int64 v6; // rax_QWORD *v7; // raxvoid *v8; // r12__int64 v10; // rcx_QWORD *v11; // rdxconst char *v12; // raxint v13; // ebx__int64 v14; // rdivoid *v15; // rdivoid *v16; // rsivoid *Block; // [rsp+40h] [rbp-168h] BYREFCHAR Filename[4]; // [rsp+50h] [rbp-158h] BYREFchar Src[268]; // [rsp+54h] [rbp-154h] BYREFuintptr_t StackCookie; // [rsp+160h] [rbp-48h]StackCookie = qword_4192E8;v4 = argc;v5 = 0;GetModuleFileNameA(0i64, Filename, 0x104u); // 獲取當前模塊名到Filenameif ( *(_DWORD *)Filename == 0x5C3F5C5C ) // Filename前四個字節==0x5c3f5c5cmemmove(Filename, Src, strlen(Src) + 1); // 將Src移動到Filenamev6 = 1i64;if ( (int)v4 > 1 ){while ( strcmp(argv[v6], "--err2out") ){if ( ++v6 >= v4 )goto LABEL_8;}v5 = 4;}
LABEL_8:if ( (unsigned int)opera1(Filename, v5) )return 1;v7 = malloc(8i64 * ((int)v4 + 2));v8 = v7;if ( !v7 ){fprintf(&iob[2], "Panic: Cannot reallocate argv");return 1;}v10 = 1i64;*v7 = *argv; // 重新分配argv數組v7[1] = "--";if ( (int)v4 > 1 ){v11 = v7 + 2;do{v12 = argv[v10++]; // 原始argv復制到新的里面*v11++ = v12;}while ( v10 < v4 );}Block = qword_419A88;v13 = ((__int64 (__fastcall *)(void **, _QWORD, _QWORD, _QWORD, void *, _QWORD, int, _QWORD))opera2)(&Block,0i64,0i64,(unsigned int)(v4 + 1),v8,0i64,1,0i64);opera3((char *)Block);if ( dword_419A78 ) // 清理和釋放資源{opera3((char *)qword_419A88);qword_419A88 = 0i64;if ( qword_419A90 ){v14 = qword_419AB8();qword_419BD0(qword_419A90);qword_419AC8(qword_419A90);qword_419A90 = 0i64;qword_419BD0(v14);}FreeLibrary(hLibModule);hLibModule = 0i64;DeleteCriticalSection(&CriticalSection);dword_419A78 = 0;}v15 = ::Block; // 釋放鏈表節點if ( ::Block ){do{v16 = *(void **)v15;if ( *((_QWORD *)v15 + 1) ){if ( (unsigned int)((__int64 (*)(void))opera4)() )perror("rmtree failed");v15 = ::Block;}free(*((void **)v15 + 1));free(v15);v15 = v16;::Block = v16;}while ( v16 );}free(v8);return v13;
}應該就是要調試的
然后放到x64dbg
re學習筆記(69)WMCTF2020 - easy_re_69re-CSDN博客
看雪那個帖子解壓call有字符串script(解壓call之后出現的字符串可能是他帖子程序的解壓代碼了所以不考慮
所以x64dbg載入,搜索script字符串定位到關鍵位置
在script解密后的call函數下斷點,運行,得到flag。
一般都是在這個里面。
[watevrCTF 2019]Timeout
修改一下后綴
翻到關鍵函數
?
多輸入多輸出預測)
】)
)
