關鍵知識點:for匯編
ida64打開:
00400666 55 push rbp
.text:0000000000400667 48 89 E5 mov rbp, rsp
.text:000000000040066A 48 83 EC 30 sub rsp, 30h
.text:000000000040066E 64 48 8B 04 25 28 00 00 00 mov rax, fs:28h
.text:0000000000400677 48 89 45 F8 mov [rbp+var_8], rax ; arg=rax
.text:000000000040067B 31 C0 xor eax, eax ; eax=0
.text:000000000040067D BE C4 07 40 00 mov esi, offset modes ; esi=r
.text:0000000000400682 BF C6 07 40 00 mov edi, offset filename ; "flag"
.text:0000000000400687 E8 C4 FE FF FF call _fopen
.text:0000000000400687
.text:000000000040068C 48 89 45 D8 mov [rbp-28h], rax ; lo1= rax
.text:0000000000400690 48 8B 55 D8 mov rdx, [rbp+stream] ; rdx = lo1
.text:0000000000400694 48 8D 45 E0 lea rax, [rbp-20h] ; rax=addr(lo2)
.text:0000000000400698 48 89 D1 mov rcx, rdx ; stream
.text:000000000040069B BA 14 00 00 00 mov edx, 14h ; n
.text:00000000004006A0 BE 01 00 00 00 mov esi, 1 ; size
.text:00000000004006A5 48 89 C7 mov rdi, rax ; ptr
.text:00000000004006A8 E8 53 FE FF FF call _fread
.text:00000000004006A8
.text:00000000004006AD 48 8B 45 D8 mov rax, [rbp+stream]
.text:00000000004006B1 48 89 C7 mov rdi, rax ; stream
.text:00000000004006B4 E8 57 FE FF FF call _fclose
.text:00000000004006B4
.text:00000000004006B9 C7 45 D4 01 00 00 00 mov [rbp+var_2C], 1 ; lo3=1
.text:00000000004006C0 EB 59 jmp short loc_40071B ; if/while/for
.text:00000000004006C0
.text:00000000004006C2 ; ---------------------------------------------------------------------------
.text:00000000004006C2
.text:00000000004006C2 loc_4006C2: ; CODE XREF: main+B9↓j
.text:00000000004006C2 8B 45 D4 mov eax, [rbp+var_2C] ; eax = lo3 = 1
.text:00000000004006C5 83 E0 01 and eax, 1 ; eax = eax & 1
.text:00000000004006C8 85 C0 test eax, eax ; eax&eax
.text:00000000004006CA 75 24 jnz short loc_4006F0 ; if eax=0 , jmp
.text:00000000004006CA
.text:00000000004006CC 8B 45 D4 mov eax, [rbp+var_2C] ; eax=lo3
.text:00000000004006CF 48 98 cdqe
.text:00000000004006D1 0F B6 44 05 E0 movzx eax, [rbp+rax+ptr] ; eax = [rbp + lo3 +ptr]
.text:00000000004006D6 0F BE C0 movsx eax, al ; edx = al
.text:00000000004006D9 0F AF 45 D4 imul eax, [rbp+var_2C] ; eax * lo3
.text:00000000004006DD 89 C6 mov esi, eax
.text:00000000004006DF BF CB 07 40 00 mov edi, offset format ; "%ld\n"
.text:00000000004006E4 B8 00 00 00 00 mov eax, 0
.text:00000000004006E9 E8 42 FE FF FF call _printf
.text:00000000004006E9
.text:00000000004006EE EB 27 jmp short loc_400717
.text:00000000004006EE
.text:00000000004006F0 ; ---------------------------------------------------------------------------
.text:00000000004006F0
.text:00000000004006F0 loc_4006F0: ; CODE XREF: main+64↑j
.text:00000000004006F0 8B 45 D4 mov eax, [rbp+var_2C] ; eax = lo3 =1
.text:00000000004006F3 48 98 cdqe ; Convert Doubleword to Quadword Extended
.text:00000000004006F5 0F B6 44 05 E0 movzx eax, [rbp+rax+ptr] ; eax = [rbp + lo3 +ptr]
.text:00000000004006FA 0F BE D0 movsx edx, al ; edx = al
.text:00000000004006FD 8B 45 D4 mov eax, [rbp+var_2C] ; eax = lo3
.text:0000000000400700 89 C1 mov ecx, eax ; ecx = lo3
.text:0000000000400702 D3 E2 shl edx, cl ; edx < cl
.text:0000000000400704 89 D0 mov eax, edx ; eax = edx
.text:0000000000400706 89 C6 mov esi, eax ; esi=eax
.text:0000000000400708 BF CB 07 40 00 mov edi, offset format ; "%ld\n"
.text:000000000040070D B8 00 00 00 00 mov eax, 0
.text:0000000000400712 E8 19 FE FF FF call _printf
.text:0000000000400712
.text:0000000000400717
.text:0000000000400717 loc_400717: ; CODE XREF: main+88↑j
.text:0000000000400717 83 45 D4 01 add [rbp+var_2C], 1
.text:0000000000400717
.text:000000000040071B
.text:000000000040071B loc_40071B: ; CODE XREF: main+5A↑j
.text:000000000040071B 83 7D D4 13 cmp [rbp+var_2C], 13h ; if lo3 > 19
.text:000000000040071F 7E A1 jle short loc_4006C2 ; goin content
.text:000000000040071F
.text:0000000000400721 B8 00 00 00 00 mov eax, 0
.text:0000000000400726 48 8B 4D F8 mov rcx, [rbp+var_8]
.text:000000000040072A 64 48 33 0C 25 28 00 00 00 xor rcx, fs:28h
.text:0000000000400733 74 05 jz short locret_40073A
.text:0000000000400733
.text:0000000000400735 E8 E6 FD FF FF call ___stack_chk_fail
.text:0000000000400735
.text:000000000040073A ; ---------------------------------------------------------------------------
.text:000000000040073A
.text:000000000040073A locret_40073A: ; CODE XREF: main+CD↑j
.text:000000000040073A C9 leave
.text:000000000040073B C3 retn
.text:000000000040073B ; } // starts at 400666主要功能:
for ( i = 1; i <= 19; ++i )
{if ( (i & 1) != 0 )printf("%ld\n", (unsigned int)(ptr[i] << i));elseprintf("%ld\n", (unsigned int)(i * ptr[i]));
}for匯編特征:
#1,賦值
mov [rbp+var_2C], 1 ; lo3=1
jmp short loc_40071B ; if/while/for#3,循環內容
loc_4006C2: ; CODE XREF: main+B9↓j
mov eax, [rbp+var_2C]
...#4,累加變量,然后繼續到2
add [rbp+var_2C], 1#2,判斷條件
cmp [rbp+var_2C], 13h ; if lo3 > 19
jle short loc_4006C2還原代碼獲取flag
隨題附件有個output.txt,所以把它當輸入flag文件,更改for中邏輯相反即可:
def main():# Open the file and read line by linewith open("output.txt", "r") as f:i = 1result = ""for line in f: # Loop through each line in the fileptr = line.strip() # Remove any trailing newline charactersvalue = int(ptr) # Convert character to integerprint(value)if value == 0: continueif i % 2 != 0: # If i is oddc = value >> i # Right shift the integer valueelse: # If i is evenc = value // i # Divide the integer value by ii = i + 1result += chr(c)# Print the accumulated result after processing all linesprint(result)
if __name__ == "__main__":main())
詳解)
)