新手一枚,如有错误(不足)请指正,谢谢!!
题目链接:BugkuCTF-re-游戏过关
下载地址:点击下载
打开程序,发现要把8个都点亮,每次输入会把输入的数本身和他上一个下一个都改变状态,当所有都变亮,则出现flag
IDA32位载入
然后前往_main_0函数,F5查看伪代码
void main_0()
{
signed int i; // [esp+DCh] [ebp-20h]
int v1; // [esp+F4h] [ebp-8h]
sub_45A7BE(&unk_50B110);
sub_45A7BE(&unk_50B158);
sub_45A7BE(&unk_50B1A0);
sub_45A7BE(&unk_50B1E8);
sub_45A7BE(&unk_50B230);
sub_45A7BE(&unk_50B278);
sub_45A7BE(&unk_50B2C0);
sub_45A7BE(&unk_50B308);
sub_45A7BE("二 |\n");
sub_45A7BE("| by 0x61 |\n");
sub_45A7BE("| |\n");
sub_45A7BE("|------------------------------------------------------|\n");
sub_45A7BE(
"Play a game\n"
"The n is the serial number of the lamp,and m is the state of the lamp\n"
"If m of the Nth lamp is 1,it's on ,if not it's off\n"
"At first all the lights were closed\n");
sub_45A7BE("Now you can input n to change its state\n");
sub_45A7BE(
"But you should pay attention to one thing,if you change the state of the Nth lamp,the state of (N-1)th and (N+1)th w"
"ill be changed too\n");
sub_45A7BE("When all lamps are on,flag will appear\n");
sub_45A7BE("Now,input n \n");
while ( 1 )
{
while ( 1 )
{
sub_45A7BE("input n,n(1-8)\n");
sub_459418();
sub_45A7BE("n=");
sub_4596D4("%d", &v1);
sub_45A7BE("\n");
if ( v1 >= 0 && v1 <= 8 )
break;
sub_45A7BE("sorry,n error,try again\n");
}
if ( v1 )
{
sub_4576D6(v1 - 1);
}
else
{
for ( i = 0; i < 8; ++i )
{
if ( (unsigned int)i >= 9 )
j____report_rangecheckfailure();
byte_532E28[i] = 0;
}
}
j__system("CLS");
sub_458054();
if ( byte_532E28[0] == 1
&& byte_532E28[1] == 1
&& byte_532E28[2] == 1
&& byte_532E28[3] == 1
&& byte_532E28[4] == 1
&& byte_532E28[5] == 1
&& byte_532E28[6] == 1
&& byte_532E28[7] == 1 )
{
sub_457AB4();
}
}
}
不难发现他用1表示亮,0表示暗,当八个都变亮时,执行sub_457AB4()函数
int sub_45E940()
{
signed int i; // [esp+D0h] [ebp-94h]
char v2; // [esp+DCh] [ebp-88h]
char v3; // [esp+DDh] [ebp-87h]
char v4; // [esp+DEh] [ebp-86h]
char v5; // [esp+DFh] [ebp-85h]
char v6; // [esp+E0h] [ebp-84h]
char v7; // [esp+E1h] [ebp-83h]
char v8; // [esp+E2h] [ebp-82h]
char v9; // [esp+E3h] [ebp-81h]
char v10; // [esp+E4h] [ebp-80h]
char v11; // [esp+E5h] [ebp-7Fh]
char v12; // [esp+E6h] [ebp-7Eh]
char v13; // [esp+E7h] [ebp-7Dh]
char v14; // [esp+E8h] [ebp-7Ch]
char v15; // [esp+E9h] [ebp-7Bh]
char v16; // [esp+EAh] [ebp-7Ah]
char v17; // [esp+EBh] [ebp-79h]
char v18; // [esp+ECh] [ebp-78h]
char v19; // [esp+EDh] [ebp-77h]
char v20; // [esp+EEh] [ebp-76h]
char v21; // [esp+EFh] [ebp-75h]
char v22; // [esp+F0h] [ebp-74h]
char v23; // [esp+F1h] [ebp-73h]
char v24; // [esp+F2h] [ebp-72h]
char v25; // [esp+F3h] [ebp-71h]
char v26; // [esp+F4h] [ebp-70h]
char v27; // [esp+F5h] [ebp-6Fh]
char v28; // [esp+F6h] [ebp-6Eh]
char v29; // [esp+F7h] [ebp-6Dh]
char v30; // [esp+F8h] [ebp-6Ch]
char v31; // [esp+F9h] [ebp-6Bh]
char v32; // [esp+FAh] [ebp-6Ah]
char v33; // [esp+FBh] [ebp-69h]
char v34; // [esp+FCh] [ebp-68h]
char v35; // [esp+FDh] [ebp-67h]
char v36; // [esp+FEh] [ebp-66h]
char v37; // [esp+FFh] [ebp-65h]
char v38; // [esp+100h] [ebp-64h]
char v39; // [esp+101h] [ebp-63h]
char v40; // [esp+102h] [ebp-62h]
char v41; // [esp+103h] [ebp-61h]
char v42; // [esp+104h] [ebp-60h]
char v43; // [esp+105h] [ebp-5Fh]
char v44; // [esp+106h] [ebp-5Eh]
char v45; // [esp+107h] [ebp-5Dh]
char v46; // [esp+108h] [ebp-5Ch]
char v47; // [esp+109h] [ebp-5Bh]
char v48; // [esp+10Ah] [ebp-5Ah]
char v49; // [esp+10Bh] [ebp-59h]
char v50; // [esp+10Ch] [ebp-58h]
char v51; // [esp+10Dh] [ebp-57h]
char v52; // [esp+10Eh] [ebp-56h]
char v53; // [esp+10Fh] [ebp-55h]
char v54; // [esp+110h] [ebp-54h]
char v55; // [esp+111h] [ebp-53h]
char v56; // [esp+112h] [ebp-52h]
char v57; // [esp+113h] [ebp-51h]
char v58; // [esp+114h] [ebp-50h]
char v59; // [esp+120h] [ebp-44h]
char v60; // [esp+121h] [ebp-43h]
char v61; // [esp+122h] [ebp-42h]
char v62; // [esp+123h] [ebp-41h]
char v63; // [esp+124h] [ebp-40h]
char v64; // [esp+125h] [ebp-3Fh]
char v65; // [esp+126h] [ebp-3Eh]
char v66; // [esp+127h] [ebp-3Dh]
char v67; // [esp+128h] [ebp-3Ch]
char v68; // [esp+129h] [ebp-3Bh]
char v69; // [esp+12Ah] [ebp-3Ah]
char v70; // [esp+12Bh] [ebp-39h]
char v71; // [esp+12Ch] [ebp-38h]
char v72; // [esp+12Dh] [ebp-37h]
char v73; // [esp+12Eh] [ebp-36h]
char v74; // [esp+12Fh] [ebp-35h]
char v75; // [esp+130h] [ebp-34h]
char v76; // [esp+131h] [ebp-33h]
char v77; // [esp+132h] [ebp-32h]
char v78; // [esp+133h] [ebp-31h]
char v79; // [esp+134h] [ebp-30h]
char v80; // [esp+135h] [ebp-2Fh]
char v81; // [esp+136h] [ebp-2Eh]
char v82; // [esp+137h] [ebp-2Dh]
char v83; // [esp+138h] [ebp-2Ch]
char v84; // [esp+139h] [ebp-2Bh]
char v85; // [esp+13Ah] [ebp-2Ah]
char v86; // [esp+13Bh] [ebp-29h]
char v87; // [esp+13Ch] [ebp-28h]
char v88; // [esp+13Dh] [ebp-27h]
char v89; // [esp+13Eh] [ebp-26h]
char v90; // [esp+13Fh] [ebp-25h]
char v91; // [esp+140h] [ebp-24h]
char v92; // [esp+141h] [ebp-23h]
char v93; // [esp+142h] [ebp-22h]
char v94; // [esp+143h] [ebp-21h]
char v95; // [esp+144h] [ebp-20h]
char v96; // [esp+145h] [ebp-1Fh]
char v97; // [esp+146h] [ebp-1Eh]
char v98; // [esp+147h] [ebp-1Dh]
char v99; // [esp+148h] [ebp-1Ch]
char v100; // [esp+149h] [ebp-1Bh]
char v101; // [esp+14Ah] [ebp-1Ah]
char v102; // [esp+14Bh] [ebp-19h]
char v103; // [esp+14Ch] [ebp-18h]
char v104; // [esp+14Dh] [ebp-17h]
char v105; // [esp+14Eh] [ebp-16h]
char v106; // [esp+14Fh] [ebp-15h]
char v107; // [esp+150h] [ebp-14h]
char v108; // [esp+151h] [ebp-13h]
char v109; // [esp+152h] [ebp-12h]
char v110; // [esp+153h] [ebp-11h]
char v111; // [esp+154h] [ebp-10h]
char v112; // [esp+155h] [ebp-Fh]
char v113; // [esp+156h] [ebp-Eh]
char v114; // [esp+157h] [ebp-Dh]
char v115; // [esp+158h] [ebp-Ch]
sub_45A7BE((int)"done!!! the flag is ");
v59 = 18;
v60 = 64;
v61 = 98;
v62 = 5;
v63 = 2;
v64 = 4;
v65 = 6;
v66 = 3;
v67 = 6;
v68 = 48;
v69 = 49;
v70 = 65;
v71 = 32;
v72 = 12;
v73 = 48;
v74 = 65;
v75 = 31;
v76 = 78;
v77 = 62;
v78 = 32;
v79 = 49;
v80 = 32;
v81 = 1;
v82 = 57;
v83 = 96;
v84 = 3;
v85 = 21;
v86 = 9;
v87 = 4;
v88 = 62;
v89 = 3;
v90 = 5;
v91 = 4;
v92 = 1;
v93 = 2;
v94 = 3;
v95 = 44;
v96 = 65;
v97 = 78;
v98 = 32;
v99 = 16;
v100 = 97;
v101 = 54;
v102 = 16;
v103 = 44;
v104 = 52;
v105 = 32;
v106 = 64;
v107 = 89;
v108 = 45;
v109 = 32;
v110 = 65;
v111 = 15;
v112 = 34;
v113 = 18;
v114 = 16;
v115 = 0;
v2 = 123;
v3 = 32;
v4 = 18;
v5 = 98;
v6 = 119;
v7 = 108;
v8 = 65;
v9 = 41;
v10 = 124;
v11 = 80;
v12 = 125;
v13 = 38;
v14 = 124;
v15 = 111;
v16 = 74;
v17 = 49;
v18 = 83;
v19 = 108;
v20 = 94;
v21 = 108;
v22 = 84;
v23 = 6;
v24 = 96;
v25 = 83;
v26 = 44;
v27 = 121;
v28 = 104;
v29 = 110;
v30 = 32;
v31 = 95;
v32 = 117;
v33 = 101;
v34 = 99;
v35 = 123;
v36 = 127;
v37 = 119;
v38 = 96;
v39 = 48;
v40 = 107;
v41 = 71;
v42 = 92;
v43 = 29;
v44 = 81;
v45 = 107;
v46 = 90;
v47 = 85;
v48 = 64;
v49 = 12;
v50 = 43;
v51 = 76;
v52 = 86;
v53 = 13;
v54 = 114;
v55 = 1;
v56 = 117;
v57 = 126;
v58 = 0;
for ( i = 0; i < 56; ++i )
{
*(&v2 + i) ^= *(&v59 + i);
*(&v2 + i) ^= 0x13u;
}
return sub_45A7BE((int)"%s\n"); // 输出字符串
}
修改一下变量的类型
int sub_45E940()
{
signed int i; // [esp+D0h] [ebp-94h]
char v2[57]; // [esp+DCh] [ebp-88h]
char v3[57]; // [esp+120h] [ebp-44h]
sub_45A7BE((int)"done!!! the flag is ");
v3[0] = 18;
v3[1] = 64;
v3[2] = 98;
v3[3] = 5;
v3[4] = 2;
v3[5] = 4;
v3[6] = 6;
v3[7] = 3;
v3[8] = 6;
v3[9] = 48;
v3[10] = 49;
v3[11] = 65;
v3[12] = 32;
v3[13] = 12;
v3[14] = 48;
v3[15] = 65;
v3[16] = 31;
v3[17] = 78;
v3[18] = 62;
v3[19] = 32;
v3[20] = 49;
v3[21] = 32;
v3[22] = 1;
v3[23] = 57;
v3[24] = 96;
v3[25] = 3;
v3[26] = 21;
v3[27] = 9;
v3[28] = 4;
v3[29] = 62;
v3[30] = 3;
v3[31] = 5;
v3[32] = 4;
v3[33] = 1;
v3[34] = 2;
v3[35] = 3;
v3[36] = 44;
v3[37] = 65;
v3[38] = 78;
v3[39] = 32;
v3[40] = 16;
v3[41] = 97;
v3[42] = 54;
v3[43] = 16;
v3[44] = 44;
v3[45] = 52;
v3[46] = 32;
v3[47] = 64;
v3[48] = 89;
v3[49] = 45;
v3[50] = 32;
v3[51] = 65;
v3[52] = 15;
v3[53] = 34;
v3[54] = 18;
v3[55] = 16;
v3[56] = 0;
v2[0] = 123;
v2[1] = 32;
v2[2] = 18;
v2[3] = 98;
v2[4] = 119;
v2[5] = 108;
v2[6] = 65;
v2[7] = 41;
v2[8] = 124;
v2[9] = 80;
v2[10] = 125;
v2[11] = 38;
v2[12] = 124;
v2[13] = 111;
v2[14] = 74;
v2[15] = 49;
v2[16] = 83;
v2[17] = 108;
v2[18] = 94;
v2[19] = 108;
v2[20] = 84;
v2[21] = 6;
v2[22] = 96;
v2[23] = 83;
v2[24] = 44;
v2[25] = 121;
v2[26] = 104;
v2[27] = 110;
v2[28] = 32;
v2[29] = 95;
v2[30] = 117;
v2[31] = 101;
v2[32] = 99;
v2[33] = 123;
v2[34] = 127;
v2[35] = 119;
v2[36] = 96;
v2[37] = 48;
v2[38] = 107;
v2[39] = 71;
v2[40] = 92;
v2[41] = 29;
v2[42] = 81;
v2[43] = 107;
v2[44] = 90;
v2[45] = 85;
v2[46] = 64;
v2[47] = 12;
v2[48] = 43;
v2[49] = 76;
v2[50] = 86;
v2[51] = 13;
v2[52] = 114;
v2[53] = 1;
v2[54] = 117;
v2[55] = 126;
v2[56] = 0;
for ( i = 0; i < 56; ++i )
{
v2[i] ^= v3[i];
v2[i] ^= 0x13u;
}
return sub_45A7BE((int)"%s\n"); // 输出字符串
}
开始写脚本
#include <stdio.h>
int main(void)
{
signed int i; // [esp+D0h] [ebp-94h]
char v2[57]; // [esp+DCh] [ebp-88h]
char v3[57]; // [esp+120h] [ebp-44h]
v3[0] = 18;
v3[1] = 64;
v3[2] = 98;
v3[3] = 5;
v3[4] = 2;
v3[5] = 4;
v3[6] = 6;
v3[7] = 3;
v3[8] = 6;
v3[9] = 48;
v3[10] = 49;
v3[11] = 65;
v3[12] = 32;
v3[13] = 12;
v3[14] = 48;
v3[15] = 65;
v3[16] = 31;
v3[17] = 78;
v3[18] = 62;
v3[19] = 32;
v3[20] = 49;
v3[21] = 32;
v3[22] = 1;
v3[23] = 57;
v3[24] = 96;
v3[25] = 3;
v3[26] = 21;
v3[27] = 9;
v3[28] = 4;
v3[29] = 62;
v3[30] = 3;
v3[31] = 5;
v3[32] = 4;
v3[33] = 1;
v3[34] = 2;
v3[35] = 3;
v3[36] = 44;
v3[37] = 65;
v3[38] = 78;
v3[39] = 32;
v3[40] = 16;
v3[41] = 97;
v3[42] = 54;
v3[43] = 16;
v3[44] = 44;
v3[45] = 52;
v3[46] = 32;
v3[47] = 64;
v3[48] = 89;
v3[49] = 45;
v3[50] = 32;
v3[51] = 65;
v3[52] = 15;
v3[53] = 34;
v3[54] = 18;
v3[55] = 16;
v3[56] = 0;
v2[0] = 123;
v2[1] = 32;
v2[2] = 18;
v2[3] = 98;
v2[4] = 119;
v2[5] = 108;
v2[6] = 65;
v2[7] = 41;
v2[8] = 124;
v2[9] = 80;
v2[10] = 125;
v2[11] = 38;
v2[12] = 124;
v2[13] = 111;
v2[14] = 74;
v2[15] = 49;
v2[16] = 83;
v2[17] = 108;
v2[18] = 94;
v2[19] = 108;
v2[20] = 84;
v2[21] = 6;
v2[22] = 96;
v2[23] = 83;
v2[24] = 44;
v2[25] = 121;
v2[26] = 104;
v2[27] = 110;
v2[28] = 32;
v2[29] = 95;
v2[30] = 117;
v2[31] = 101;
v2[32] = 99;
v2[33] = 123;
v2[34] = 127;
v2[35] = 119;
v2[36] = 96;
v2[37] = 48;
v2[38] = 107;
v2[39] = 71;
v2[40] = 92;
v2[41] = 29;
v2[42] = 81;
v2[43] = 107;
v2[44] = 90;
v2[45] = 85;
v2[46] = 64;
v2[47] = 12;
v2[48] = 43;
v2[49] = 76;
v2[50] = 86;
v2[51] = 13;
v2[52] = 114;
v2[53] = 1;
v2[54] = 117;
v2[55] = 126;
v2[56] = 0;
for ( i = 0; i < 56; ++i )
{
v2[i] ^= v3[i];
v2[i] ^= 0x13u;
}
puts(v2);
puts(v3);
return 0;
}
可以看到v2就是flag
flag为zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
往期回顾
小白学习笔记(0) CG-CTF-re-3 py交易
小白学习笔记(1) BUUCTF-re xor
小白学习笔记(2)BUUCTF-re-新年快乐
小白学习笔记(3) CG-CT re ReadAsm2
小白学习笔记(4)BUUCTF-re-reverse_1
小白学习笔记(5)BUUCTF-re-内涵软件
小白学习笔记(6)BUUCTF-re-SimpleRev
小白学习笔记(7)BUUCTF-re-rsa
小白学习笔记(8)BUUCTF-re-CrackRTF
小白学习笔记(9)BUUCTF-re-刮开有奖
小白学习笔记(10)BUUCTF-re-Youngter-drive
小白学习笔记(11)BUUCTF-re-reverse3
京公网安备 11010502036488号