[WMCTF2020]easy_re
简单输入flag
但是下断点后,还没走几步就报错退出了。
确实没有打印的字符串
main函数也看不懂在干嘛
/*
 * IDA pseudo-C (x64) of the target's entry point, as pasted from the decompiler.
 *
 * Visible flow: read this module's own path, scan argv for "--err2out", pass the
 * path and the resulting flag to opera1, build a new argv with "--" inserted after
 * argv[0], run opera2 on it, then tear down global state and a global linked list
 * before returning opera2's result.  The shape (rebuild argv, delegate to a worker,
 * remove a tree of files on exit) looks like a loader/unpacker stub — inferred from
 * structure, not proven here.
 *
 * Returns 1 on the two early-failure paths (opera1 non-zero, malloc failure),
 * otherwise whatever opera2 returned (v13).  envp is not used in the visible code.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v4; // r13
  char v5; // r12
  __int64 v6; // rax
  _QWORD *v7; // rax
  void *v8; // r12
  __int64 v10; // rcx
  _QWORD *v11; // rdx
  const char *v12; // rax
  int v13; // ebx
  __int64 v14; // rdi
  void *v15; // rdi
  void *v16; // rsi
  void *Block; // [rsp+40h] [rbp-168h] BYREF
  CHAR Filename[4]; // [rsp+50h] [rbp-158h] BYREF
  char Src[268]; // [rsp+54h] [rbp-154h] BYREF  (directly follows Filename: one 272-byte path buffer split by the decompiler)
  uintptr_t StackCookie; // [rsp+160h] [rbp-48h]
  StackCookie = qword_4192E8; // stack-protector canary copied from a global
  v4 = argc;
  v5 = 0; // flag handed to opera1; stays 0 unless "--err2out" is found
  GetModuleFileNameA(0i64, Filename, 0x104u); // fetch this module's own path into Filename (0x104 == 260 chars)
  if ( *(_DWORD *)Filename == 0x5C3F5C5C ) // first four bytes of Filename == 0x5C3F5C5C, i.e. the bytes "\\?\" read little-endian
    memmove(Filename, Src, strlen(Src) + 1); // Src sits 4 bytes after Filename, so this strips that prefix in place (terminator included)
  v6 = 1i64;
  if ( (int)v4 > 1 )
  {
    while ( strcmp(argv[v6], "--err2out") ) // look for "--err2out" in argv[1..argc-1]
    {
      if ( ++v6 >= v4 )
        goto LABEL_8;
    }
    v5 = 4; // found: this value is what opera1 receives as its second argument
  }
LABEL_8:
  if ( (unsigned int)opera1(Filename, v5) )
    return 1;
  v7 = malloc(8i64 * ((int)v4 + 2)); // argc + 2 pointer slots: argv[0], "--", argv[1..argc-1], plus one spare
  v8 = v7;
  if ( !v7 )
  {
    fprintf(&iob[2], "Panic: Cannot reallocate argv"); // iob[2] is presumably stderr — confirm
    return 1;
  }
  v10 = 1i64;
  *v7 = *argv; // rebuild the argv array
  v7[1] = "--";
  if ( (int)v4 > 1 )
  {
    v11 = v7 + 2;
    do
    {
      v12 = argv[v10++]; // copy the original argv entries into the new array, after "--"
      *v11++ = v12;
    }
    while ( v10 < v4 );
  }
  // NOTE(review): the spare slot v7[argc + 1] is never written here; since the count
  // (v4 + 1) is passed to opera2 explicitly a NULL terminator may not be needed — confirm in opera2.
  Block = qword_419A88; // local copy of a global handle, passed by address so opera2 can update it
  v13 = ((__int64 (__fastcall *)(void **, _QWORD, _QWORD, _QWORD, void *, _QWORD, int, _QWORD))opera2)(
          &Block,
          0i64,
          0i64,
          (unsigned int)(v4 + 1),
          v8,
          0i64,
          1,
          0i64);
  opera3((char *)Block);
  if ( dword_419A78 ) // clean up and release resources (guarded by a global "initialized" flag — inferred from the reset to 0 below)
  {
    opera3((char *)qword_419A88);
    qword_419A88 = 0i64;
    if ( qword_419A90 )
    {
      // These are calls through function pointers held in globals; presumably
      // resolved from the library released by FreeLibrary below — confirm.
      v14 = qword_419AB8();
      qword_419BD0(qword_419A90);
      qword_419AC8(qword_419A90);
      qword_419A90 = 0i64;
      qword_419BD0(v14);
    }
    FreeLibrary(hLibModule);
    hLibModule = 0i64;
    DeleteCriticalSection(&CriticalSection);
    dword_419A78 = 0;
  }
  v15 = ::Block; // free the linked-list nodes (::Block is the file-scope global, distinct from the local Block above)
  if ( ::Block )
  {
    do
    {
      v16 = *(void **)v15; // node layout as used here: next pointer at +0, a heap pointer at +8
      if ( *((_QWORD *)v15 + 1) )
      {
        if ( (unsigned int)((__int64 (*)(void))opera4)() ) // perror text suggests opera4 removes a directory tree — inferred from the message only
          perror("rmtree failed");
        v15 = ::Block; // re-read the list head after opera4; note v16 was taken before this re-read
      }
      free(*((void **)v15 + 1));
      free(v15);
      v15 = v16;
      ::Block = v16;
    }
    while ( v16 );
  }
  free(v8); // the rebuilt argv array
  return v13;
}
应该就是要调试的
然后放到x64dbg
re学习笔记(69)WMCTF2020 - easy_re_69re-CSDN博客
看雪那个帖子解压call有字符串script
(解压call之后出现的字符串可能是他帖子程序的解压代码了,所以不考虑)
所以x64dbg载入,搜索script
字符串定位到关键位置
在script解密后的call函数下断点,运行,得到flag。
一般都是在这个里面。
[watevrCTF 2019]Timeout
修改一下后缀
翻到关键函数