
[WUSTCTF2020]level1

关键知识点:for汇编

ida64打开:

; main(): fopen("flag", "r"), fread up to 20 bytes into a stack buffer, then for i = 1..19
; print one transformed byte per line with "%ld\n": buf[i] << i for odd i, i * buf[i] for even i.
; The frame carries a stack-protector canary (loaded from fs:28h, verified before leave/retn).
; NOTE: the buffer is never zeroed and the fopen()/fread() results are never checked, so a
; missing or short "flag" file leaves uninitialized stack bytes that the loop still prints.
00400666 55                            push    rbp
.text:0000000000400667 48 89 E5                      mov     rbp, rsp
.text:000000000040066A 48 83 EC 30                   sub     rsp, 30h                        ; 0x30 bytes of locals: canary, stream, i, 20-byte buf
.text:000000000040066E 64 48 8B 04 25 28 00 00 00    mov     rax, fs:28h                     ; load the stack-protector canary
.text:0000000000400677 48 89 45 F8                   mov     [rbp+var_8], rax                ; save canary at [rbp-8]
.text:000000000040067B 31 C0                         xor     eax, eax                        ; eax = 0
.text:000000000040067D BE C4 07 40 00                mov     esi, offset modes               ; mode string ("r")
.text:0000000000400682 BF C6 07 40 00                mov     edi, offset filename            ; "flag"
.text:0000000000400687 E8 C4 FE FF FF                call    _fopen                          ; fopen("flag", "r"); return value is NOT checked for NULL
.text:0000000000400687
.text:000000000040068C 48 89 45 D8                   mov     [rbp-28h], rax                  ; stream = fopen(...)  ([rbp-28h] is the same slot as [rbp+stream])
.text:0000000000400690 48 8B 55 D8                   mov     rdx, [rbp+stream]               ; rdx = stream
.text:0000000000400694 48 8D 45 E0                   lea     rax, [rbp-20h]                  ; rax = &buf  (20 bytes at [rbp-20h], indexed below as [rbp+ptr])
.text:0000000000400698 48 89 D1                      mov     rcx, rdx                        ; stream
.text:000000000040069B BA 14 00 00 00                mov     edx, 14h                        ; n = 0x14 = 20 elements
.text:00000000004006A0 BE 01 00 00 00                mov     esi, 1                          ; size = 1 byte each
.text:00000000004006A5 48 89 C7                      mov     rdi, rax                        ; ptr = buf
.text:00000000004006A8 E8 53 FE FF FF                call    _fread                          ; fread(buf, 1, 20, stream); byte count returned is ignored
.text:00000000004006A8
.text:00000000004006AD 48 8B 45 D8                   mov     rax, [rbp+stream]               ; rax = stream
.text:00000000004006B1 48 89 C7                      mov     rdi, rax                        ; stream
.text:00000000004006B4 E8 57 FE FF FF                call    _fclose                         ; fclose(stream)
.text:00000000004006B4
.text:00000000004006B9 C7 45 D4 01 00 00 00          mov     [rbp+var_2C], 1                 ; i = 1  (loop counter lives at [rbp-2Ch])
.text:00000000004006C0 EB 59                         jmp     short loc_40071B                ; jump to the loop condition first: for-loop shape
.text:00000000004006C0
.text:00000000004006C2                               ; ---------------------------------------------------------------------------
.text:00000000004006C2
.text:00000000004006C2                               loc_4006C2:                             ; CODE XREF: main+B9↓j
.text:00000000004006C2 8B 45 D4                      mov     eax, [rbp+var_2C]               ; eax = i
.text:00000000004006C5 83 E0 01                      and     eax, 1                          ; eax = i & 1  (parity test)
.text:00000000004006C8 85 C0                         test    eax, eax                        ; ZF set when (i & 1) == 0
.text:00000000004006CA 75 24                         jnz     short loc_4006F0                ; (i & 1) != 0, i.e. i odd: take the shift branch
.text:00000000004006CA
.text:00000000004006CC 8B 45 D4                      mov     eax, [rbp+var_2C]               ; even i: eax = i
.text:00000000004006CF 48 98                         cdqe                                    ; rax = (int64) i
.text:00000000004006D1 0F B6 44 05 E0                movzx   eax, [rbp+rax+ptr]              ; eax = (unsigned char) buf[i]
.text:00000000004006D6 0F BE C0                      movsx   eax, al                         ; eax = (signed char) buf[i]
.text:00000000004006D9 0F AF 45 D4                   imul    eax, [rbp+var_2C]               ; eax = buf[i] * i
.text:00000000004006DD 89 C6                         mov     esi, eax                        ; 2nd printf argument (32-bit value)
.text:00000000004006DF BF CB 07 40 00                mov     edi, offset format              ; "%ld\n"
.text:00000000004006E4 B8 00 00 00 00                mov     eax, 0                          ; al = 0: no vector registers used by the varargs call
.text:00000000004006E9 E8 42 FE FF FF                call    _printf                         ; printf("%ld\n", i * buf[i])
.text:00000000004006E9
.text:00000000004006EE EB 27                         jmp     short loc_400717                ; -> increment
.text:00000000004006EE
.text:00000000004006F0                               ; ---------------------------------------------------------------------------
.text:00000000004006F0
.text:00000000004006F0                               loc_4006F0:                             ; CODE XREF: main+64↑j
.text:00000000004006F0 8B 45 D4                      mov     eax, [rbp+var_2C]               ; odd i: eax = i
.text:00000000004006F3 48 98                         cdqe                                    ; rax = (int64) i
.text:00000000004006F5 0F B6 44 05 E0                movzx   eax, [rbp+rax+ptr]              ; eax = (unsigned char) buf[i]
.text:00000000004006FA 0F BE D0                      movsx   edx, al                         ; edx = (signed char) buf[i]
.text:00000000004006FD 8B 45 D4                      mov     eax, [rbp+var_2C]               ; eax = i
.text:0000000000400700 89 C1                         mov     ecx, eax                        ; ecx = i  (shift count is taken from cl)
.text:0000000000400702 D3 E2                         shl     edx, cl                         ; edx = buf[i] << i
.text:0000000000400704 89 D0                         mov     eax, edx                        ; eax = edx
.text:0000000000400706 89 C6                         mov     esi, eax                        ; 2nd printf argument (32-bit value)
.text:0000000000400708 BF CB 07 40 00                mov     edi, offset format              ; "%ld\n"
.text:000000000040070D B8 00 00 00 00                mov     eax, 0                          ; al = 0: no vector registers used by the varargs call
.text:0000000000400712 E8 19 FE FF FF                call    _printf                         ; printf("%ld\n", buf[i] << i)
.text:0000000000400712
.text:0000000000400717
.text:0000000000400717                               loc_400717:                             ; CODE XREF: main+88↑j
.text:0000000000400717 83 45 D4 01                   add     [rbp+var_2C], 1                 ; ++i
.text:0000000000400717
.text:000000000040071B
.text:000000000040071B                               loc_40071B:                             ; CODE XREF: main+5A↑j
.text:000000000040071B 83 7D D4 13                   cmp     [rbp+var_2C], 13h               ; compare i with 19
.text:000000000040071F 7E A1                         jle     short loc_4006C2                ; loop while i <= 19 (buf[0] is never printed)
.text:000000000040071F
.text:0000000000400721 B8 00 00 00 00                mov     eax, 0                          ; return value 0
.text:0000000000400726 48 8B 4D F8                   mov     rcx, [rbp+var_8]                ; reload the saved canary
.text:000000000040072A 64 48 33 0C 25 28 00 00 00    xor     rcx, fs:28h                     ; compare with the live canary
.text:0000000000400733 74 05                         jz      short locret_40073A             ; intact -> return normally
.text:0000000000400733
.text:0000000000400735 E8 E6 FD FF FF                call    ___stack_chk_fail               ; canary mismatch: abort
.text:0000000000400735
.text:000000000040073A                               ; ---------------------------------------------------------------------------
.text:000000000040073A
.text:000000000040073A                               locret_40073A:                          ; CODE XREF: main+CD↑j
.text:000000000040073A C9                            leave
.text:000000000040073B C3                            retn
.text:000000000040073B                               ; } // starts at 400666

主要功能:

/* Walk buf[1..19]: a byte at an odd index is shifted left by its index, a byte
 * at an even index is multiplied by it.  Either result is narrowed to unsigned
 * int and printed with "%ld" (the width mismatch is inherited from the binary
 * and kept as-is). */
for ( i = 1; i <= 19; ++i )
{
    printf("%ld\n", (i & 1) ? (unsigned int)(ptr[i] << i)
                            : (unsigned int)(i * ptr[i]));
}

for汇编特征:

#1,赋值
mov     [rbp+var_2C], 1                 ; lo3=1
jmp     short loc_40071B                ; if/while/for

#3,循环体
loc_4006C2:                             ; CODE XREF: main+B9↓j
mov     eax, [rbp+var_2C] 
...

#4,计数变量自增,然后回到 #2 的判断条件
add     [rbp+var_2C], 1

#2,判断条件
cmp     [rbp+var_2C], 13h               ; if lo3 > 19
jle     short loc_4006C2

还原代码获取flag

题目附件中有一个 output.txt,它就是程序读取 flag 文件后打印出的结果;把它当作输入,并把 for 循环中的运算反过来(奇数下标右移、偶数下标整除)即可还原 flag:

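def _recover_byte(i, value):
    """Invert one printed value back into the original flag byte.

    The binary prints ``ptr[i] << i`` for odd ``i`` and ``i * ptr[i]`` for
    even ``i`` (``i`` is 1-based).  A right shift undoes the former exactly
    and an integer division undoes the latter exactly, so nothing is lost.

    Args:
        i: 1-based index of the line in ``output.txt``.
        value: the integer printed on that line.

    Returns:
        The recovered byte value (0-255 for a well-formed file).
    """
    return value >> i if i % 2 else value // i


def main():
    """Reconstruct the flag from ``output.txt`` and print it.

    ``output.txt`` is the challenge binary's stdout: one integer per line for
    i = 1..19.  Each value is echoed as it is read (kept from the original
    script), inverted with ``_recover_byte`` and appended to ``result``.

    Blank lines are skipped without advancing ``i`` so a trailing newline no
    longer raises ``ValueError`` in ``int()``.  A value of 0 is also skipped
    without advancing ``i`` (kept from the original script; the binary only
    prints 0 for a zero byte, which cannot be a printable flag character).

    Raises:
        FileNotFoundError: if ``output.txt`` is not in the working directory.
        ValueError: if a non-blank line is not an integer.
    """
    with open("output.txt", "r") as f:
        i = 1
        result = ""
        for line in f:
            text = line.strip()  # drop the newline and surrounding whitespace
            if not text:
                # tolerate empty/trailing lines instead of crashing in int()
                continue
            value = int(text)
            print(value)  # echo the raw value, as the original script did
            if value == 0:
                continue
            result += chr(_recover_byte(i, value))
            i += 1

    # Print the accumulated flag after processing all lines
    print(result)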
if __name__ == "__main__":
    # Run the decoder only when executed directly, not when imported.
    main()
