查壳发现是ELF文件,IDA载入,找到main函数,查看反汇编代码
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
__pid_t v3; // eax
size_t v4; // rax
ssize_t v5; // rbx
bool v6; // al
char **argva; // [rsp+0h] [rbp-1D0h]
bool bCheckPtrace; // [rsp+13h] [rbp-1BDh]
ssize_t numRead; // [rsp+18h] [rbp-1B8h]
ssize_t numReada; // [rsp+18h] [rbp-1B8h]
char bufWrite[200]; // [rsp+20h] [rbp-1B0h]
char bufParentRead[200]; // [rsp+F0h] [rbp-E0h]
unsigned __int64 v13; // [rsp+1B8h] [rbp-18h]
argva = (char **)argv;
v13 = __readfsqword(0x28u);
bCheckPtrace = detectDebugging();
if ( pipe(pParentWrite) == -1 )
exit(1);
if ( pipe(pParentRead) == -1 )
exit(1);
v3 = fork();
if ( v3 != -1 )
{
if ( v3 )
{
close(pParentWrite[0]);
close(pParentRead[1]);
while ( 1 )
{
printf("Input key : ", argva);
memset(bufWrite, 0, 0xC8uLL);
gets(bufWrite, 0LL);
v4 = strlen(bufWrite);
v5 = write(pParentWrite[1], bufWrite, v4);
if ( v5 != strlen(bufWrite) )
printf("parent - partial/failed write", bufWrite);
do
{
memset(bufParentRead, 0, 0xC8uLL);
numReada = read(pParentRead[0], bufParentRead, 0xC8uLL);
v6 = bCheckPtrace || checkDebuggerProcessRunning();
if ( v6 )
{
puts("Wrong !!!
");
}
else if ( !checkStringIsNumber(bufParentRead) )
{
puts("Wrong !!!
");
}
else
{
if ( atoi(bufParentRead) )
{
puts("True");
if ( close(pParentWrite[1]) == -1 )
exit(1);
exit(0);
}
puts("Wrong !!!
");
}
}
while ( numReada == -1 );
}
}
close(pParentWrite[1]);
close(pParentRead[0]);
while ( 1 ) /////////
{
memset(bufParentRead, 0, 0xC8uLL);
numRead = read(pParentWrite[0], bufParentRead, 0xC8uLL);
if ( numRead == -1 )
break;
if ( numRead )
{
if ( childCheckDebugResult() )
{
responseFalse();
}
else if ( bufParentRead[0] == '{' ) //第一个字符是 '{'
{
if ( strlen(bufParentRead) == 42 ) //字符串长度为42
{
if ( !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL) ) //第2~11个字符是"53fc275d81"
{
if ( bufParentRead[strlen(bufParentRead) - 1] == '}' ) //最后一个字符是 '}'
{
if ( !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL) ) //第32~41个字符是“4938ae4efd”
{
if ( !confuseKey(bufParentRead, 42) )
{
responseFalse();
}
else if ( !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
{
responseTrue();
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
}
exit(1);
}
exit(1);
}
while(1)上面的代码是检查一些东西的
bufParentRead是输入的字符串
跟着代码走,最后到confuseKey函数,查看代码,找到关键代码
strncpy(szPart1, szKey + 1, 0xAuLL); /*
strncpy(szPart2, szKey + 11, 0xAuLL);
strncpy(szPart3, szKey + 21, 0xAuLL);
strncpy(szPart4, szKey + 31, 0xAuLL);
memset(szKey, 0, iKeyLength);
*szKey = 123;
strcat(szKey, szPart3);
strcat(szKey, szPart4);
strcat(szKey, szPart1);
strcat(szKey, szPart2);
szKey[41] = 125;
return 1;
}
函数作用为:把字符串分为四部分:第2 ~11,12 ~ 21,22 ~ 31,32 ~ 41
然后调换顺序,改为第22 ~ 31,32 ~ 41,2 ~ 11,12 ~ 21
所以只要将daf29f59034938ae4efd53fc275d81053ed5be8c调换顺序即可得到flag