[WMCTF2020]easy_re
简单输入flag
但是下断点后,还没走几步就报错退出了。
确实没有打印的字符串
main函数也看不懂在干嘛
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // r13
char v5; // r12
__int64 v6; // rax
_QWORD *v7; // rax
void *v8; // r12
__int64 v10; // rcx
_QWORD *v11; // rdx
const char *v12; // rax
int v13; // ebx
__int64 v14; // rdi
void *v15; // rdi
void *v16; // rsi
void *Block; // [rsp+40h] [rbp-168h] BYREF
CHAR Filename[4]; // [rsp+50h] [rbp-158h] BYREF
char Src[268]; // [rsp+54h] [rbp-154h] BYREF
uintptr_t StackCookie; // [rsp+160h] [rbp-48h]
StackCookie = qword_4192E8;
v4 = argc;
v5 = 0;
GetModuleFileNameA(0i64, Filename, 0x104u); // 获取当前模块名到Filename
if ( *(_DWORD *)Filename == 0x5C3F5C5C ) // Filename前四个字节==0x5c3f5c5c
memmove(Filename, Src, strlen(Src) + 1); // 将Src移动到Filename
v6 = 1i64;
if ( (int)v4 > 1 )
{
while ( strcmp(argv[v6], "--err2out") )
{
if ( ++v6 >= v4 )
goto LABEL_8;
}
v5 = 4;
}
LABEL_8:
if ( (unsigned int)opera1(Filename, v5) )
return 1;
v7 = malloc(8i64 * ((int)v4 + 2));
v8 = v7;
if ( !v7 )
{
fprintf(&iob[2], "Panic: Cannot reallocate argv");
return 1;
}
v10 = 1i64;
*v7 = *argv; // 重新分配argv数组
v7[1] = "--";
if ( (int)v4 > 1 )
{
v11 = v7 + 2;
do
{
v12 = argv[v10++]; // 原始argv复制到新的里面
*v11++ = v12;
}
while ( v10 < v4 );
}
Block = qword_419A88;
v13 = ((__int64 (__fastcall *)(void **, _QWORD, _QWORD, _QWORD, void *, _QWORD, int, _QWORD))opera2)(
&Block,
0i64,
0i64,
(unsigned int)(v4 + 1),
v8,
0i64,
1,
0i64);
opera3((char *)Block);
if ( dword_419A78 ) // 清理和释放资源
{
opera3((char *)qword_419A88);
qword_419A88 = 0i64;
if ( qword_419A90 )
{
v14 = qword_419AB8();
qword_419BD0(qword_419A90);
qword_419AC8(qword_419A90);
qword_419A90 = 0i64;
qword_419BD0(v14);
}
FreeLibrary(hLibModule);
hLibModule = 0i64;
DeleteCriticalSection(&CriticalSection);
dword_419A78 = 0;
}
v15 = ::Block; // 释放链表节点
if ( ::Block )
{
do
{
v16 = *(void **)v15;
if ( *((_QWORD *)v15 + 1) )
{
if ( (unsigned int)((__int64 (*)(void))opera4)() )
perror("rmtree failed");
v15 = ::Block;
}
free(*((void **)v15 + 1));
free(v15);
v15 = v16;
::Block = v16;
}
while ( v16 );
}
free(v8);
return v13;
}应该就是要调试的
然后放到x64dbg
re学习笔记(69)WMCTF2020 - easy_re_69re-CSDN博客
看雪那个帖子解压call有字符串script(解压call之后出现的字符串可能是他帖子程序的解压代码了所以不考虑
所以x64dbg载入,搜索script字符串定位到关键位置
在script解密后的call函数下断点,运行,得到flag。
一般都是在这个里面。
[watevrCTF 2019]Timeout
修改一下后缀
翻到关键函数
