由main函数查看相关代码,但是代码中并没有直接的关于flag的信息:
int __cdecl main(int argc, const char **argv, const char **envp)
{
__main();
fill_starbase(&starbase);
print_starbase((int)&starbase);
return 0;
}
void __cdecl fill_starbase(int a1)
{
int i; // [esp+8h] [ebp-10h]
int v2; // [esp+Ch] [ebp-Ch]
v2 = 0;
for ( i = 0; i <= 4; ++i )
{
*(_DWORD *)(a1 + 24 * i) = galaxy_name[i];
*(_DWORD *)(24 * i + a1 + 4) = rand();
*(_DWORD *)(24 * i + a1 + 8) = 0;
*(_DWORD *)(24 * i + a1 + 12) = 0;
*(_DWORD *)(24 * i + a1 + 16) = 24 * (i + 1) + a1;
*(_DWORD *)(a1 + 24 * i + 20) = v2;
v2 = 24 * i + a1;
}
}
int __cdecl print_starbase(int a1)
{
int result; // eax
const char *v2; // edx
int i; // [esp+1Ch] [ebp-Ch]
puts("--------------GALAXY DATABASE-------------");
printf("%10s | %s | %s\n", "Galaxy name", "Existence of life", "Distance from Earth");
result = puts("-------------------------------------------");
for ( i = 0; i <= 4; ++i )
{
if ( *(_DWORD *)(24 * i + a1 + 8) == 1 )
v2 = "INHABITED";
else
v2 = "IS NOT INHABITED";
result = printf("%11s | %17s | %d\n", *(const char **)(24 * i + a1), v2, *(_DWORD *)(24 * i + a1 + 4));
}
return result;
}
注意到print_starbase只是打印了5个galaxy,但galaxy_name有6个元素:
c通过交叉引用,找到了下面的代码:
cpp
int __libc_csu_gala()
{
int result; // eax
sc[0] = off_409014;
sc[3] = &byte_40DAC0;
sc[1] = 31337;
sc[2] = 1;
byte_40DAC0 = off_409004[0][8];
byte_40DAC1 = off_409010[0][7];
byte_40DAC2 = off_409008[0][4];
byte_40DAC3 = off_409004[0][6];
byte_40DAC4 = off_409004[0][1];
byte_40DAC5 = off_409008[0][2];
byte_40DAC6 = 95;
byte_40DAC7 = off_409004[0][8];
byte_40DAC8 = off_409004[0][3];
byte_40DAC9 = off_40900C[0][5];
byte_40DACA = 95;
byte_40DACB = off_409004[0][8];
byte_40DACC = off_409004[0][3];
byte_40DACD = off_409004[0][4];
byte_40DACE = off_409010[0][6];
byte_40DACF = off_409010[0][4];
byte_40DAD0 = off_409004[0][2];
byte_40DAD1 = 95;
byte_40DAD2 = off_409010[0][6];
result = *((unsigned __int8 *)off_409008[0] + 3);
byte_40DAD3 = off_409008[0][3];
byte_40DAD4 = 0;
return result;
}但是上面代码中的result并不是我们要的flag,而是byte_40DAC0数组。解密方法有两种,一种是动态的就是在上面的代码中下断点,另一种是通过静态分析,用python改写上面的代码:
cpp
off_409004 = "Andromeda".encode('utf-8')
off_409008= "Messier".encode('utf-8')
off_40900C = "Sombrero".encode('utf-8')
off_409010 = "Triangulum".encode('utf-8')
off_409014 = "DARK SECRET GALAXY".encode('utf-8')
def __libc_csu_gala():
byte_40DAC = bytearray(21)
byte_40DAC[0] = off_409004[8]
byte_40DAC[1] = off_409010[7]
byte_40DAC[2] = off_409008[4]
byte_40DAC[3] = off_409004[6]
byte_40DAC[4] = off_409004[1]
byte_40DAC[5] = off_409008[2]
byte_40DAC[6] = 95
byte_40DAC[7] = off_409004[8]
byte_40DAC[8] = off_409004[3]
byte_40DAC[9] = off_40900C[5]
byte_40DAC[10] = 95
byte_40DAC[11] = off_409004[8]
byte_40DAC[12] = off_409004[3]
byte_40DAC[13] = off_409004[4]
byte_40DAC[14] = off_409010[6]
byte_40DAC[15] = off_409010[4]
byte_40DAC[16] = off_409004[2]
byte_40DAC[17] = 95
byte_40DAC[18] = off_409010[6]
byte_40DAC[19] = off_409008[3]
byte_40DAC[20] = 0
return byte_40DAC.decode('utf-8')
result = __libc_csu_gala()
print(result)