re题(19)BUUCTF[ACTF新生赛2020]easyre

BUUCTF在线评测 (buuoj.cn)

查下壳，有upx壳 

 

找到主函数，

从for循环了解到flag长度应该是12，将flag的ASCII值作为下标取值，与v4数组比较。很简单，只需要利用v4数组在_data_start__中找位置，就是我们flag的值

int __cdecl main(int argc, const char **argv, const char **envp)
{_BYTE v4[12]; // [esp+12h] [ebp-2Eh] BYREF_DWORD v5[3]; // [esp+1Eh] [ebp-22h]_BYTE v6[5]; // [esp+2Ah] [ebp-16h] BYREFint v7; // [esp+2Fh] [ebp-11h]int v8; // [esp+33h] [ebp-Dh]int v9; // [esp+37h] [ebp-9h]char v10; // [esp+3Bh] [ebp-5h]int i; // [esp+3Ch] [ebp-4h]__main();qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));printf("Please input:");scanf("%s", v6);if ( v6[0] != 65 || v6[1] != 67 || v6[2] != 84 || v6[3] != 70 || v6[4] != 123 || v10 != 125 )return 0;v5[0] = v7;v5[1] = v8;v5[2] = v9;for ( i = 0; i <= 11; ++i ){if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] )//v5数组里存的flag，写脚本的话先以v4数组的字符为目标，在_data_start__里找到目标字符，再用目标字符在_data_start__里的下标加上1减去i就是flagreturn 0;}printf("You are correct!");return 0;
}

v4 = [42,70,39,34,78,44,34,40,73,63,43,64]model = r"}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(" + chr(0x27) + r'&%$# !"'pos = []for i in v4:pos.append(model.find(chr(i))+1)
s = [chr(x + 1) for x in pos]
flag = ''.join(s)
print ('flag{'+flag+'}')
#flag{U9X_1S_W6@T?}

本题用到了upx脱壳，一个简单逻辑分析，用字符串表找下标的方法加密