[dasctf]howtodecompile

上来就是个jumpout

看汇编，这里有问题造成ida无法识别函数边界，将对应的机器码E8改为90

回到函数起始部分，按P重建函数即可显示反汇编代码

int __cdecl main_0(int argc, const char **argv, const char **envp)
{int v3; // eaxint v4; // eaxint v6; // eaxint v7; // eaxchar Destination[20]; // [esp+190h] [ebp-230h] BYREFchar v9[264]; // [esp+1A4h] [ebp-21Ch] BYREFint i; // [esp+2ACh] [ebp-114h]char Str[260]; // [esp+2B8h] [ebp-108h] BYREFv3 = sub_41124E(std::cout, "Welcom to the world of Reverse !");std::ostream::operator<<(v3, sub_411050);v4 = sub_41124E(std::cout, "Can you decompile me ?");std::ostream::operator<<(v4, sub_411050);sub_41124E(std::cout, "GO,input your flag:");sub_4110D7(std::cin, Str);if ( j_strlen(Str) != 28 )return 0;strncpy(Destination, Str, 7u);if ( strncmp(Destination, "DASCTF{", 7u) || Str[27] != 125 )return 0;strncpy(v9, Str, 0x1Cu);for ( i = 0; i < 28; ++i ){v9[i] ^= 0x24u;if ( v9[i] != byte_41DCA0[i] ){v6 = sub_41124E(std::cout, "GG!");std::ostream::operator<<(v6, sub_411050);exit(0);}}v7 = sub_41124E(std::cout, "Oh!You may get it. I need another flag.");std::ostream::operator<<(v7, sub_411050);j_memset(v9, 0, 0x100u);sub_4110D7(std::cin, v9);sub_411550(v9, Str);return 0;
}

解出来是

DASCTF{this_is_a_fake_flag?}

sub_AF1550(v9, Str);为真正flag部分。操作流程类似上面那样nop相关代码。

int __cdecl sub_414A90(char *Source, int a2)
{char v2; // blchar v3; // alchar Destination[264]; // [esp+D0h] [ebp-114h] BYREFint i; // [esp+1D8h] [ebp-Ch]strncpy(Destination, Source, 0x1Cu);for ( i = 0; i < 28; ++i ){v2 = Destination[i];v3 = sub_411127(i);Destination[i] = v2 - v3;if ( Destination[i] != *(char *)(i + a2) )exit(0);}return sub_41124E(std::cout, "Ohhhhhhhhhhhhh, You finally get it");

最里面的类似,但没找到要点，非准确结果如下。dword_41DC30有用。

int __cdecl sub_414F80(int a1)
{int v1; // eaxint v3; // [esp+E8h] [ebp-8h]if ( !IsDebuggerPresent() )return ((v3 - 27436) ^ (dword_41DC30[a1] + v3) ^ 0x23) - v3;v1 = sub_41124E(std::cout, "I know you will come here, Let me pour you a cup of teA.");std::ostream::operator<<(v1, sub_411050);return (a1 ^ 0x99) % 255;
}

wp

dword_AFDC30=[0,0,0,0,0,0,0, 0xDA, 0xE7, 0x6, 0xBD, 0x0, 0xE0,0xB4, 0x2, 0xF6, 0x0, 0x0E,0xF1, 0x0A, 0x0CE, 0, 0xE0, 0xB5, 0, 0xD2, 0xE2, 0]
print(len(dword_AFDC30))for i in range(28):sth=(ord(fake[i])+dword_AFDC30[i])&0xffprint(chr(sth),end='')//DASCTF{NOo0_I'aW_tRu3_F!a9!}