rev-basic-2
sub_140001000()
를 보자.
/*
 * Hex-Rays pseudocode of the input check.
 * Walks 0x12 (18) positions, comparing one byte read from a1 + i with the
 * 32-bit value stored at aC + 4*i. Returns 1 when every position matches
 * and 0 at the first mismatch.
 * NOTE(review): a1 is presumably the address of the user-supplied string;
 * the caller is not shown here - confirm via the xrefs to this function.
 */
__int64 __fastcall sub_140001000(__int64 a1)
{
int i; // [rsp+0h] [rbp-18h]
// Loop bound 0x12 == 18 iterations.
for ( i = 0; (unsigned __int64)i < 0x12; ++i )
{
// Left side: DWORD at aC + 4*i (table stride is 4 bytes).
// Right side: a single unsigned input byte, so the two can only be equal
// when the table DWORD holds a value in 0..255, i.e. one character code.
// The expected value is compared as-is, with no hashing or encoding applied.
if ( *(_DWORD *)&aC[4 * i] != *(unsigned __int8 *)(a1 + i) )
return 0i64;
}
return 1i64;
}
for문으로 a1[i]를 한 글자씩 가져와서 aC[4*i]와 비교한다.
- 즉,
aC[4*i]
가 flag다.
; Table referenced by sub_140001000 (see the DATA XREF on aC).
; Each entry is one character followed by a 0 byte, then alignment up to the
; next 4-byte boundary, so entries start at 0x140003000, 0x140003004, ...
; (stride 4). This excerpt ends at 0x140003040, i.e. 17 entries.
; NOTE(review): the alignment gaps are presumably zero-filled, which is what
; lets a DWORD read of an entry equal a single character code - confirm in
; the hex view.
; NOTE(review): the check loop's bound of 0x12 covers one more entry at
; 0x140003044, which is not shown here; presumably the terminating 0.
.data:0000000140003000 _data segment para public 'DATA' use64
.data:0000000140003000 assume cs:_data
.data:0000000140003000 ;org 140003000h
.data:0000000140003000 aC db 'C',0 ; DATA XREF: sub_140001000+28↑o
.data:0000000140003002 align 4
.data:0000000140003004 aO db 'o',0
.data:0000000140003006 align 8
.data:0000000140003008 aM db 'm',0
.data:000000014000300A align 4
.data:000000014000300C aP db 'p',0
.data:000000014000300E align 10h
.data:0000000140003010 a4 db '4',0
.data:0000000140003012 align 4
.data:0000000140003014 aR db 'r',0
.data:0000000140003016 align 8
.data:0000000140003018 aE db 'e',0
.data:000000014000301A align 4
.data:000000014000301C db '_',0
.data:000000014000301E align 20h
.data:0000000140003020 aT db 't',0
.data:0000000140003022 align 4
.data:0000000140003024 db 'h',0
.data:0000000140003026 align 8
.data:0000000140003028 aE_0 db 'e',0
.data:000000014000302A align 4
.data:000000014000302C db '_',0
.data:000000014000302E align 10h
.data:0000000140003030 aA db 'a',0
.data:0000000140003032 align 4
.data:0000000140003034 aR_0 db 'r',0
.data:0000000140003036 align 8
.data:0000000140003038 aR_1 db 'r',0
.data:000000014000303A align 4
.data:000000014000303C a4_0 db '4',0
.data:000000014000303E align 20h
.data:0000000140003040 aY db 'y',0
aC를 확인하면 데이터 영역에 string 형태로 문자가 한 글자씩 4바이트 간격으로 저장된 것을 확인할 수 있다.
데이터 영역에 저장된 값을 모두 모으면 flag를 획득할 수 있다.
필자는 IDA python을 이용해서 문자를 추출하고 flag를 획득했다.
- IDA python: [shift]+F2
import idc
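def extract_byte_array(start_address, length, stride=4):
    """Read one byte from each entry of a fixed-stride table in the IDA database.

    The listing as pasted had lost its indentation and would not run; the
    block structure is restored here. The entry spacing, previously a
    hard-coded 4, is now the optional ``stride`` argument (default 4, so
    existing calls behave as before).

    Args:
        start_address: address of the first table entry.
        length: number of entries to read (not a byte count).
        stride: distance in bytes between consecutive entries.

    Returns:
        A list of ``length`` integers, each the value returned by
        ``idc.get_wide_byte`` for the first byte of an entry.
    """
    # Only the first byte of every entry is read; the bytes between entries
    # are skipped by stepping the address by `stride`.
    return [
        idc.get_wide_byte(start_address + index * stride)
        for index in range(length)
    ]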
# Table base is aC at 0x140003000; 17 entries are read, one per 4-byte slot.
# NOTE(review): the check loop in sub_140001000 runs 0x12 (18) times; the
# 18th entry is presumably the terminating 0 and is deliberately not read here.
flag = extract_byte_array(0x140003000, 17)
# Emit the characters back to back, followed by a single newline.
print(''.join(map(chr, flag)))
DH{Comp4re_the_arr4y}