IDA shift+F12搜索flag字符串,定位关键函数
通读代码可得,总共需参加boss游戏三次,eff为bss段int数字,需做三次判断,分别需大于1000000,3000000,5000000
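/*
 * boss - one "boss fight" round, invoked once per day from the game loop.
 *
 * Reads two file-scope globals (the write-up places both in .bss):
 *   bossexist - number of boss fights still to be won, counting 3 -> 2 -> 1
 *   eff       - the player's combat effectiveness
 * The tier is chosen from bossexist and requires eff to be strictly greater
 * than 1000000 / 3000000 / 5000000 respectively; otherwise the process
 * terminates via exit(1).  Because eff is an ordinary writable global, the
 * comparison provides no integrity protection - the write-up simply
 * overwrites it from the debugger before continuing.
 *
 * Side effects: writes to stdout, decrements bossexist, calls the matching
 * decryptN() routine, and may call exit(1).
 *
 * Returns whatever the decryptN() routine that ran returned.
 *
 * This is Hex-Rays output.  The decompiler's original shape
 * (`if (bossexist <= 2) { if (bossexist == 2) ... else { result = bossexist;
 * if (bossexist <= 1) ... } } else ...`) had an inner guard that is always
 * true once bossexist <= 2 && bossexist != 2 holds for an int, so the guard
 * and its dead `result = bossexist` fallback are dropped; the three tiers
 * are otherwise reproduced unchanged.
 */
int boss()
{
    int result; // eax

    if ( bossexist > 2 )
    {
        /* Tier 1: first fight. */
        puts("The dragon appears, its Combat Effectiveness is1000000.");
        if ( eff <= 1000000 )
        {
            printf("You die!");
            exit(1);
        }
        puts("The dragon is beated! flag is partly decrypted...");
        --bossexist;
        /* NOTE(review): the string argument is most likely a stale RDI left
           over from the puts() call above rather than a real parameter -
           confirm against decrypt1's prototype before relying on it. */
        result = decrypt1("The dragon is beated! flag is partlydecrypted...");
    }
    else if ( bossexist == 2 )
    {
        /* Tier 2: second fight. */
        puts("The dragon appears, its Combat Effectiveness is3000000.");
        if ( eff <= 3000000 )
        {
            printf("You die!");
            exit(1);
        }
        puts("The dragon is beated! flag is partly decrypted...");
        --bossexist;
        result = decrypt2();
    }
    else
    {
        /* Tier 3 (bossexist <= 1): final fight, prints the combined flag. */
        puts("The dragon appears, its Combat Effectiveness is5000000.");
        if ( eff <= 5000000 )
        {
            printf("You die!");
            exit(1);
        }
        puts("The dragon is beated! combining flag and print...");
        --bossexist;
        result = decrypt3();
    }
    return result;
}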
GDB动态调试,直接设置eff数值
set {int}0x0000000000603478 = 9000000
x/gx 0x0000000000603478
b boss
可得
Breakpoint 3 at 0x4015de
pwndbg> c
Continuing.
Day 0 , You want to:
+-----------------------+
| 1.battle with slime. |
| 2.battle with boss. |
| 3.go to the shop. |
+-----------------------+
Input the number of your chioce:2
Breakpoint 3, 0x00000000004015de in boss ()
LEGEND: STACK | HEAP | CODE | DATA | RWX |RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x7ffff7fad590◂—0x0
RDI 0x7fffffffdf50 —▸ 0x7ffff7ff0032 (strcmp+82) ◂—out 0xf0, al
RSI 0x0
R8 0x0
R9 0x0
R10 0x1
R11 0x7ffff7f5f3c0◂—0x2000200020002
R12 0x400870 (_start)◂—xor ebp, ebp
R13 0x7fffffffe5b0◂—0x1
R14 0x0
R15 0x0
RBP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RSP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RIP 0x4015de (boss+4)◂—mov eax, dword ptr [rip +0x201e90]
────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
►0x4015de mov eax, dword ptr [rip + 0x201e90]<0x603474>
0x4015e4 cmp eax, 2
0x4015e7 jle boss+103 <0x401641>
0x4015e9 mov edi, 0x401dd0
0x4015ee call puts@plt <0x400770>
0x4015f3 mov eax, dword ptr [rip +0x201e7f] <0x603478>
0x4015f9 cmp eax, 0xf4240
0x4015fe jle boss+78 <0x401628>
0x401600 mov edi, 0x401e10
0x401605 call puts@plt <0x400770>
0x40160a mov eax, dword ptr [rip +0x201e64] <0x603474>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────
00:0000│rbp rsp 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0
(__libc_csu_init) ◂—push r15
01:0008│ 0x7fffffffe488 —▸ 0x4018b9 (dround+171) ◂—jmp 0x4018d9
02:0010│ 0x7fffffffe490◂—0x1
03:0018│ 0x7fffffffe498 —▸ 0x401aed (__libc_csu_init+77) ◂—add rbx, 1
04:0020│ 0x7fffffffe4a0◂—0x200000000
05:0028│ 0x7fffffffe4a8◂—0x7cca280f247ca200
06:0030│ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
07:0038│ 0x7fffffffe4b8 —▸ 0x401a79 (main+57) ◂—jmp 0x401a8f
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────
►f0 4015de boss+4
f1 4018b9 dround+171
f2 401a79 main+57
f3 7ffff7e17bbb __libc_start_main+235
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint boss
pwndbg> set {int}0x0000000000603478 =9000000
LEGEND: STACK | HEAP | CODE | DATA | RWX |RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x7ffff7fad590◂—0x0
RDI 0x7fffffffdf50 —▸ 0x7ffff7ff0032 (strcmp+82) ◂—out 0xf0, al
RSI 0x0
R8 0x0
R9 0x0
R10 0x1
R11 0x7ffff7f5f3c0◂—0x2000200020002
R12 0x400870 (_start)◂—xor ebp, ebp
R13 0x7fffffffe5b0◂—0x1
R14 0x0
R15 0x0
RBP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RSP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RIP 0x4015de (boss+4)◂—mov eax, dword ptr [rip +0x201e90]
────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
►0x4015de mov eax, dword ptr [rip + 0x201e90]<0x603474>
0x4015e4 cmp eax, 2
0x4015e7 jle boss+103 <0x401641>
0x4015e9 mov edi, 0x401dd0
0x4015ee call puts@plt <0x400770>
0x4015f3 mov eax, dword ptr [rip +0x201e7f] <0x603478>
0x4015f9 cmp eax, 0xf4240
0x4015fe jle boss+78 <0x401628>
0x401600 mov edi, 0x401e10
0x401605 call puts@plt <0x400770>
0x40160a mov eax, dword ptr [rip + 0x201e64]<0x603474>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────
00:0000│rbp rsp 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
01:0008│ 0x7fffffffe488 —▸ 0x4018b9 (dround+171) ◂—jmp 0x4018d9
02:0010│ 0x7fffffffe490◂—0x1
03:0018│ 0x7fffffffe498 —▸ 0x401aed (__libc_csu_init+77) ◂—add rbx, 1
04:0020│ 0x7fffffffe4a0◂—0x200000000
05:0028│ 0x7fffffffe4a8◂—0x7cca280f247ca200
06:0030│ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
07:0038│ 0x7fffffffe4b8 —▸ 0x401a79 (main+57) ◂—jmp 0x401a8f
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────
►f0 4015de boss+4
f1 4018b9 dround+171
f2 401a79 main+57
f3 7ffff7e17bbb __libc_start_main+235
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint boss
pwndbg> c
Continuing.
The dragon appears, its CombatEffectiveness is 1000000.
The dragon is beated! flag is partlydecrypted...
Day 1 , You want to:
+-----------------------+
| 1.battle with slime. |
| 2.battle with boss. |
| 3.go to the shop. |
+-----------------------+
Input the number of your chioce:2
Breakpoint 3, 0x00000000004015de in boss ()
LEGEND: STACK | HEAP | CODE | DATA | RWX |RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x7ffff7fad590◂—0x0
RDI 0x7fffffffdf50 —▸ 0x7ffff7ff0032 (strcmp+82) ◂—out 0xf0, al
RSI 0x0
R8 0x0
R9 0x0
R10 0x2
R11 0x7ffff7f5f3c0◂—0x2000200020002
R12 0x400870 (_start)◂—xor ebp, ebp
R13 0x7fffffffe5b0◂—0x1
R14 0x0
R15 0x0
RBP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RSP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RIP 0x4015de (boss+4)◂—mov eax, dword ptr [rip +0x201e90]
────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
►0x4015de mov eax, dword ptr [rip + 0x201e90]<0x603474>
0x4015e4 cmp eax, 2
0x4015e7 jle boss+103 <0x401641>
↓
0x401641 mov eax, dword ptr [rip +0x201e2d] <0x603474>
0x401647 cmp eax, 2
0x40164a jne boss+199 <0x4016a1>
0x40164c mov edi, 0x401e48
0x401651 call puts@plt <0x400770>
0x401656 mov eax, dword ptr [rip + 0x201e1c]<0x603478>
0x40165c cmp eax, 0x2dc6c0
0x401661 jle boss+174 <0x401688>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────
00:0000│rbp rsp 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0
(__libc_csu_init) ◂—push r15
01:0008│ 0x7fffffffe488 —▸ 0x4018b9 (dround+171) ◂—jmp 0x4018d9
02:0010│ 0x7fffffffe490◂—0x1
03:0018│ 0x7fffffffe498◂—0x100401aed
04:0020│ 0x7fffffffe4a0◂—0x200000000
05:0028│ 0x7fffffffe4a8◂—0x7cca280f247ca200
06:0030│ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
07:0038│ 0x7fffffffe4b8 —▸ 0x401a79 (main+57) ◂—jmp 0x401a8f
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────
►f0 4015de boss+4
f1 4018b9 dround+171
f2 401a79 main+57
f3 7ffff7e17bbb __libc_start_main+235
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint boss
pwndbg> x/gx 0x0000000000603478
0x603478 : 0x0000000000895440
pwndbg> c
Continuing.
The dragon appears, its CombatEffectiveness is 3000000.
The dragon is beated! flag is partlydecrypted...
Day 2 , You want to:
+-----------------------+
| 1.battle with slime. |
| 2.battle with boss. |
| 3.go to the shop. |
+-----------------------+
Input the number of your chioce:2
Breakpoint 3, 0x00000000004015de in boss ()
LEGEND: STACK | HEAP | CODE | DATA | RWX |RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x7ffff7fad590◂—0x0
RDI 0x7fffffffdf50 —▸ 0x7ffff7ff0032 (strcmp+82) ◂—out 0xf0, al
RSI 0x0
R8 0x0
R9 0x0
R10 0x2
R11 0x7ffff7f5f3c0◂—0x2000200020002
R12 0x400870 (_start)◂—xor ebp, ebp
R13 0x7fffffffe5b0◂—0x1
R14 0x0
R15 0x0
RBP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RSP 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
RIP 0x4015de (boss+4)◂—mov eax, dword ptr [rip +0x201e90]
────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
►0x4015de mov eax, dword ptr [rip + 0x201e90]<0x603474>
0x4015e4 cmp eax, 2
0x4015e7 jle boss+103 <0x401641>
↓
0x401641 mov eax, dword ptr [rip +0x201e2d] <0x603474>
0x401647 cmp eax, 2
0x40164a jne boss+199 <0x4016a1>
↓
0x4016a1 mov eax, dword ptr [rip +0x201dcd] <0x603474>
0x4016a7 cmp eax, 1
0x4016aa jg boss+295 <0x401701>
0x4016ac mov edi, 0x401e88
0x4016b1 call puts@plt <0x400770>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────
00:0000│rbp rsp 0x7fffffffe480 —▸ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
01:0008│ 0x7fffffffe488 —▸ 0x4018b9 (dround+171) ◂—jmp 0x4018d9
02:0010│ 0x7fffffffe490◂—0x1
03:0018│ 0x7fffffffe498◂— 0x200401aed
04:0020│ 0x7fffffffe4a0◂—0x200000000
05:0028│ 0x7fffffffe4a8◂—0x7cca280f247ca200
06:0030│ 0x7fffffffe4b0 —▸ 0x7fffffffe4d0 —▸ 0x401aa0 (__libc_csu_init) ◂—push r15
07:0038│ 0x7fffffffe4b8 —▸ 0x401a79 (main+57) ◂—jmp 0x401a8f
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────
►f0 4015de boss+4
f1 4018b9 dround+171
f2 401a79 main+57
f3 7ffff7e17bbb __libc_start_main+235
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint boss
pwndbg> c
Continuing.
The dragon appears, its CombatEffectiveness is 5000000.
The dragon is beated! combining flag andprint...
flag{0259-6430-726f077b-5959-bf477a78c83b}[Inferior1 (process 20377) exited with code 01]
flag{0259-6430-726f077b-5959-bf477a78c83b}