AlexCTF 2017　RE2

原文地址：https://ngaoopmeo.blogspot.com/2017/02/alexctf-2017write-upre2-c-is-awesomed.html

Check file type using file command

译文：使用file命令查看文件属性

re2; ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

So this is a ELF 64-bit file. Let open ida64 and load it

译文：该文件是一个EFL 64位的文件,使用IDA pro 64位打开它

This is pseudo code

译文：伪代码如下：

if ( a1 != 2 )
{
v2 = *(_QWORD *)a2;
LODWORD(v3) = std::operator<<<std::char_traits<char>>(6299968LL, 4198153LL);
LODWORD(v4) = std::operator<<<std::char_traits<char>>(v3, v2);
std::operator<<<std::char_traits<char>>(v4, 4198161LL);
exit(0);
}

a1 is number of parameter. So if number of parameter != 2 program will terminate

译文：al代表参数的个数．如果al不等于2，该程序将退出．

Next

译文：接下来

std::allocator<char>::allocator(&v11);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v10, *(_QWORD *)(a2 + 8), &v11);
std::allocator<char>::~allocator(&v11);
v13 = 0;

that code read string from keyboard to v10

译文：输入的内容存入变量v10

And

译文：并且

v13 = 0;
LODWORD(v5) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v10);
for ( i = v5; ; sub_400D7A((__int64)&i) )
{
LODWORD(v6) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v10);
v12 = v6;
if ( !(unsigned __int8)sub_400D3D(&i, &v12) )
break;
v7 = sub_400D9A((__int64)&i);
if ( *(_BYTE *)v7 != off_6020A0[dword_6020C0[v13]] )
sub_400B56();
++v13;
}

It compare each character in v10 and off_6020A0 [dword_6020C0[v13]]

so maybe flag is off_6020A0[dword_6020C0[v13]] with v13 is len of flag

译文：比较v10和off_6020A0 [dword_6020C0[v13]，可能off_6020A0[dword_6020C0[v13]]是flag的长度

I find off_6020A0 is a string

译文：off_6020A0是一个字符串

内容是

L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t

And dword_6020C0 is an array

译文：dword_6020C0是一个数组．

数组的内容是：

0x24,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B

And here is code to get flag

译文：解出flag的代码如下：

#include <stdio.h>

int main()
{
char *strsample = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
int data[] = {0x24,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B};
for (int i = 0; i < sizeof(data)/sizeof(int); i++)
printf("%c", strsample[data[i]]);
return 0;
}

Flag is ALEXCTF{W3_L0v3_C_W1th_CL45535}

译文：flag为ALEXCTF{W3_L0v3_C_W1th_CL45535}