https://buuoj.cn/challenges#[Zer0pts2020]easy%20strcmp

tar.gz 解压

7z 解压完拉进去发现还是个 tar,再解压,应该是 windows 这边的原因

elf 64

```
./chall zer0pts{********CENSORED********}
Wrong!
```

就说没这么简单嘛

往下翻翻这个函数

找到一处隐藏调用的函数

```c
__int64 __fastcall sub_5621E80006EA(__int64 a1, __int64 a2)
{
  int i; // [rsp+18h] [rbp-8h]
  int v4; // [rsp+18h] [rbp-8h]
  int j; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; *(_BYTE *)(i + a1); ++i )
    ;
  v4 = (i >> 3) + 1;
  for ( j = 0; j < v4; ++j )
    *(_QWORD *)(8 * j + a1) -= qword_5621E8201060[j];
  return qword_5621E8201090(a1, a2);
}
```

```c
_QWORD qword_5621E8201060[5] =
{
  0LL,
  4686632258374338882LL,
  796841318371695088LL,
  5695428477452625963LL,
  0LL
};
```

字符串长度 33,刚好分成 4 组 → 基本类型数据大小

(循环实际执行 v4 = (33 >> 3) + 1 = 5 次,对应表里的 5 项;首尾两项为 0,所以开头的 `zer0pts{` 和结尾的 `}` 不变,只有中间三组各被减去一个 64 位常量。这个函数先对输入做减法,再调用 qword_5621E8201090 处理,所以反过来把常量加到被比较的字符串上,就得到正确的输入。)

小端序

```python
import binascii

str_1 = b"********"
str_2 = b"CENSORED"
str_3 = b"********"

word_1 = 4686632258374338882
word_2 = 796841318371695088
word_3 = 5695428477452625963

bin_1 = int(binascii.b2a_hex(str_1[::-1]), 16)
bin_2 = int(binascii.b2a_hex(str_2[::-1]), 16)
bin_3 = int(binascii.b2a_hex(str_3[::-1]), 16)

j_1 = binascii.a2b_hex(hex(word_1+bin_1)[2:])[::-1]
j_2 = binascii.a2b_hex(hex(word_2+bin_2)[2:])[::-1]
j_3 = binascii.a2b_hex(hex(word_3+bin_3)[2:])[::-1]

print((j_1+j_2+j_3).decode())
```

```
l3ts_m4k3_4_DETOUR_t0d4y
```