攻防世界--dmd-50 攻防世界--dmd-50

测试文件：https://adworld.xctf.org.cn/media/task/attachments/7ef7678559ea46cbb535c0b6835f2f4d

1.准备
文章图片

获取信息

64位文件

2.IDA打开

1 int __cdecl main(int argc, const char **argv, const char **envp) 2 { 3__int64 v3; // rax 4__int64 v4; // rax 5__int64 v5; // rax 6__int64 v6; // rax 7__int64 v7; // rax 8__int64 v8; // rax 9__int64 v9; // rax 10__int64 v10; // rax 11__int64 v11; // rax 12__int64 v12; // rax 13__int64 v13; // rax 14__int64 v14; // rax 15__int64 v15; // rax 16__int64 v16; // rax 17__int64 v17; // rax 18__int64 v18; // rax 19__int64 v19; // rax 20__int64 v20; // rax 21__int64 v21; // rax 22int result; // eax 23__int64 v23; // rax 24__int64 v24; // rax 25__int64 v25; // rax 26__int64 v26; // rax 27__int64 v27; // rax 28__int64 v28; // rax 29__int64 v29; // rax 30__int64 v30; // rax 31__int64 v31; // rax 32__int64 v32; // rax 33__int64 v33; // rax 34__int64 v34; // rax 35__int64 v35; // rax 36__int64 v36; // rax 37__int64 v37; // rax 38char v38; // [rsp+Fh] [rbp-71h] 39char v39; // [rsp+10h] [rbp-70h] 40char v40; // [rsp+20h] [rbp-60h] 41_BYTE *v41; // [rsp+28h] [rbp-58h] 42char v42; // [rsp+30h] [rbp-50h] 43unsigned __int64 v43; // [rsp+68h] [rbp-18h] 44 45v43 = __readfsqword(0x28u); 46std::operator<>(&std::cout, "Enter the valid key!\n", envp); 47std::operator>>>(&edata, &v42); 48std::allocator::allocator(&v38); 49std::string::string(&v39, &v42, &v38); 50md5(&v40, &v39); 51v41 = (_BYTE *)std::string::c_str((std::string *)&v40); 52std::string::~string((std::string *)&v40); 53std::string::~string((std::string *)&v39); 54std::allocator::~allocator(&v38); 55if ( *v41 != '7' 56|| v41[1] != '8' 57|| v41[2] != '0' 58|| v41[3] != '4' 59|| v41[4] != '3' 60|| v41[5] != '8' 61|| v41[6] != 'd' 62|| v41[7] != '5' 63|| v41[8] != 'b' 64|| v41[9] != '6' 65|| v41[10] != 'e' 66|| v41[11] != '2' 67|| v41[12] != '9' 68|| v41[13] != 'd' 69|| v41[14] != 'b' 70|| v41[15] != '0' 71|| v41[16] != '8' 72|| v41[17] != '9' 73|| v41[18] != '8' 74|| v41[19] != 'b' 75|| v41[20] != 'c' 76|| v41[21] != '4' 77|| v41[22] != 'f' 78|| v41[23] != '0' 79|| v41[24] != '2' 80|| v41[25] != '2' 81|| v41[26] != '5' 82|| v41[27] != '9' 83|| v41[28] != '3' 84|| v41[29] != '5' 85|| v41[30] != 'c' 86|| v41[31] != '0' ) 87{ 88v23 = std::operator<>(&std::cout, 'I'); 89v24 = std::operator<>(v23, 'n'); 90v25 = std::operator<>(v24, 'v'); 91v26 = std::operator<>(v25, 'a'); 92v27 = std::operator<>(v26, 'l'); 93v28 = std::operator<>(v27, 'i'); 94v29 = std::operator<>(v28, 'd'); 95v30 = std::operator<>(v29, ' '); 96v31 = std::operator<>(v30, 'K'); 97v32 = std::operator<>(v31, 'e'); 98v33 = std::operator<>(v32, 'y'); 99v34 = std::operator<>(v33, '!'); 100v35 = std::operator<>(v34, ' '); 101v36 = std::operator<>(v35, ':'); 102v37 = std::operator<>(v36, '('); 103std::ostream::operator<<(v37, &std::endl>); 104result = 0; 105} 106else 107{ 108v3 = std::operator<>(&std::cout, 'T'); 109v4 = std::operator<>(v3, 'h'); 110v5 = std::operator<>(v4, 'e'); 111v6 = std::operator<>(v5, ' '); 112v7 = std::operator<>(v6, 'k'); 113v8 = std::operator<>(v7, 'e'); 114v9 = std::operator<>(v8, 'y'); 115v10 = std::operator<>(v9, ' '); 116v11 = std::operator<>(v10, 'i'); 117v12 = std::operator<>(v11, 's'); 118v13 = std::operator<>(v12, ' '); 119v14 = std::operator<>(v13, 'v'); 120v15 = std::operator<>(v14, 'a'); 121v16 = std::operator<>(v15, 'l'); 122v17 = std::operator<>(v16, 'i'); 123v18 = std::operator<>(v17, 'd'); 124v19 = std::operator<>(v18, ' '); 125v20 = std::operator<>(v19, ':'); 126v21 = std::operator<>(v20, ')'); 127std::ostream::operator<<(v21, &std::endl>); 128result = 0; 129} 130return result; 131 }