re2-cpp-is-awesome

re2-cpp-is-awesome
下载是ELF文件，直接拖进IDA64找到main函数，找到while（1）里面有两个if语句

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rbx
  __int64 v4; // rax
  __int64 v5; // rdx
  __int64 v6; // rax
  __int64 v7; // rdx
  _BYTE *v8; // rax
  __int64 v10[2]; // [rsp+10h] [rbp-60h] BYREF
  char v11[47]; // [rsp+20h] [rbp-50h] BYREF
  char v12; // [rsp+4Fh] [rbp-21h] BYREF
  __int64 v13; // [rsp+50h] [rbp-20h] BYREF
  int v14; // [rsp+5Ch] [rbp-14h]

  if ( a1 != 2 )
  {
    v3 = *a2;
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Usage: ", a3);
    v6 = std::operator<<<std::char_traits<char>>(v4, v3, v5);
    std::operator<<<std::char_traits<char>>(v6, " flag\n", v7);
    exit(0);
  }
  std::allocator<char>::allocator(&v12, a2, a3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v11, a2[1], &v12);
  std::allocator<char>::~allocator(&v12);
  v14 = 0;
  v10[0] = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(v11);
  while ( 1 )
  {
    v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(v11);
    if ( !(unsigned __int8)sub_400D3D(v10, &v13) )
      break;
    v8 = (_BYTE *)sub_400D9A(v10);
    if ( *v8 != off_6020A0[dword_6020C0[v14]] )
      sub_400B56();
    ++v14;
    sub_400D7A(v10);
  }
  sub_400B73();
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v11);
  return 0LL;
}

查看off_6020A0：以dword_6020C0十六进制字符为索引提取off_6020A0字符串内容

直接写脚本：

off=[0x24,0x00,0x05,0x36,
0x65,0x07,0x27,0x26,
0x2D,0x01,0x03,0x00,
0x0D,0x56,0x01,0x03,
0x65,0x03,0x2D,0x16,
0x02,0x15,0x03,0x65,
0x00,0x29,0x44,0x44,
0x01,0x44,0x2B]
s='L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t'
flag=''
for i in off:
    flag+=s[i]
print(flag)

运行：

ALEXCTF{W3_L0v3_C_W1th_CL45535}