getit
IDA查看main函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
v9 = __readfsqword(0x28u);
  for ( i = 0; i < strlen(s); ++i )
  {
    if ( (i & 1) != 0 )
      v3 = 1;
    else
      v3 = -1;
    *(&t + i + 10) = s[i] + v3;
  }
  strcpy(filename, "/tmp/flag.txt");
  stream = fopen(filename, "w");
  fprintf(stream, "%s\n", u);
  for ( j = 0; j < strlen(&t); ++j )
  {
    fseek(stream, p[j], 0);
    fputc(*(&t + p[j]), stream);
    fseek(stream, '\0', 0);
    fprintf(stream, "%s\n", u);
  }
  fclose(stream);
  remove(filename);
  return 0;

看一下s和t的具体数值
s:c61b68366edeb7bdce3c6820314b7498
t:SharifCTF{????????????????????????????????}
在这里插入图片描述

根据main函数写flag提取代码
这边t的长度不能为零,否则会越界报错,但是空间一定要够i+10,否则flag值不全

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
s='c61b68366edeb7bdce3c6820314b7498'
i=0
t=[0]*45   

while i<len(s):
    if i & 1:
        v3=1
    else:
        v3=-1

    t[i+10]=chr(ord(s[i])+v3)
    i=i+1

    print(t)
flag=''
for x in t:
    flag+=x
    print(flag,end='')

1
SharifCTF{b70c59275fcfa8aebf2d5911223c6589}