开辟了一块内存空间,然后有两个函数,进入第一个跟一下
将输入的字符串进行异或,后比较, 解一下
y1=[0x23,0x61,0x3e,0x69,0x54,0x41,0x18,0x4d,0x6e,0x3b,0x65,0x53,0x30,0x79,0x45,0x5b] y2=[0x71,0x04,0x61,0x58,0x27,0x1e,0x4b,0x22,0x5e,0x64,0x03,0x26,0x5e,0x17,0x3c,0x7a]; flag="" for i in range(0,len(y1)): flag+=chr(y1[i]^y2[i]) print(flag) print(len(flag))
得出Re_1s_So0_funny!
长度是16
不是flag,看一下函数
这其实是flag的第一部分
将16位flag赋值到12位数组
这其实是一个利用栈溢出漏洞,调用了另一个函数,我们知道了栈溢出后填入的地址是40233D,增地址就是栈溢出后我们输入的第二部分,就是flag的第二部分
跟踪x,找到了调用的这个函数
进入这个函数之后,再输入了一个字符串,进行了base64加密,解密之后得到第三部分flag
WP
import base64 y1=[0x23,0x61,0x3e,0x69,0x54,0x41,0x18,0x4d,0x6e,0x3b,0x65,0x53,0x30,0x79,0x45,0x5b] y2=[0x71,0x04,0x61,0x58,0x27,0x1e,0x4b,0x22,0x5e,0x64,0x03,0x26,0x5e,0x17,0x3c,0x7a]; flag="" for i in range(0,len(y1)): flag+=chr(y1[i]^y2[i]) addr=[0x3d,0x23,0x40] for i in range(len(addr)): flag+=chr(addr[i]) a="YTFzMF9wV24=" print(a.encode()) flag+=base64.b64decode(a.encode()).decode() print(flag)
![BUUCTF [ACTF新生赛2020]outguess 1](https://ucc.alicdn.com/pic/developer-ecology/tycxnpqmgloi4_36a5b44aa5104094b83724a3d0812e89.png?x-oss-process=image/resize,h_160,m_lfit)