Hitcon-training

git clone https://github.com/scwuaptx/HITCON-Training.git

已有环境,git克隆到当前目录

HITCON

lab1 | 多种解法

若 buf==v2,程序就会做异或并打印 flag;但是 buf 无法被 v2 覆盖,所以无法从输入端控制。不过参与异或的 v54 可以用 char 方式显示:根据小端模式可推知开头是 Do_y,即字节 0x44 0x6F 0x5F 0x79 在内存/栈中读作 32 位整数 0x795f6f44(按整数从高位到低位显示为 y_oD),所以用 python 复原字符串。

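# Rebuild the XOR key from the 32-bit constants shown in the decompiler output.
# Each constant is little-endian, so its lowest byte is the first character:
# 0x795f6f44 -> 44 6f 5f 79 -> "Do_y".
key_dwords = [
    0x795f6f44, 0x6B5F756F, 0x5F776F6E, 0x5F796877,
    0x745F796D, 0x6D6D6165, 0x5F657461, 0x6E61724F,
    0x695F6567, 0x6F735F73, 0x676E615F, 0x3F3F7972,
]

# Shift/mask keeps everything in integers (no float division), and the names
# no longer shadow the builtins `list` and `str`.
key = "".join(
    chr((dword >> shift) & 0xFF)
    for dword in key_dwords
    for shift in (0, 8, 16, 24)
)

# Twelve dwords give 48 characters; the 49-character key used by the C solver
# on this page ends with one more 0x3f ('?'), appended once after the loop.
key += chr(0x3f)
print(key)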

以上是python对字符串的复原,复原即下方的key

#include <stdio.h>
#include <stdlib.h>
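/*
 * Offline solver for lab1: XOR every ciphertext byte with the key byte at the
 * same index and print the resulting characters.
 *
 * The key is the string rebuilt from the binary's constants; the cipher bytes
 * are presumably copied from the same binary (the page does not say where
 * they come from). Because both operands of the XOR are fixed values, the
 * plaintext can be recomputed without ever passing the program's comparison:
 * a static XOR with an embedded key is obfuscation, not protection.
 *
 * Returns 0.
 */
int main(void)
{
    char key[] = "Do_you_know_why_my_teammate_Orange_is_so_angry???";
    char cipher[] = {7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10,
                     0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62,
                     10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33,
                     16, 76, 30, 66};

    /*
     * size_t index: sizeof yields size_t, so an int counter would make the
     * loop condition a signed/unsigned comparison.
     * cipher has 49 bytes and key has 49 characters plus its NUL terminator,
     * so key[i] stays in bounds for every i used here.
     */
    for (size_t i = 0; i < sizeof cipher; i++) {
        putchar(cipher[i] ^ key[i]);
    }

    return 0;
}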

还可以gdb调试