64位elf文件

64位ida查看字符串跟进main函数

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{char v3; // al__int64 result; // raxchar v5; // [rsp+7h] [rbp-B9h]signed int i; // [rsp+8h] [rbp-B8h]signed int j; // [rsp+Ch] [rbp-B4h]int v8[14]; // [rsp+10h] [rbp-B0h]int v9; // [rsp+4Ah] [rbp-76h]__int16 v10; // [rsp+4Eh] [rbp-72h]char v11[17]; // [rsp+50h] [rbp-70h]char v12; // [rsp+61h] [rbp-5Fh]unsigned __int64 v13; // [rsp+B8h] [rbp-8h]v13 = __readfsqword(0x28u);printf("input flag:", a2, a3);scanf("%s", v11);v9 = 'ftca';v10 = '{';v5 = 1;for ( i = 0; i <= 4; ++i ){if ( *((_BYTE *)&v9 + i) != v11[i] ){v5 = 0;goto LABEL_6;}}if ( !v5 )goto LABEL_19;
LABEL_6:for ( j = 0; j <= 11; ++j )v8[j] = v11[j + 5];v3 = (unsigned __int8)sub_83A(v8) && v12 == '}' ? 1 : 0;if ( v3 ){printf("That's true! flag is %s", v11);result = 0LL;}else{
LABEL_19:printf("Try another time...");result = 0LL;}return result;
}

上下是判定头字符串的actf{}
主要看sub_83A
ida提示too big function

百度得到只需要修改配置文件IDA\cfg\hexrays.cfg

找到：
MAX_FUNCSIZE            = 64        // Functions over 64K are not decompiled
修改为：
MAX_FUNCSIZE            = 1024        // Functions over 64K are not decompiled

重启ida，让函数再跑一会儿

卡完是一个三千多行的函数

总结：
输入的值经历三千行的变换后等于数组v4的值
逆向是不可能逆向的，直接开始爆破

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int v4[]={126,50,37,88,89,107,53,110,0,19,30,56};
int sub_83A(char *v1,int i)
{*v1 ^= 43u;v1[1] ^= 108u;v1[2] ^= 126u;v1[3] ^= 86u;//略 直接复制源代码就行v1[8] ^= 0x6Bu;v1[9] ^= 0x70u;v1[10] ^= 0x29u;v1[11] ^= 0x3Bu;if(v1[i] == v4[i])return 1;elsereturn 0;
}int main()
{int i,j;char flag[13] = "";char tmp[13] = "";for(i = 0; i < 12 ; i++){for(j = 33; j <= 126 ; j++){strcpy(flag,tmp);flag[i] = j;if(sub_83A(flag,i)){tmp[i] = j;break;}}}printf("actf{%s}\n",tmp);return 0;
}

flag{b0Nf|Re_LiT!}