AlexCTF 2017 RE2

原文地址：https://ngaoopmeo.blogspot.com/2017/02/alexctf-2017write-upre2-c-is-awesomed.html
Check file type using file command
译文：使用file命令查看文件属性

re2; ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

So this is a ELF 64-bit file. Let open ida64 and load it
译文：该文件是一个EFL 64位的文件,使用IDA pro 64位打开它
This is pseudo code
译文：伪代码如下：

if ( a1 != 2 )  {    v2 = *(_QWORD *)a2;    LODWORD(v3) = std::operator<<<std::char_traits<char>>(6299968LL, 4198153LL);    LODWORD(v4) = std::operator<<<std::char_traits<char>>(v3, v2);    std::operator<<<std::char_traits<char>>(v4, 4198161LL);    exit(0);  }

a1 is number of parameter. So if number of parameter != 2 program will terminate
译文：al代表参数的个数．如果al不等于2，该程序将退出．
Next
译文：接下来

std::allocator<char>::allocator(&v11);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v10, *(_QWORD *)(a2 + 8), &v11);std::allocator<char>::~allocator(&v11);v13 = 0;

that code read string from keyboard to v10
译文：输入的内容存入变量v10
And
译文：并且

 v13 = 0;  LODWORD(v5) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v10);  for ( i = v5; ; sub_400D7A((__int64)&i) )  {    LODWORD(v6) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v10);    v12 = v6;    if ( !(unsigned __int8)sub_400D3D(&i, &v12) )      break;    v7 = sub_400D9A((__int64)&i);    if ( *(_BYTE *)v7 != off_6020A0[dword_6020C0[v13]] )      sub_400B56();    ++v13;  }

It compare each character in v10 and off_6020A0 [dword_6020C0[v13]]
so maybe flag is off_6020A0[dword_6020C0[v13]] with v13 is len of flag
译文：比较v10和off_6020A0 [dword_6020C0[v13]，可能off_6020A0[dword_6020C0[v13]]是flag的长度
I find off_6020A0 is a string
译文：off_6020A0是一个字符串
内容是

L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t

And dword_6020C0 is an array
译文：dword_6020C0是一个数组．
数组的内容是：

0x24,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B

And here is code to get flag
译文：解出flag的代码如下：

#include <stdio.h>int main(){    char *strsample = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";    int data[] = {0x24,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B};    for (int i = 0; i < sizeof(data)/sizeof(int); i++)        printf("%c", strsample[data[i]]);    return 0;}

Flag is ALEXCTF{W3_L0v3_C_W1th_CL45535}
译文：flag为ALEXCTF{W3_L0v3_C_W1th_CL45535}