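```python
from idc import get_wide_byte, patch_byte

start_adr = 0x1151
end_adr = 0x3100

# After patching one by hand, a large batch of junk instructions turned up
# further on, so this script handles them all.
for i in range(start_adr, end_adr):
    if get_wide_byte(i) == 0xeb:
        if get_wide_byte(i+1) == 0xff:
            # replace the 0xeb of each "eb ff" pair with a NOP
            patch_byte(i, 0x90)
```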
After patching, the code turns out to be a series of putchar() calls, so a second script extracts the characters they output:
```python
from idc import get_wide_byte

start_adr = 0x1151
end_adr = 0x3100

for i in range(start_adr, end_adr):
    if get_wide_byte(i) == 0xc0:
        # the character sits two bytes after each 0xc0
        print(chr(get_wide_byte(i+2)), end='')
```
Output:
```
ello world! There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,becÿause you have only one life and one chance to do all the things you want to do. May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others'shÿoes.If you feel that it hurts you,it probably hurts the other person, too.
GFÿCTF{u_are2wordy} You find Flag, Congratulation! You didn't find Flag
```
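The two passes above, re-created as an added example that runs without IDA on a constructed byte buffer (it is not the author's script). The instruction layout in `putchar_site` and the sample bytes are assumptions; the printable filter shows one way a stray `ÿ` (0xff) can enter the output, namely when the byte two past a `c0` is the `ff` of the next junk pair.

```python
NOP = 0x90

def strip_junk(code: bytes) -> bytes:
    """Replace the 0xeb of every 'eb ff' pair with a NOP (first pass)."""
    out = bytearray(code)
    for i in range(len(out) - 1):
        if out[i] == 0xEB and out[i + 1] == 0xFF:
            out[i] = NOP
    return bytes(out)

def extract_chars(code: bytes, printable_only: bool) -> str:
    """Collect the byte two past every 0xc0 (second pass)."""
    chars = []
    for i in range(len(code) - 2):
        if code[i] != 0xC0:
            continue
        b = code[i + 2]
        # Optional filter: keep printable ASCII and newline only.
        if printable_only and not (0x20 <= b <= 0x7E or b == 0x0A):
            continue
        chars.append(chr(b))
    return "".join(chars)

def putchar_site(ch: str) -> bytes:
    # Constructed layout (assumption): junk pair, c0, one opcode byte,
    # the character, the rest of a 32-bit immediate, then a call.
    return (b"\xeb\xff\xc0\xbf" + ch.encode("ascii") + b"\x00\x00\x00"
            + b"\xe8\x00\x00\x00\x00")

# Constructed sample: three putchar sites, with one extra junk triple
# ("eb ff c0") placed directly in front of the third.
SAMPLE = (putchar_site("G") + putchar_site("F")
          + b"\xeb\xff\xc0" + putchar_site("C"))

if __name__ == "__main__":
    patched = strip_junk(SAMPLE)
    print(repr(extract_chars(patched, printable_only=False)))
    print(repr(extract_chars(patched, printable_only=True)))
```

Both passes match on raw byte values rather than decoded instructions, so an `eb ff` or `c0` that happens to sit inside an operand or data is hit as well; checking the patched range in the disassembly catches that.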
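```c
    /* For each of the 29 positions, try every printable ASCII character and
       print the one that func_p[i % 5] maps to str1[i]. */
    for (int i = 0; i < 29; ++i) {
        for (int c = 32; c <= 126; ++c) {
            if (func_p[i % 5](c) == str1[i]) {
                putchar(c);
                break;
            }
        }
    }
    return 0;
}
/* IDAPython: dump 29 bytes starting at adr
adr=0x00EFFA1C
for i in range(29):
    temp=get_bytes(adr+i,1)
    print(hex(int.from_bytes(temp,byteorder='little')),end=',')
    #print(temp,end=',')
*/
```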