
[LACTF2024] aplet321

Decompiled src / Analysis

  • fgets를 통해 s 변수에 최대 512바이트 입력받음 (NUL 종료 문자 포함이므로 실제 입력은 최대 511바이트이며, s는 568바이트라 버퍼 오버플로는 발생하지 않음)
  • strncmp를 통해 pretty 문자열의 개수가 v6, please 문자열의 개수가 v5에 저장됨
  • 조건 충족 필요: v6 + v5 == 0x36 && v6 - v5 == -0x18u (10진수로 v6 + v5 = 54, v6 - v5 = -24)
  • v6 = 15, v5 = 39, 즉 flag 문자열과 함께 pretty 15번과 please 39번 들어가야함
/*
 * Decompiler output for main() of the LA CTF 2024 "aplet321" binary.
 *
 * Reads one line from stdin, counts the start offsets at which the line
 * matches "pretty" (v6) and "please" (v5), and runs `cat flag.txt` only when
 * the line also contains "flag" and the two counts pass the arithmetic check
 * below. Every path returns 0.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char *v3; // rbx
  size_t v4; // rax
  int v5; // ebp
  int v6; // r12d
  char *v7; // r15
  char s[568]; // [rsp+10h] [rbp-238h] BYREF

  // v3 is the scan cursor; it starts at the beginning of the input buffer.
  v3 = s;
  setbuf(stdout, 0);
  puts("hi, i'm aplet321. how can i help?");
  // Bounded read: at most 511 characters plus the NUL terminator go into the
  // 568-byte buffer, so this call cannot overflow s. The return value is not
  // checked; if fgets() stores nothing (EOF or error), s is still
  // uninitialized and the strlen() below reads indeterminate bytes.
  fgets(s, 512, stdin);
  v4 = strlen(s);
  // Fewer than 6 characters cannot hold either 6-byte keyword: "so rude".
  if ( v4 <= 5 )
    goto LABEL_10;
  v5 = 0;
  v6 = 0;
  // End pointer for the scan: s + (v4 - 5), i.e. one past the last start
  // offset at which a full 6-byte window still lies inside the string.
  v7 = &s[(unsigned int)(v4 - 6) + 1];
  // Slide the cursor one byte at a time. Each comparison yields 1 on a match
  // and 0 otherwise, so v6 and v5 end up as match counts.
  do
  {
    v6 += strncmp(v3, "pretty", 6u) == 0;
    v5 += strncmp(v3++, "please", 6u) == 0;
  }
  while ( v3 != v7 );
  // At least one "please" is required; otherwise control reaches LABEL_10.
  if ( v5 )
  {
    if ( strstr(s, "flag") )
    {
      // 0x36 is 54. -0x18u is an unsigned constant, so v6 - v5 is converted to
      // unsigned before the comparison; the test holds exactly when
      // v6 - v5 == -24. Both conditions together give v6 == 15 and v5 == 39.
      if ( v6 + v5 == 0x36 && v6 - v5 == -0x18u )
      {
        puts("ok here's your flag");
        // The command is a fixed string literal: no part of the input is
        // passed to the shell. flag.txt is a relative path, so it is looked
        // up in the working directory of the process.
        system("cat flag.txt");
      }
      else
      {
        puts("sorry, i'm not allowed to do that");
      }
    }
    else
    {
      puts("sorry, i didn't understand what you mean");
    }
  }
  else
  {
    // Shared target for "input too short" (the goto above) and "no please".
LABEL_10:
    puts("so rude");
  }
  return 0;
}

solve.py

from pwn import *

# Local solve for the LA CTF 2024 "aplet321" checker: the input line must
# contain "flag" plus the keyword counts the binary's arithmetic test expects.
# context.log_level = 'debug'
context(arch='amd64', os='linux')
warnings.filterwarnings('ignore')

# 15 + 39 == 0x36 and 15 - 39 == -0x18, matching the check in main().
PRETTY_COUNT = 15
PLEASE_COUNT = 39
BANNER = b"hi, i'm aplet321. how can i help?\n"

p = process("./aplet321")

# Short aliases kept from the original template (sa is unused here).
sla = p.sendlineafter
sa = p.sendafter

# 4 + 6*15 + 6*39 = 328 bytes, well inside the 511 characters fgets() accepts.
payload = b"".join([
    b"flag",
    b"pretty" * PRETTY_COUNT,
    b"please" * PLEASE_COUNT,
])
sla(BANNER, payload)

p.interactive()

Result

seo@seo:~/study/LACTF2024/aplet321$ python3 solve.py
[+] Starting local process './aplet321': pid 14118
[*] Switching to interactive mode
ok here's your flag
cat: flag.txt: No such file or directory
[*] Got EOF while reading in interactive
$
[*] Interrupted
[*] Process './aplet321' stopped with exit code 0 (pid 14118)