# [CH] Rev C 2 ###### tags:`Writeup` `Reverse` `Chinese` > [name=FlyDragon] ## Step.1 觀察 `output.txt` 以及執行程式碼 可猜測 `flag.exe` 會將flag打亂後輸出 ## Step.2 使用ghidra查看 `main()` 可以發現這個程式會讀入flag.txt、照特定的順序交換後輸出 ![](https://i.imgur.com/ZRqeAbn.png) ![](https://i.imgur.com/2i5qB2F.png) order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9] 不過 for loop 的判斷式是 `local_20 < 0x12` 但 `order[]` 的長度只有 0x11 (少了14),所以在最後補一個零 order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9, 0] ## Step.3 撰寫程式逆推交換順序得到flag ```py= output = list("4_e_foyeXE__ouryCs") order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9, 0] for i in reversed(range(len(order))): temp = output[i] output[i] = output[order[i]] output[order[i]] = temp print("".join(output)) ``` {%hackmd M1bgOPoiQbmM0JRHWaYA1g %}
Last changed by  
LoTuX CTF
287

Read more

[EN] Rev C 2

[name=FlyDragon] Step.1 By observing output.txt and executing the code, it can be inferred that the program flag.exe will output the flag after shuffling it. Step.2 By examining main() using Ghidra, it can be discovered that this program reads in the contents of flag.txt and outputs them after performing specific swaps in a particular order. order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9]

11/1/2023
LoTuX CTF Writeup Dark Theme

LoTuX CTF Writeup Dark Theme Design By Curious

10/2/2023
[EN] Blank Site 2

[name=Curious] Train of Thought & Solution Continuing from the previous question's Writeup, after downloading app.py, you can find the following piece of code: @app.get('/1d538e83d6f6b08f') def secret(): try: with open('/proc/sys/kernel/random/boot_id') as f: hint = f.readline().strip()

9/25/2023
[CH] Blank Site 2

[name=Curious] 思路 承接上一題的 Writeup,在下載 app.py 之後可以看到這樣一段程式碼 @app.get('/1d538e83d6f6b08f') def secret(): try: with open('/proc/sys/kernel/random/boot_id') as f: hint = f.readline().strip()

9/25/2023
Read more from LoTuX CTF
Published on HackMD