String Processing

Example problem: Cr0ssfun

Load the binary into 64-bit IDA. The check function turns out to do nothing more than compare the input characters, one after another.


Here I simply write a script by hand to recover the flag.

exp

a1=[0]*48
a1[10] = 112
a1[13] = 64
a1[3] = 102
a1[26] = 114
a1[20] = 101
a1[7] = 48
a1[16] = 95
a1[11] = 112
a1[23] = 101
a1[30] = 117
a1[0] = 119
a1[6] = 50
a1[22] = 115
a1[31] = 110
a1[12] = 95
a1[15] = 100
a1[8] = 123
a1[18] = 51
a1[28] = 95
a1[21] = 114
a1[2] = 116
a1[9] = 99
a1[32] = 125
a1[19] = 118
a1[5] = 48
a1[14] = 110
a1[4] = 50
a1[17] = 114
a1[29] = 102
a1[17] = 114
a1[24] = 95
a1[1] = 99
a1[25] = 64
a1[27] = 101
# Print every assigned byte in index order to get the flag
for i in range(48):
    if a1[i] != 0:
        print(chr(a1[i]), end='')


An expert's exp

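Copy the conditions out of IDA, keeping the copied format as consistent as possible (for example, always leaving one space after each item) so that the later string processing is easier. The result:

[Screenshot: the conditions as copied from IDA]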

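Once we have this string, we can start processing it. First save the text to a file named ".examp.txt". Note that assigning it directly to a Python string does not work, because it contains many line breaks: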

# Read the copied conditions from the file and strip the line breaks
with open(".examp.txt") as file:
    mystr = file.read()
print(mystr.replace("\n", ""))

Result:

a1[10] == 112      && a1[13] == 64      && a1[3] == 102      && a1[26] == 114      && a1[20] == 101   && a1[7] == 48      && a1[16] == 95      && a1[11] == 112      && a1[23] == 101      && a1[30] == 117      && *a1 == 119 && a1[6] == 50 && a1[22] == 115 && a1[31] == 110 && a1[12] == 95     && a1[15] == 100      && a1[8] == 123      && a1[18] == 51      && a1[28] == 95      && a1[21] == 114 && a1[2] == 116      && a1[9] == 99      && a1[32] == 125      && a1[19] == 118      && a1[5] == 48      && a1[14] == 110    && a1[4] == 50 && a1[17] == 114 && a1[29] == 102 && a1[17] == 114 && a1[24] == 95 && a1[1] == 99 && a1[25] == 64 && a1[27] == 101

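As you can see, it is still not well aligned. Because the format we copied was fairly consistent, each indent we see is actually made up of six spaces, so we use replace to turn each indent into a single space and keep the format uniform: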

with open(".examp.txt") as file:
    mystr = file.read()
mystr = mystr.replace("\n", "")
# Collapse each six-space indent into a single space
print(mystr.replace("      ", " "))

Result:

a1[10] == 112 && a1[13] == 64 && a1[3] == 102 && a1[26] == 114 && a1[20] == 101   && a1[7] == 48 && a1[16] == 95 && a1[11] == 112 && a1[23] == 101 && a1[30] == 117      && *a1 == 119 && a1[6] == 50 && a1[22] == 115 && a1[31] == 110 && a1[12] == 95     && a1[15] == 100 && a1[8] == 123 && a1[18] == 51 && a1[28] == 95 && a1[21] == 114 && a1[2] == 116 && a1[9] == 99 && a1[32] == 125 && a1[19] == 118 && a1[5] == 48 && a1[14] == 110     && a1[4] == 50 && a1[17] == 114 && a1[29] == 102 && a1[17] == 114 && a1[24] == 95 && a1[1] == 99 && a1[25] == 64 && a1[27] == 101

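The result is now fairly suitable for string processing, but before that we can do one more small step: replace every " == " with "=" and every " && " with "&", so that split does not leave behind extra pieces that are awkward to handle. The replacement function is again replace, used the same way as above. Once the replacements are done, we can process the string and obtain the final flag.

After this last step, the string is: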

a1[10]=112&a1[13]=64&a1[3]=102&a1[26]=114&a1[20]=101&a1[7]=48&a1[16]=95&a1[11]=112&a1[23]=101&a1[30]=117&*a1=119&a1[6]=50&a1[22]=115&a1[31]=110&a1[12]=95&a1[15]=100&a1[8]=123&a1[18]=51&a1[28]=95&a1[21]=114&a1[2]=116&a1[9]=99&a1[32]=125&a1[19]=118&a1[5]=48&a1[14]=110&a1[4]=50&a1[17]=114&a1[29]=102&a1[17]=114&a1[24]=95&a1[1]=99&a1[25]=64&a1[27]=101

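I originally counted with mystr.count("=") and got 34 elements, but it turns out a1[17] is assigned twice; we can use in to check whether an index already exists.
Putting it all together, the code is as follows: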
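The following is an added example, not the original author's script: it parses the condition text directly with a regular expression, so the irregular spacing and line breaks need no manual replace steps, maps `*a1` to index 0, and uses `in` to detect the repeated a1[17]. The names `CONDITION`, `TERM` and `recover_flag` are assumptions introduced for illustration, and the sample text is reconstructed from the output shown above with line breaks re-inserted.

```python
import re

# Constructed sample: the check() condition from the page, with line breaks
# and uneven spacing left in on purpose (as it would come out of IDA).
CONDITION = """
a1[10] == 112      && a1[13] == 64      && a1[3] == 102      && a1[26] == 114      && a1[20] == 101
   && a1[7] == 48      && a1[16] == 95      && a1[11] == 112      && a1[23] == 101      && a1[30] == 117
      && *a1 == 119 && a1[6] == 50 && a1[22] == 115 && a1[31] == 110 && a1[12] == 95
     && a1[15] == 100      && a1[8] == 123      && a1[18] == 51      && a1[28] == 95      && a1[21] == 114
 && a1[2] == 116      && a1[9] == 99      && a1[32] == 125      && a1[19] == 118      && a1[5] == 48
    && a1[14] == 110 && a1[4] == 50 && a1[17] == 114 && a1[29] == 102 && a1[17] == 114
 && a1[24] == 95 && a1[1] == 99 && a1[25] == 64 && a1[27] == 101
"""

# One comparison term: either "*a1 == N" (no index group) or "a1[i] == N".
TERM = re.compile(r"(?:\*a1|a1\[(\d+)\])\s*==\s*(\d+)")


def recover_flag(condition):
    """Rebuild the checked string from a chain of a1[i] == N comparisons."""
    values = {}
    for idx, val in TERM.findall(condition):
        i = int(idx) if idx else 0          # "*a1" is the same as a1[0]
        c = int(val)
        # A repeated index (a1[17] here) is harmless only if it agrees.
        if i in values and values[i] != c:
            raise ValueError(f"conflicting constraints for a1[{i}]")
        values[i] = c
    if not values:
        raise ValueError("no comparison terms found")
    # Every position up to the highest index must be constrained,
    # otherwise the recovered string would silently have a hole in it.
    missing = [i for i in range(max(values) + 1) if i not in values]
    if missing:
        raise ValueError(f"unconstrained indices: {missing}")
    return "".join(chr(values[i]) for i in sorted(values))


if __name__ == "__main__":
    print(len(TERM.findall(CONDITION)), "terms")   # counts the duplicate too
    print(recover_flag(CONDITION))
```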

Updated: 2024-07-29 14:40:21
Original: https://www.yuque.com/chaye-apqbl/vsc85q/ew2yuwbyt38kgz2d


http://example.com/2026/01/19/RE/例题/NSSCTF/字符串处理/
Author
chaye
Posted on
January 19, 2026