https://dirtycow.cn/tag/%E9%9D%92%E5%B0%91%E5%B9%B4ctf/ https://dirtycow.cn/198.html 2023-12-20T21:26:00+08:00 思路：拿到题目先查壳image-20231220211157807.png是windows 64为的程序 双击打开，随便输如测试image-20231220211517370.png根据题目名字，推测这是使用mfc框架开发的直接上ida在import中搜索messagebox跟到调用这个函数的地方发现了验证flag的地方v7中存的是加密的flag ^0x87 就能还原flag image-20231220212121416.png直接上脚本exp：encode = [0xE0E6EBE1, 0x0E3E1B6FC, 0x0BEB7B6B2, 0x0B2B1BEE2, 0x0E2B6B6B2, 0x0B3B0B3E2, 0x0E3E3B2E2,0x0B7B7B3E2,0x0B6B0E6B0,0x0FAE1 ] for i in encode: tmp = i.to_bytes(4,'little') for j in tmp: print(chr(j^0x87), end="")flag：flag{1fd5109e965511ee474e5dde4007a71f}