1.下载附件,exeinfo查壳,无壳

 2.32位IDA分析,进入主函数内

/*
 * Hex-Rays pseudocode of the crackme's main(). The sub_* and v* names are
 * decompiler-generated; sub_403B70 is the only helper whose body appears on
 * this page, so the role of every other helper is inferred from its call
 * site and hedged below.
 *
 * Visible flow: print a prompt, fill v12, require sub_405DE0(v12) == 24,
 * pass each character of v12 to sub_403B70 (which XORs it with 0x14), copy a
 * 24-byte constant into v6, then walk v11 with sub_403BB0 and print "error"
 * on the first zero result, or "good job" if there is none.
 * Every path returns 0.
 *
 * The check is a fixed single-byte XOR against a constant stored in the
 * binary, so the expected input can be recovered offline from the constant.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  int v4; // [esp+5Ch] [ebp-70h]
  char *v5; // [esp+60h] [ebp-6Ch]
  char v6[27]; // [esp+6Ch] [ebp-60h] BYREF
  char v7; // [esp+87h] [ebp-45h]
  char *v8; // [esp+88h] [ebp-44h]
  char *v9; // [esp+8Ch] [ebp-40h]
  char *v10; // [esp+90h] [ebp-3Ch]
  char v11[12]; // [esp+98h] [ebp-34h] BYREF
  char v12[24]; // [esp+A4h] [ebp-28h] BYREF
  int v13; // [esp+C8h] [ebp-4h]

  sub_402930();
  v13 = 0;
  // presumably stream output of the prompt followed by a newline/flush
  // manipulator (same call pair precedes every message) - TODO confirm
  sub_401530((int)&unk_4DDAF8, "please input flag");
  sub_4039B0(sub_402310);
  // presumably reads the user's input into v12 - TODO confirm
  sub_401500(&dword_4DDA80, v12);
  // sub_405DE0 presumably returns the length of v12; any value other than 24
  // takes the "not enought" branch
  if ( sub_405DE0(v12) == 24 )
  {
    // v11 looks like a container that is set up here and torn down by
    // sub_4034E0 on both exits - TODO confirm
    sub_402A20(v11);
    LOBYTE(v13) = 1;
    sub_402570(v11);
    v10 = v12;
    // presumably begin/end pointers over the characters of v12
    v9 = (char *)sub_405270(v12);
    v8 = (char *)sub_4052B0(v12);
    while ( v9 != v8 )
    {
      v7 = *v9;
      // sub_403B70 (listed after main) XORs the character with 0x14; it is
      // __thiscall, and its this argument is not shown at this call site
      sub_403B70(v7);
      ++v9;
    }
    // 24-byte constant; presumably the expected value of the XORed input
    qmemcpy(v6, "rxusoCqxw{yqK`{KZqag{r`i", 24);
    sub_402590(v6);
    // presumably begin/end pointers over v11
    v5 = (char *)sub_405290(v11);
    v4 = sub_4052E0(v11);
    while ( v5 != (char *)v4 )
    {
      // a zero return rejects the input; sub_403BB0 is not shown, presumably
      // a per-character comparison against the constant - TODO confirm
      if ( !(unsigned __int8)sub_403BB0(*v5) )
      {
        sub_401530((int)&unk_4DDAF8, "error");
        sub_4039B0(sub_402310);
        // v13 looks like compiler-generated cleanup state - TODO confirm
        LOBYTE(v13) = 0;
        sub_4034E0(v11);
        v13 = -1;
        sub_403450(v12);
        return 0;
      }
      ++v5;
    }
    // reached only when sub_403BB0 returned non-zero for every element
    sub_401530((int)&unk_4DDAF8, "good job");
    sub_4039B0(sub_402310);
    LOBYTE(v13) = 0;
    sub_4034E0(v11);
    v13 = -1;
    sub_403450(v12);
    result = 0;
  }
  else
  {
    // length check failed; the message text is the binary's own string
    sub_401530((int)&unk_4DDAF8, "not enought");
    sub_4039B0(sub_402310);
    v13 = -1;
    sub_403450(v12);
    result = 0;
  }
  return result;
}
/*
 * Per-character transform called from main's first loop: XORs a2 with 0x14,
 * stores the result in v3[0], passes v3 to sub_406170, then increments the
 * global dword_4DD8F8 and returns its new value.
 * sub_406170 is not shown; presumably it appends the byte to the object
 * referenced by this - TODO confirm.
 */
int __thiscall sub_403B70(void *this, char a2)
{
  char v3[65]; // [esp+Fh] [ebp-45h] BYREF
  void *v4; // [esp+50h] [ebp-4h]

  v4 = this; // saved, but not read again in this listing
  v3[0] = a2 ^ 0x14;// XOR the input character with the fixed key 0x14
  sub_406170(v3); // only v3[0] has been written at this point
  return ++dword_4DD8F8;
}

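 3.最终脚本:sub_403B70 将输入的每个字符与 0x14 异或,处理后的结果应与常量串 rxusoCqxw{yqK`{KZqag{r`i 一致(sub_403BB0 未贴出,推测为逐字节比较)。异或是可逆运算,因此把该常量串再与 0x14 异或一次即可还原 flag。下面先给出 Python 版,再给出等价的 C 版: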

# Ciphertext constant that the decompiled main copies into v6.
s = 'rxusoCqxw{yqK`{KZqag{r`i'
# sub_403B70 XORs every input character with 0x14; XOR with the same key undoes it.
key = 0x14
print(''.join(chr(ord(ch) ^ key) for ch in s), end='')
#include<stdio.h> 
#include<stdlib.h> 
#include<string.h> 


/*
 * Prints the 24-byte constant from the decompiled check with every byte
 * XORed by 0x14, the same key sub_403B70 applies to each input character.
 */
int main()
{
	/* constant copied into v6 by the decompiled main */
	char a[]="rxusoCqxw{yqK`{KZqag{r`i";
	char *cur = a;
	char *const stop = a + 24;

	while (cur != stop)
	{
		/* 20 is 0x14 in decimal (the H hotkey in IDA switches the display) */
		*cur = *cur ^ 20;
		putchar(*cur);
		++cur;
	}
	return 0;
}

 

 

flag{Welcome_to_Neusoft}
