IgniteMe_攻防世界RE【4】
火把_033f
题目描述:
下载附件拖入ida,发现是win32 console Application。
解题过程:
拖入IDA,反编译。
main函数如下:
/*
 * Decompiled entry point of the crackme (IDA pseudocode; helpers are left
 * as sub_XXXXXX / unk_XXXXXX names).  Reads one line from the user, checks
 * its shape — length strictly between 4 and 0x1E, an "EIS{" prefix and a
 * '}' at index 28 — and only then hands it to sub_4011C0 for the real
 * comparison.  Every rejection prints "Sorry, keep trying!" and returns 0;
 * the return value does not tell success from failure, only the message does.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int result; // eax
    size_t i; // [esp+4Ch] [ebp-8Ch]
    char v5[4]; // [esp+50h] [ebp-88h]  -- receives "EIS{"; the strcpy below also writes its NUL into the 4-byte gap before v6 (ebp-84h)
    char v6[28]; // [esp+58h] [ebp-80h] -- user input buffer
    char v7; // [esp+74h] [ebp-64h]     -- ebp-80h + 0x1C: the byte directly after v6, i.e. v6[28]
    sub_402B30(&unk_446360, "Give me your flag:");   // looks like an ostream-style print; body not shown
    sub_4013F0(sub_403670);                          // presumably an endl/flush manipulator; body not shown
    // NOTE(review): the limit passed is 127 but v6 is only 28 bytes; if sub_401440
    // honours that limit a long line overwrites v7 and the rest of the frame.
    // Confirm from sub_401440's decompilation.
    sub_401440(v6, 127);
    // Accept lengths 5..29 (0x1E == 30).
    if ( strlen(v6) < 0x1E && strlen(v6) > 4 )
    {
        // strlen(v5) is 4 here because the terminator landed in the padding after v5.
        strcpy(v5, "EIS{");
        for ( i = 0; i < strlen(v5); ++i )
        {
            if ( v6[i] != v5[i] )
            {
                sub_402B30(&unk_446360, "Sorry, keep trying! ");
                sub_4013F0(sub_403670);
                return 0;
            }
        }
        // 125 == '}'.  v7 is v6[28], so together with the < 0x1E check this
        // pins the accepted length to exactly 29 bytes: "EIS{" + 24 + "}".
        if ( v7 == 125 )
        {
            if ( sub_4011C0(v6) )
                sub_402B30(&unk_446360, "Congratulations! ");
            else
                sub_402B30(&unk_446360, "Sorry, keep trying! ");
            sub_4013F0(sub_403670);
            result = 0;
        }
        else
        {
            sub_402B30(&unk_446360, "Sorry, keep trying! ");
            sub_4013F0(sub_403670);
            result = 0;
        }
    }
    else
    {
        sub_402B30(&unk_446360, "Sorry, keep trying!");
        sub_4013F0(sub_403670);
        result = 0;
    }
    return result;
}
能看出flag需要以EIS{开始,以}结尾。
关键函数为sub_4011C0,反编译后如下:
/*
 * Core flag check (IDA pseudocode).  a1 is the whole input line, which main
 * has already verified starts with "EIS{" and carries '}' at index 28.
 * Steps: drop the first four bytes and the last byte into v8, swap the ASCII
 * case of every byte of v8, feed each byte through sub_4013C0 (not shown),
 * XOR with byte_4420B0[i], and strcmp the result against a fixed 24-byte
 * string.
 *
 * Returns true only when the transformed body equals that constant.
 */
bool __cdecl sub_4011C0(char *a1)
{
    size_t v2; // eax
    signed int v3; // [esp+50h] [ebp-B0h]  -- "already uppercased this byte" flag; stops the second test from flipping it back
    char v4[32]; // [esp+54h] [ebp-ACh]    -- transformed output compared by strcmp
    int v5; // [esp+74h] [ebp-8Ch]         -- set to 0 below and never read
    int v6; // [esp+78h] [ebp-88h]         -- write index into v8
    size_t i; // [esp+7Ch] [ebp-84h]
    char v8[128]; // [esp+80h] [ebp-80h]   -- a1[4 .. len-2], the body between "EIS{" and "}"
    if ( strlen(a1) <= 4 )
        return 0;
    i = 4;
    v6 = 0;
    // Copy a1[4 .. len-2]; the last byte (the '}') is dropped.
    while ( i < strlen(a1) - 1 )
        v8[v6++] = a1[i++];
    v8[v6] = 0;
    v5 = 0;
    v3 = 0;
    memset(v4, 0, 0x20u);
    for ( i = 0; ; ++i )
    {
        v2 = strlen(v8);
        if ( i >= v2 )
            break;
        // 'a'..'z' (97..122) -> uppercase, and remember it.
        if ( v8[i] >= 97 && v8[i] <= 122 )
        {
            v8[i] -= 32;
            v3 = 1;
        }
        // 'A'..'Z' (65..90) -> lowercase, only if this byte was not just uppercased.
        if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
            v8[i] += 32;
        // sub_4013C0 is not shown; the solve script below inverts it as
        // (x - 72) ^ 0x55, i.e. it appears to be (c ^ 0x55) + 72 — confirm.
        // Nothing here bounds i against v4's 32 bytes or byte_4420B0's size;
        // on the path through main the body is 24 bytes, so it fits.
        v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
        v3 = 0;
    }
    // 24-byte target.  v4 was zeroed, so a shorter body fails at the terminator.
    return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;
}
写出相反的逻辑代码如下:
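# Inverse of sub_4011C0.  For every position i the binary requires
#     byte_4420B0[i] ^ sub_4013C0(swapcase(body[i])) == target[i]
# so body[i] = swapcase(inv(target[i] ^ byte_4420B0[i])), where inv undoes
# sub_4013C0.  XOR is its own inverse (A^B=C implies A^C=B), which is what
# makes the table step reversible.  The solve takes sub_4013C0 to be
# (c ^ 0x55) + 72, hence inv(x) = (x - 72) ^ 0x55.

# Contents of byte_4420B0 as dumped from the binary (32 entries; only the
# first len(encrypted) are used).
b4420=[0xD,0x13,0x17,0x11,0x2,0x1,0x20,0x1D,0x0C,0x2,0x19,0x2F,
0x17,0x2B,0x24,0x1F,0x1E,0x16,0x9,0x0F,0x15,0x27,0x13,
0x26,0x0A,0x2F,0x1E,0x1A,0x2D,0x0C,0x22,0x4]
# The constant compared by strcmp in sub_4011C0.
encrypted='GONDPHyGjPEKruv{{pj]X@rF'


def _undo_4013c0(value):
    """Invert sub_4013C0 on one byte value: (value - 72) ^ 0x55.

    Parenthesised on purpose: in Python '-' binds tighter than '^', so
    writing ``value-72^0x55`` relies on precedence that is easy to misread.
    """
    return (value - 72) ^ 0x55


# Undo the XOR with the table, then undo sub_4013C0; the case swap is
# undone once at the end on the whole string.
result = "".join(
    chr(_undo_4013c0(ord(ch) ^ key)) for ch, key in zip(encrypted, b4420)
)
print("EIS{"+result.swapcase()+"}")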
值得讨论
一个小知识:
若 A^B=C, 则 A^C=B, 且 B^C=A.