下载附件,惯例查壳,发现无壳,拖进IDA
shfit+F12,查看字符串,发现有关flag的字符串
点击跟进调查,找到主函数
空格进入,查看框图, 同时F5查看主函数
发现sub_401160这个地址是储存输出项的函数,而Format是储存错误字符串的,aYesYouAreRight是储存正确字符串的,由此可判断v4和dword_403000的比较是决定正确还是错误的判断语句跟进调查dword_403000,可得这个拥有100个数的数组
完整数组如下
而v4经过上面的变换如果还与dword_403000相等,则flag正确
将这个for循环逆向编译,可得(c语言实现)
#include <stdio.h>
int main(int argc, char *argv[])
{
int v4[100] = {
8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14, 6, 3, 6, 15, 6, 4, 6, 5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5, 6, 1, 6,
3, 7, 9, 7, 15, 5, 6, 6, 15, 6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5, 6, 2, 7, 3, 7, 5, 6, 15, 5, 5, 6,
14, 6, 7, 6, 9, 6, 14, 6, 5, 6, 5, 6, 2, 7, 13, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
for (int i = 0; i < 50; ++i)
{
for (int j = 33; j < 128; j++)
{
if ((v4[i * 2] == (j & 0xf)) && (v4[i * 2 + 1] == ((j >> 4) & 0xf)))
{
printf("%c", j);
}
}
}
return 0;
}
运行可得最终flag
即NSSCTF{encode_is_easy_for_a_reverse_engineer}