查壳,无壳。拖入IDA反编译,main函数的伪代码如下:
/*
 * Hex-Rays pseudocode of the crackme's main().
 * Flow: print a prompt, read the input into v6, require 4 < strlen < 0x1E,
 * require the first four characters to be "EIS{", require v7 == '}', then
 * hand the whole input to sub_4011C0() for the real check.
 * Every path returns 0; only the printed message differs.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
size_t i; // [esp+4Ch] [ebp-8Ch]
// NOTE(review): v5 is typed char[4] but strcpy() below stores 5 bytes ("EIS{" plus NUL).
// The stack offsets leave 8 bytes between v5 (ebp-88h) and v6 (ebp-80h), so the size is
// presumably a decompiler typing artifact rather than a real overflow - confirm in the listing.
char v5[4]; // [esp+50h] [ebp-88h]
char v6[28]; // [esp+58h] [ebp-80h]
// v7 sits at ebp-64h, i.e. 0x1C (28) bytes after v6 at ebp-80h, so it is effectively v6[28].
char v7; // [esp+74h] [ebp-64h]
sub_402B30(&unk_446360, "Give me your flag:");// presumably a printf-like output routine - TODO confirm
sub_4013F0(sub_403670);
// presumably reads up to 127 bytes of user input into v6; that is more than the 28 bytes
// the decompiler assigned to v6, so the real buffer likely spans v6, v7 and what follows - TODO confirm
sub_401440(v6, 127);
if ( strlen(v6) < 0x1E && strlen(v6) > 4 )// input must be longer than 4 and shorter than 0x1E (30) characters
{
strcpy(v5, "EIS{");
for ( i = 0; i < strlen(v5); ++i )
{// verify that the first 4 characters are "EIS{"
if ( v6[i] != v5[i] )
{
sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
return 0;
}
}
// With v7 aliasing v6[28], an accepted input is expected to be 29 characters:
// "EIS{" + 24 characters + "}".
if ( v7 == 125 )// 125 is the ASCII code of '}'
{
if ( (unsigned __int8)sub_4011C0(v6) )// sub_4011C0(v6) is the key check
sub_402B30(&unk_446360, "Congratulations! ");
else
sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
result = 0;
}
else
{
sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
result = 0;
}
}
else
{
sub_402B30(&unk_446360, "Sorry, keep trying!");
sub_4013F0(sub_403670);
result = 0;
}
return result;
}
/*
 * Hex-Rays pseudocode of the flag check called from main().
 * a1 is the full input ("EIS{...}"). The function copies the text between
 * the 4-character prefix and the last character into v8, swaps the case of
 * every letter, transforms each character with sub_4013C0(), XORs it with
 * byte_4420B0[i] and compares the result with a fixed 24-character string.
 * Returns true only when the transformed text equals that string.
 */
bool __cdecl sub_4011C0(char *a1)
{
size_t v2; // eax
signed int v3; // [esp+50h] [ebp-B0h]
char v4[32]; // [esp+54h] [ebp-ACh]
int v5; // [esp+74h] [ebp-8Ch]
int v6; // [esp+78h] [ebp-88h]
size_t i; // [esp+7Ch] [ebp-84h]
char v8[128]; // [esp+80h] [ebp-80h]
if ( strlen(a1) <= 4 )
return 0;
i = 4;
v6 = 0;
while ( i < strlen(a1) - 1 )
v8[v6++] = a1[i++];// copy the text between "EIS{" and the final character into v8 (b[] in the solver)
v8[v6] = 0;
v5 = 0;
v3 = 0;
// v4 is zero-filled first, so the transformed bytes written below stay NUL-terminated for strcmp().
memset(v4, 0, 0x20u);
// NOTE(review): nothing in this function bounds i against sizeof(v4); the writes to v4[i]
// rely on main() having rejected inputs of 0x1E characters or more before calling here.
for ( i = 0; ; ++i )
{
v2 = strlen(v8);
if ( i >= v2 )
break;
if ( v8[i] >= 97 && v8[i] <= 122 )// 97 = 'a', 122 = 'z'
{// lowercase -> uppercase
v8[i] -= 32;
v3 = 1;// remember the conversion so the next test does not turn the character back
}
if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )// 65 = 'A', 90 = 'Z'
v8[i] += 32;// uppercase -> lowercase
v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
// byte_4420B0[i] (c[] in the solver) is XORed with the result of sub_4013C0();
// the int result is truncated to one byte when stored into v4[i]
v3 = 0;
}
return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0; // target string (a[] in the solver)
}
.data:004420B0 ; XOR key table read by sub_4011C0 (see the DATA XREF below): byte i is XORed with the transformed i-th character.
.data:004420B0 ; The target string is 24 characters long, so a matching input only uses the first 24 of these 32 bytes.
.data:004420B0 ; char byte_4420B0[32]
.data:004420B0 byte_4420B0 db 0Dh ; DATA XREF: sub_4011C0+1A0↑r
.data:004420B1 db 13h
.data:004420B2 db 17h
.data:004420B3 db 11h
.data:004420B4 db 2
.data:004420B5 db 1
.data:004420B6 db 20h
.data:004420B7 db 1Dh
.data:004420B8 db 0Ch
.data:004420B9 db 2
.data:004420BA db 19h
.data:004420BB db 2Fh ; /
.data:004420BC db 17h
.data:004420BD db 2Bh ; +
.data:004420BE db 24h ; $
.data:004420BF db 1Fh
.data:004420C0 db 1Eh
.data:004420C1 db 16h
.data:004420C2 db 9
.data:004420C3 db 0Fh
.data:004420C4 db 15h
.data:004420C5 db 27h ; '
.data:004420C6 db 13h
.data:004420C7 db 26h ; &
.data:004420C8 db 0Ah
.data:004420C9 db 2Fh ; /
.data:004420CA db 1Eh
.data:004420CB db 1Ah
.data:004420CC db 2Dh ; -
.data:004420CD db 0Ch
.data:004420CE db 22h ; "
.data:004420CF db 4
/*
 * Per-character transform used by the flag check: XOR the value with 0x55,
 * then add 72.
 *   forward: out = (in ^ 0x55) + 72
 *   inverse: in  = (out - 72) ^ 0x55
 */
int __cdecl sub_4013C0(int a1)
{
int flipped = a1 ^ 0x55;
return flipped + 72;
}
exp
#include<stdio.h>
#include<string.h>
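/*
 * Solver: inverts the check in sub_4011C0 to recover the text that must sit
 * between "EIS{" and "}".
 *
 * The checker computes  a[i] = c[i] ^ ((swapcase(b[i]) ^ 0x55) + 72)  and
 * stores it in a char, so each step is undone in reverse order:
 *   1. XOR the target byte with the key byte,
 *   2. subtract 72 (modulo 256, matching the checker's one-byte store),
 *   3. XOR with 0x55,
 *   4. swap the letter case back.
 * Prints the recovered text followed by a newline.
 */
int main()
{
	/* Constant that sub_4011C0 compares the transformed input against. */
	char a[] = "GONDPHyGjPEKruv{{pj]X@rF";
	/* Recovered characters, one per character of a[]. */
	int b[25];
	/* Copy of the 32-byte key table byte_4420B0. */
	int c[32] = { 0x0D,0x13,0x17,0x11,2,1,0x20,0x1D,0x0C,2,0x19,0x2F,0x17,0x2B,0x24,0x1F,0x1E,0x16,9,0x0F,0x15,0x27,0x13,0x26,0x0A,0x2F,0x1E,0x1A,0x2D,0x0C,0x22,4 };
	/* Length is loop-invariant, so take it once instead of on every iteration. */
	size_t n = strlen(a);
	size_t i;

	for (i = 0; i < n; i++)
	{
		/*
		 * The cast to unsigned char reduces the subtraction modulo 256, so a
		 * key/target pair whose XOR is below 72 still decodes to a byte value
		 * instead of a negative int.
		 */
		int ch = (unsigned char)((c[i] ^ a[i]) - 72) ^ 0x55;

		/* Case swap is its own inverse: apply it once more to undo it. */
		if (ch >= 'a' && ch <= 'z')
			ch -= 32;
		else if (ch >= 'A' && ch <= 'Z')
			ch += 32;

		b[i] = ch;
	}

	for (i = 0; i < n; i++)
		putchar(b[i]);
	/* End the line so the result is not glued to the shell prompt. */
	putchar('\n');
	return 0;
}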
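// Output: wadx_tdgk_aihc_ihkn_pjlm - this is only the text inside the braces; with the "EIS{" prefix and the closing "}" that main() checks, the full flag is EIS{wadx_tdgk_aihc_ihkn_pjlm}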