用IDA打开程序,找到main函数,按F5反编译:
/*
 * Program entry point as shown by the decompiler: sets the locale, prints the
 * banner and the prompt, then runs the input check in authenticate().
 * Returns 0 regardless of whether the check succeeded.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setlocale(6, &locale); // presumably LC_ALL (6 on glibc); confirm against the target libc
    banner();
    prompt_authentication();
    authenticate(); // reads one line from stdin and compares it with the value decrypt() returns
    return 0;
}
/*
 * Seeds the C PRNG with the current time and prints two wide strings whose
 * contents are not shown on this page. Returns the result of the second
 * wprintf() call.
 */
int banner()
{
    unsigned int v0; // eax
    v0 = time(0);
    srand(v0);
    wprintf(&unk_80488B0);
    rand(); // result is discarded; nothing in the code shown here uses it
    return wprintf(&unk_8048960);
}
/*
 * Prints the authentication prompt and returns the result of wprintf().
 */
int prompt_authentication()
{
    return wprintf((int)&unk_80489F8); // Please enter authentication details:
}
/*
 * Obtains the expected value from decrypt(), reads one line from stdin and
 * compares the two, printing one of two messages.
 * The expected value sits in heap memory in plaintext from the decrypt() call
 * until free(s2), independent of what the user types.
 */
void authenticate()
{
    wchar_t ws[8192]; // [esp+1Ch] [ebp-800Ch] BYREF
    wchar_t *s2; // [esp+801Ch] [ebp-Ch]
    // s and dword_8048A90 are globals in the binary; their contents are not shown on this page.
    s2 = (wchar_t *)decrypt((wchar_t *)&s, (wchar_t *)&dword_8048A90);
    if ( fgetws(ws, 0x2000, stdin) ) // 0x2000 == 8192, the element count of ws
    {
        // Removes the last character read (the newline fgetws keeps, when there is one).
        // NOTE(review): if the input begins with a NUL wide character, wcslen() is 0
        // and this writes ws[-1].
        ws[wcslen(ws) - 1] = 0;
        if ( !wcscmp(ws, s2) )
            wprintf((int)&unk_8048B44); // Success
        else
            wprintf((int)&unk_8048BA4); // the other message; text not shown on this page
    }
    free(s2); // releases the buffer allocated inside decrypt()
}
根据分析,只要输入的ws和s2相等就会输出Success,所以s2就是flag
ws是我们输入的值,s2是decrypt()函数解密后得到的值,因此我们拿到s2就拿到flag
/*
 * Returns a heap-allocated copy of s in which a2 has been subtracted from it
 * character by character, with a2 repeated cyclically over the length of s.
 * The caller owns the returned buffer (authenticate() frees it).
 */
wchar_t *__cdecl decrypt(wchar_t *s, wchar_t *a2)
{
    size_t v2; // eax
    signed int v4; // [esp+1Ch] [ebp-1Ch]
    signed int i; // [esp+20h] [ebp-18h]
    signed int v6; // [esp+24h] [ebp-14h]
    signed int v7; // [esp+28h] [ebp-10h]
    wchar_t *dest; // [esp+2Ch] [ebp-Ch]
    v6 = wcslen(s); // length of the encrypted text, in wide characters
    v7 = wcslen(a2); // length of the key, in wide characters
    v2 = wcslen(s);
    // NOTE(review): malloc() takes a byte count, but wcscpy() below writes v2 + 1
    // wide characters; as decompiled the buffer is too small and the copy overruns
    // it. Confirm against the disassembly. The malloc() result is also not checked.
    dest = (wchar_t *)malloc(v2 + 1);
    wcscpy(dest, s);
    // NOTE(review): no initialisation of v4 appears in this listing; presumably the
    // binary starts it at 0 and the assignment is missing here. Confirm in the disassembly.
    // NOTE(review): if a2 is empty (v7 == 0) while s is not, this loop never advances.
    while ( v4 < v6 )
    {
        // One pass over the key; stops early when the end of the text is reached.
        for ( i = 0; i < v7 && v4 < v6; ++i )
            dest[v4++] -= a2[i];
    }
    return dest;
}
用调试器查看decrypt()返回的s2的值:
flag:9447{you_are_an_international_mystery}