打开附件
尝试password
IDA打开
查看字符串
找到含有字符串“请输入pass!”的函数
// Hex-Rays pseudo-code of the dialog's password handler.
// Reads the text of dialog item 1002 into the CString stored at this+100,
// maps every alphanumeric character to an index in 0..61, stores the indices
// in v5 and hands the array to sub_4017F0 for the actual comparison.
//   '0'..'9' (48..57)  -> c - 48 ->  0..9
//   'a'..'z' (97..122) -> c - 87 -> 10..35
//   'A'..'Z' (65..90)  -> c - 29 -> 36..61
// Returns the MessageBoxA result for empty input, otherwise the result of
// sub_4017F0.
// NOTE(review): i is bounded only by the NUL terminator while v5 holds 26
// ints; an input longer than 26 characters writes past v5 (the frame offsets
// below put i directly after it). A length check before the loop is missing.
// NOTE(review): v5 is neither initialised nor terminated in the visible code,
// so sub_4017F0 stops on whatever stack value follows the last index written.
int __thiscall sub_401890(CWnd *this)
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
int v5[26]; // [esp+4Ch] [ebp-74h]
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v1 = (CWnd *)((char *)this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
// presumably the length of the CString at this+100 (it is passed to GetBuffer as the size) - TODO confirm
v3 = sub_401A30((char *)v8 + 100);
Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); // the password typed by the user
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0); // empty input: prompt "please enter pass!" and stop
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 57 || Str[i] < 48 )
{
if ( Str[i] > 122 || Str[i] < 97 )
{
if ( Str[i] > 90 || Str[i] < 65 )
sub_4017B0(); // not alphanumeric: v5[i] stays unwritten and the loop continues; sub_4017B0 is also the mismatch branch of sub_4017F0, presumably the failure handler
else
v5[i] = Str[i] - 29; // upper-case letter -> 36..61
}
else
{
v5[i] = Str[i] - 87; // lower-case letter -> 10..35
}
}
else
{
v5[i] = Str[i] - 48; // digit -> 0..9
}
}
return sub_4017F0(v5); // pass the index array on to the comparison routine
}
查看sub_4017F0
// Hex-Rays pseudo-code of the comparison routine.
// a1 is typed int but is read as the address of an int array (the v5 array
// built by sub_401890). Each index in 0..61 is replaced by the character at
// that position in the table aAbcdefghiabcde, and the resulting string is
// compared with "KanXueCTF2019JustForhappy".
// Returns sub_401770() on a match and sub_4017B0() otherwise (presumably the
// success and failure handlers - their bodies are not shown).
// Both stages are per-character and invertible, and the expected string is
// stored in clear in the binary, so the accepted input can be recovered by
// static analysis alone; a salted one-way hash of the password would not
// allow that.
// NOTE(review): v4 is never checked against the size of Str1 (28); the loop
// ends only at the first dword outside 0..61, and the caller's array carries
// no explicit terminator in the visible code.
int __cdecl sub_4017F0(int a1)
{
int result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0; // not read again in the visible code
while ( *(_DWORD *)(a1 + 4 * v4) < 62 && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; // equivalent to Str1[v4] = aAbcdefghiabcde[a1[v4]]
++v4;
}
Str1[v4] = 0; // NUL-terminate the translated string
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) // the input after both transformations must equal this string
result = sub_401770();
else
result = sub_4017B0();
return result;
}
Exp
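# Solver for the check in sub_401890 / sub_4017F0: undo the table lookup,
# then undo the per-character offset, to recover the input that produces `a`.

# String that sub_4017F0 compares the transformed input against.
a = 'KanXueCTF2019JustForhappy'
# 62-character lookup table this script uses for aAbcdefghiabcde.
b = 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'
tp = []
flag = ''

# Stage 1 (inverse of sub_4017F0): table character -> index 0..61.
# str.index raises ValueError if a target character is missing from the table.
for i in a:
    tp.append(b.index(i))

# Stage 2 (inverse of sub_401890): index -> original ASCII code.
for i in range(len(tp)):
    if 35 < tp[i] < 62:      # 36..61 came from 'A'..'Z' (c - 29)
        tp[i] += 29
    elif 9 < tp[i] < 36:     # 10..35 came from 'a'..'z' (c - 87)
        tp[i] += 87
    else:                    # 0..9 came from '0'..'9' (c - 48)
        tp[i] += 48
    flag += chr(tp[i])

print(flag)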
答案为flag{XXX}形式
flag{j0rXI4bTeustBiIGHeCF70DDM}