查壳发现是ELF文件
查看反编译代码
/*
 * Decompiled entry point of the crackme (decompiler pseudo-C, not standard C).
 *
 * Prompts for a password, reads one line from stdin and passes the buffer
 * address to sub_4006FD(). A zero return from sub_4006FD() is the success
 * path ("Nice!"); any non-zero return prints "Incorrect password!".
 *
 * Returns 0 on success or when fgets() yields nothing, 1 on a wrong password.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    char s[264];          // [rsp+0h] [rbp-110h] BYREF  - line buffer for the typed password
    unsigned __int64 v5;  // [rsp+108h] [rbp-8h]        - qword read from fs:0x28

    // v5 is never used again in this listing. On x86-64 Linux fs:0x28 is the
    // stack-protector canary slot, so this is presumably the canary load; the
    // matching epilogue check is not shown by the decompiler.
    v5 = __readfsqword(0x28u);

    printf("Enter the password: ");

    // The read is capped at 255 bytes, below the 264-byte size of s, so the
    // input cannot overrun the buffer. EOF or a read error exits quietly.
    if ( fgets(s, 255, stdin) == NULL )
        return 0LL;

    // sub_4006FD() returns 0 when the password is correct.
    if ( (unsigned int)sub_4006FD((__int64)s) == 0 )
    {
        puts("Nice!");
        return 0LL;
    }

    puts("Incorrect password!");
    return 1LL;
}
看下判断函数
/*
 * Password check recovered from the crackme (decompiler pseudo-C).
 *
 * a1 is the address of the input buffer, passed as an integer. The expected
 * password is not stored directly: it is spread over three string constants
 * and every character is stored shifted up by one. For position i (0..11)
 * the function takes the string v3[i % 3], reads the character at offset
 * 2 * (i / 3) in it, and requires that character to be exactly input[i] + 1.
 *
 * Returns 0 when all 12 positions match, 1 at the first mismatch.
 *
 * Review notes: only the first 12 bytes of the input are compared and there
 * is no length or terminator check, so whatever follows them is ignored.
 * Because the transform is a fixed +1 on constants embedded in the binary,
 * the password can be derived from the strings alone without running it.
 */
__int64 __fastcall sub_4006FD(__int64 a1)
{
    int i;          // [rsp+14h] [rbp-24h]
    __int64 v3[4];  // [rsp+18h] [rbp-20h]  - only slots 0..2 are assigned below

    // v3 holds three string addresses; it is indexed like a 2-D character
    // table (row = i % 3, column = 2 * (i / 3)).
    v3[0] = (__int64)"Dufhbmf";
    v3[1] = (__int64)"pG`imos";
    v3[2] = (__int64)"ewUglpt";

    i = 0;
    while ( i < 12 )
    {
        const char *row = (const char *)v3[i % 3];
        char table_ch = row[2 * (i / 3)];    // columns 0, 2, 4, 6 of the chosen row
        char input_ch = *(char *)(a1 + i);   // i-th byte of the caller's buffer

        // The stored character must be exactly one above the typed character.
        if ( table_ch - input_ch != 1 )
            return 1LL;
        ++i;
    }
    return 0LL;
}
Exp
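# Rebuild the password by inverting the check in sub_4006FD:
# the binary requires table_char - input_char == 1, so input_char = table_char - 1.
v3 = ['Dufhbmf', 'pG`imos', 'ewUglpt']

# Position i reads row i % 3 at column 2 * (i // 3). Floor division (//) keeps
# the index an integer, mirroring C's integer division; `/` would give a float
# in Python 3.
password = ''.join(chr(ord(v3[i % 3][2 * (i // 3)]) - 1) for i in range(12))
print(password)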
输出 Code_Talkers