需要输入正确的flag
查看反编译代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
size_t i; // [esp+4Ch] [ebp-8Ch]
char v5[8]; // [esp+50h] [ebp-88h] BYREF
char Str[128]; // [esp+58h] [ebp-80h] BYREF
sub_402B30((int)&unk_446360, "Give me your flag:");
sub_4013F0(sub_403670);
sub_401440(Str, 127); //输入flag
if ( strlen(Str) < 0x1E && strlen(Str) > 4 )
{
strcpy(v5, "EIS{"); //flag前四位
for ( i = 0; i < strlen(v5); ++i )
{
if ( Str[i] != v5[i] )
goto LABEL_7;
}
if ( Str[28] != '}' ) //flag最后一位
{
LABEL_7:
sub_402B30((int)&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
return 0;
}
if ( sub_4011C0(Str) ) //关键判断函数,返回值为1是正确
sub_402B30((int)&unk_446360, "Congratulations! ");
else
sub_402B30((int)&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
result = 0;
}
else
{
sub_402B30((int)&unk_446360, "Sorry, keep trying!");
sub_4013F0(sub_403670);
result = 0;
}
return result;
}
目前可以看出flag的形式为EIS{XXXXXXXXX}
看下关键的判断函数
bool __cdecl sub_4011C0(char *Str)
{
size_t v2_25; // eax
int v3; // [esp+50h] [ebp-B0h]
char Str2[32]; // [esp+54h] [ebp-ACh] BYREF
int v5; // [esp+74h] [ebp-8Ch]
int v6; // [esp+78h] [ebp-88h]
size_t i; // [esp+7Ch] [ebp-84h]
char v8[128]; // [esp+80h] [ebp-80h] BYREF
if ( strlen(Str) <= 4 )
return 0;
i = 4;
v6 = 0;
while ( i < strlen(Str) - 1 )
v8[v6++] = Str[i++]; //将flag中间24位赋值给v8
v8[v6] = 0;
v5 = 0;
v3 = 0;
memset(Str2, 0, sizeof(Str2));
for ( i = 0; ; ++i )
{
v2_25 = strlen(v8);
if ( i >= v2_25 )
break;
if ( v8[i] >= 'a' && v8[i] <= 'z' ) //如果小写,转为大写
{
v8[i] -= 32;
v3 = 1;
}
if ( !v3 && v8[i] >= 'A' && v8[i] <= 'Z' ) //如果大写,转为小写
v8[i] += 32;
Str2[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]); //异或加密
v3 = 0;
}
return strcmp("GONDPHyGjPEKruv{{pj]X@rF", Str2) == 0;
}
查看下sub_4013C0
int __cdecl sub_4013C0(int a1)
{
return (a1 ^ 0x55) + 72;
}
byte_4420B0
Exp
byte_4420B0 = [0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F,
0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x04]
flag = ''
str2 = 'GONDPHyGjPEKruv{{pj]X@rF'
for i in range(24):
flag += chr((ord(str2[i]) ^ byte_4420B0[i]) - 72 ^ 0x55)
print('EIS{' + flag.swapcase() + '}')
输出EIS{wadx_tdgk_aihc_ihkn_pjlm}
验证一下