通过字符串搜索（"give me a flag: "）定位到关键函数：
/*
 * sub_401E40 -- the crackme's main check routine (IDA pseudocode, not
 * compilable as-is).
 *
 * Prints the prompt, reads the user's flag into the stack area starting at
 * uaddr2, derives a one-byte key from three input bytes, XORs the first 42
 * input bytes with that key in place, and hands the result to sub_401DE7
 * for comparison against the dword_4C0100 table.
 *
 * a1       unused here.
 * a2..a6   register arguments forwarded untouched to the printf-like
 *          sub_410DF0 (a decompiler artifact, not real parameters).
 * Returns 0 on the "wrong flag" path.  On success sub_410330(0) is called;
 * it is presumably exit(), since otherwise the failure message below would
 * also be printed on success -- TODO confirm against the callee.
 *
 * Layout note: uaddr2 and v10..v21 are one contiguous 104-byte buffer in
 * the binary ([rbp-70h] .. [rbp-0Ch]); the decompiler split it into
 * separate locals, which is why the byte loop below indexes "past" uaddr2.
 */
__int64 __fastcall sub_401E40(__int64 a1, int a2, int a3, int a4, int a5, int a6)
{
__int64 result; // rax
char v7; // [rsp+Bh] [rbp-75h]   one-byte XOR key derived from the input
int i; // [rsp+Ch] [rbp-74h]
u32 uaddr2[2]; // [rsp+10h] [rbp-70h] BYREF   start of the input buffer (bytes 0..7)
__int64 v10; // [rsp+18h] [rbp-68h]   input bytes 8..15
__int64 v11; // [rsp+20h] [rbp-60h]
__int64 v12; // [rsp+28h] [rbp-58h]
__int64 v13; // [rsp+30h] [rbp-50h]
__int64 v14; // [rsp+38h] [rbp-48h]
__int64 v15; // [rsp+40h] [rbp-40h]
__int64 v16; // [rsp+48h] [rbp-38h]
__int64 v17; // [rsp+50h] [rbp-30h]
__int64 v18; // [rsp+58h] [rbp-28h]
__int64 v19; // [rsp+60h] [rbp-20h]
__int64 v20; // [rsp+68h] [rbp-18h]
int v21; // [rsp+70h] [rbp-10h]
unsigned __int64 v22; // [rsp+78h] [rbp-8h]   stack-protector canary
v22 = __readfsqword(0x28u);
/* Zero the whole 104-byte input area before the read. */
*(_QWORD *)uaddr2 = 0LL;
v10 = 0LL;
v11 = 0LL;
v12 = 0LL;
v13 = 0LL;
v14 = 0LL;
v15 = 0LL;
v16 = 0LL;
v17 = 0LL;
v18 = 0LL;
v19 = 0LL;
v20 = 0LL;
v21 = 0;
/* printf-like; the (unsigned int) cast on the format string is a decompiler artifact. */
sub_410DF0((unsigned int)"give me a flag: ", a2, a3, a4, a5, a6);
/* Read the flag.  NOTE(review): only the buffer pointer is passed, no length,
 * so this looks like an unbounded gets()-style read into a fixed 104-byte
 * frame guarded only by the canary in v22 -- confirm against sub_418970. */
sub_418970(uaddr2); // read the flag
/* Key = in[8] ^ in[7] ^ in[9] (1-based: 8th, 9th and 10th characters).
 * v7 is a char, so v10 contributes only its low byte (in[8]); HIBYTE of
 * uaddr2[1] is in[7]; BYTE1(v10) is in[9].  The key is 8-bit, so a
 * brute force over it needs at most 256 tries (see the exploit below). */
v7 = v10 ^ HIBYTE(uaddr2[1]) ^ BYTE1(v10);// v7 = XOR of the 8th, 9th and 10th flag characters
/* XOR the first 42 input bytes in place; indexing runs from uaddr2 into
 * v10..v14, which is only valid because they are one buffer in the binary. */
for ( i = 0; i <= 41; ++i )
*((_BYTE *)uaddr2 + i) ^= v7; // XOR every flag byte with the key
if ( (unsigned int)sub_401DE7(uaddr2) ) // compare against the (decoded) dword_4C0100 table
{
sub_418C70("okk");
sub_410330(0LL);
}
sub_418C70("nono, may be.... ");
result = 0LL;
/* Stack-protector epilogue: sub_454840 is presumably __stack_chk_fail. */
if ( __readfsqword(0x28u) != v22 )
sub_454840();
return result;
}
判断函数
/*
 * sub_401DE7 -- byte-wise comparison of the XOR-ed input with the table
 * (IDA pseudocode).
 *
 * a1   address of the 42-byte (already XOR-ed) input buffer.
 * Returns 1 when every input byte equals the low byte of the corresponding
 * dword_4C0100 entry, 0 otherwise.  Only the low byte of each dword takes
 * part in the comparison; the upper 24 bits are ignored.
 *
 * Note: the function returns at the first mismatch, so the number of
 * correct leading bytes is observable through timing -- the classic
 * non-constant-time comparison.  Harmless for a crackme, but worth knowing.
 */
__int64 __fastcall sub_401DE7(__int64 a1)
{
  const unsigned char *input = (const unsigned char *)a1;
  int idx;
  for ( idx = 0; idx < 42; ++idx )
  {
    if ( input[idx] == (unsigned __int8)dword_4C0100[idx] )
      continue;
    return 0LL;                       /* first differing byte: reject */
  }
  return 1LL;
}
注意 dword_4C0100 中存放的并不是直接用于比较的值，使用前先被 sub_401D94 处理过：
/*
 * sub_401D94 -- in-place decoding of the comparison table (IDA pseudocode).
 *
 * XORs each of the 42 dwords of dword_4C0100 with 0x17 and returns the
 * table's address.  The decompiler tracked the loop counter through a raw
 * stack slot (`*(int *)&v1[-4]`); a plain local counter is used here.
 *
 * XOR is its own inverse, so a second call would re-encode the table;
 * presumably it runs exactly once before sub_401DE7 (the caller is not
 * shown in this listing).
 */
_DWORD *sub_401D94()
{
  int idx = 0;
  while ( idx <= 41 )
  {
    dword_4C0100[idx] ^= 0x17u;
    ++idx;
  }
  return dword_4C0100;
}
对数据进行了异或0x17的处理,用IDAPython打印处理后的数据
# IDAPython: dump dword_4C0100 with sub_401D94's XOR 0x17 already applied,
# i.e. the values sub_401DE7 actually compares against (low byte only).
addr = 0x4C0100                                           # dword_4C0100
arr = [Dword(addr + 4 * i) ^ 0x17 for i in range(42)]    # 42 dwords, 4 bytes apart
print(arr)
最后爆破求解 flag：v7 只是一个字节（由输入第 8、9、10 位异或得到），因此枚举它的全部 256 个取值，把表中每项的低字节异或回去，挑出以 flag 开头的结果即可。
exp
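# dword_4C0100 as dumped by the IDAPython snippet above, i.e. after the
# XOR 0x17 applied by sub_401D94.  sub_401DE7 compares only the low byte of
# each entry with input[i] ^ v7, so the flag is input[i] = (entry ^ v7) & 0xff.
dword_4C0100 = [6, 268, 513, 775, 1051, 1361, 1619, 1798, 2131, 2389, 2646, 2902, 3155, 3405, 3669,
                3920, 4097, 4436, 4685, 4948, 5207, 5463, 5634, 5965, 6226, 6487, 6744, 6914, 7245,
                7426, 7767, 8017, 8273, 8528, 8786, 9046, 9222, 9478, 9815, 9985, 10244, 10525]


def decode_flag(table, key):
    """Undo sub_401E40's per-byte XOR for one candidate key.

    table: the decoded dword_4C0100 entries (only their low byte matters).
    key:   candidate value of v7 (0..255).
    Returns the candidate input as a str, one char per table entry.
    """
    return ''.join(chr((entry ^ key) & 0xff) for entry in table)


def recover_flag(table, prefix='flag'):
    """Brute-force the one-byte key v7 and return the recovered flag.

    A candidate is accepted only if it starts with `prefix` AND satisfies
    the binary's own key derivation, v7 == input[7] ^ input[8] ^ input[9]
    (see sub_401E40) -- a prefix match alone could be a coincidence that
    the binary would still reject.  Returns None when no key works.
    """
    # v7 is a C `char`, i.e. a full byte: search all 256 values, not just ASCII.
    for key in range(256):
        candidate = decode_flag(table, key)
        if not candidate.startswith(prefix):
            continue
        if len(candidate) > 9 and \
                ord(candidate[7]) ^ ord(candidate[8]) ^ ord(candidate[9]) != key:
            continue  # would not pass sub_401E40's key derivation
        return candidate
    return None


if __name__ == '__main__':
    flag = recover_flag(dword_4C0100)
    if flag is not None:
        print(flag)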