IDA32中查看伪代码
// IDA pseudocode of main (MIPS32 build). Reads one token from stdin, copies a
// fixed 84-byte table out of .rodata, and hands both to the checker sub_401164.
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // $v0
char v5[24]; // [sp+18h] [+18h] BYREF  -- std::string holding the user input
char v6[24]; // [sp+30h] [+30h] BYREF  -- std::string copy of v5 passed to the checker
char v7[84]; // [sp+48h] [+48h] BYREF  -- expected-byte table (filled from unk_4015F4)
// Default-constructs v5; the argv/envp "arguments" are decompiler noise from
// leftover register values, not real parameters (presumably -- confirm in disasm).
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v5, argv, envp);
v3 = std::operator<<<std::char_traits<char>>(&std::cout, "enter the flag");
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
// operator>> on std::string reads a single whitespace-delimited token, so the
// candidate flag must not contain spaces.
std::operator>><char>(&std::cin, v5);
memcpy(v7, &unk_4015F4, sizeof(v7)); // the known (encrypted) byte table is copied into v7; 84 bytes
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v6, v5);// v6 is a copy of v5 (same contents)
sub_401164(v7, v6); // checker: compares XOR-transformed input against the table in v7
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v6);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v5);
// Result is only reported via stdout ("correct!"/"incorrect"); exit code is always 0.
return 0;
}
直接看sub_401164(v7, v6);函数
// Flag checker. a1 points at the expected-byte table (v7 in main, 84 bytes),
// a2 is a std::string* holding the user input. Prints "correct!" or "incorrect"
// and returns whatever the final operator<< returned (the caller ignores it).
//
// Security-relevant observation: the "encryption" is a per-byte XOR with a
// keystream that depends only on the index (i + 23). Since XOR is its own
// inverse and the table is embedded in the binary, the accepted input is
// recoverable offline as table[i] ^ (i + 23) with no brute force at all.
int __fastcall sub_401164(int a1, int a2)
{
int v2; // $v0
int result; // $v0
int v4; // $v0
unsigned int i; // [sp+1Ch] [+1Ch]
// Length gate: input must be exactly 0x4E = 78 bytes. This also keeps the
// reads of a1[i] below inside the 84-byte table.
if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2) != 0x4E )// length check
{
LABEL_2:
v2 = std::operator<<<std::char_traits<char>>(&std::cout, "incorrect");
result = std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
}
else
{
// size() is re-evaluated every iteration; the string is not modified, so the
// bound stays 78.
for ( i = 0; i < std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2); ++i )
{
// Each byte is checked independently: input[i] ^ (i + 23) must equal
// table[i]. The first mismatch jumps straight to "incorrect" (early exit),
// so bytes are never compared in constant time -- irrelevant for a CTF
// check, but not a pattern to copy into a real authenticator.
if ( (*(char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i) ^ (i + 23)) != *(char *)(a1 + i) )// XOR with (index + 23), then compare
goto LABEL_2;
}
v4 = std::operator<<<std::char_traits<char>>(&std::cout, "correct!");
result = std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
}
return result;
}
主要就是那个异或,直接写exp:
# Expected-byte table dumped from unk_4015F4. Exactly 78 entries (0x4E), which
# is the length sub_401164 demands before it compares anything.
data = [0x62, 0x6C, 0x7F, 0x76, 0x7A, 0x7B, 0x66, 0x73, 0x76, 0x50,
        0x52, 0x7D, 0x40, 0x54, 0x55, 0x79, 0x40, 0x49, 0x47, 0x4D,
        0x74, 0x19, 0x7B, 0x6A, 0x42, 0x0A, 0x4F, 0x52, 0x7D, 0x69,
        0x4F, 0x53, 0x0C, 0x64, 0x10, 0x0F, 0x1E, 0x4A, 0x67, 0x03,
        0x7C, 0x67, 0x02, 0x6A, 0x31, 0x67, 0x61, 0x37, 0x7A, 0x62,
        0x2C, 0x2C, 0x0F, 0x6E, 0x17, 0x00, 0x16, 0x0F, 0x16, 0x0A,
        0x6D, 0x62, 0x73, 0x25, 0x39, 0x76, 0x2E, 0x1C, 0x63, 0x78,
        0x2B, 0x74, 0x32, 0x16, 0x20, 0x22, 0x44, 0x19]

# The binary accepts input[i] when input[i] ^ (i + 23) == data[i]. XOR is its
# own inverse, so the accepted input is simply data[i] ^ (i + 23) for every i.
flag = ''.join(chr(byte ^ (idx + 23)) for idx, byte in enumerate(data))
print(flag)
utflag{mips_cpp_gang_5VDm:~`N]ze;\)5%vZ=C'C(r#$q=*efD"ZNY_GX>6&sn.wF8$v*mvA@'}
(脚本实际输出以 utflag{ 开头, 共 78 字节, 与 sub_401164 中 0x4E 的长度检查一致; 少了 ut 前缀的 76 字节串会被长度判断直接拒绝。)