简单逆向4

开始

1. PEID查壳 ，vs写的程序，并且没有壳
   

2. 放入IDA32 ：关键点在sub_401090(&buf),并且能看出buf长度小于等于37

3. 打开sub_401090(&buf) ：
   

4. 代码分析 ：
   主体思路：分别从两个地方取常量数据和0x19做亦或，将输入的flag作为操作码（即数组下标）执行if语句

5. 解题：所以我们需要先将比较的数据算出来，
   然后找到数据域中和所算结果相同的数据下标，在做分析

首先找到数据区域（byte_402150，byte_402151， byte_4021A0）：



写脚本进行逆向解码：

a1 = "2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"
a2 = "a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"
code = [0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16]
v8 = []
index0 = []
v4 = 0
while v4 < 35:
    v8 = a1[2 * v4];                   
    if ord(v8) < 48 or ord(v8) > 57:                 
      v9 = ord(v8) - 87
    else:
      v9 = ord(v8) - 48                 
    v11 = 16 * v9   
    v10 = a2[2 * v4]; 
    if ord(v10) < 48 or ord(v10) > 57:                
      v12 = ord(v10) - 87;
    else:
      v12 = ord(v10) - 48;
    re = (v11 + v12) ^ 0x19
    v4 += 1
    for j in code:
        if j == re:
            index0.append(code.index(j))
            break;
print(index0)
n = 0
result = ""
for i in index0:
    result += chr(i)
print(result)

说明：代码中对输入数据的操作如下，我们比如输入数据为33，实际上就是把数据转换成16进制在转换成16进制，只取最后两位，所以在不达到16 * 16 + 16 = 276的大小下，输出的m就是本身，所以我们只需要找到数据域对应的下标，就是所求的字符ascii码

#include<stdio.h>

int main()
{
	int v6, v5 = 33, v7;
	v6 = v5 / 16 % 16;
	v7 = 16 * v5 / 16 % 16;
	int m = 16 * v6 + v7;
	return 0;
}

运行获得flag

题目下载：https://lecloud.lenovo.com/share/42xwJAnvMDmsFKbbV