32位程序,代码很简单
一个移位和按位与操作:用 `i & 1` 判断下标奇偶,奇数下标相当于把字节循环右移 2 位,偶数下标相当于循环左移 2 位。每个字节的变换互不影响,所以直接逐字节爆破(每个位置 256 种取值)就行
/*
 * Check routine of the binary, shown as decompiler pseudo-code (the sub_/off_
 * names and the register/stack annotations suggest Hex-Rays-style output).
 *
 * Rewrites the input in place from index 5 onward, then compares 27 bytes
 * starting at a1 + 5 with the data referenced by off_410D04. Prints "Right!"
 * on a match and "Wrong!" otherwise, and returns the value puts() returned.
 *
 * NOTE(review): a1 is typed const char * yet written through below, and
 * off_410D04 is not defined in this listing. Both look like decompiler
 * artefacts, so the listing is for reading, not for compiling.
 */
int __fastcall sub_4007F0(const char *a1)
{
    char v1; // $v1
    size_t i; // [sp+18h] [+18h]
    /* Indices 0..4 are never touched here; strlen(a1) is re-evaluated on every
     * iteration while the buffer is being rewritten. */
    for ( i = 5; i < strlen(a1); ++i )
    {
        /* Odd index: (x >> 2) | (x << 6) is a rotate right by 2 when the byte is
         * treated as an unsigned 8-bit value.
         * NOTE(review): with a signed char the >> would sign-extend bytes >= 0x80;
         * confirm the real width/signedness against the disassembly. */
        if ( (i & 1) != 0 )
            v1 = (a1[i] >> 2) | (a1[i] << 6);
        else
            /* Even index: 4 * x is x << 2, so this is the matching rotate left by 2. */
            v1 = (4 * a1[i]) | (a1[i] >> 6);
        /* Each output byte depends only on its own input byte and index parity,
         * which is why the transform can be undone one byte at a time. */
        a1[i] = v1;
    }
    /* Only the 27 transformed bytes after the 5-byte prefix are compared. */
    if ( !strncmp(a1 + 5, (const char *)off_410D04, 27u) )
        return puts("Right!");
    else
        return puts("Wrong!");
}
脚本
#include <stdio.h>
#include <stdlib.h>
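/*
 * Solver for the check above: for every index 5..31, search all 256 byte
 * values for the one whose 2-bit rotate equals the target byte, then undo the
 * XOR layer and print the recovered string.
 *
 * Raw bytes are held in unsigned char. Several targets (0xFD, 0xA4, ...) do not
 * fit a signed char, so with plain char both the initialisers and the
 * comparison would depend on implementation-defined conversions.
 */
int main(void)
{
    /* Five placeholder bytes followed by the 27 comparison bytes.
     * Presumably these are the bytes referenced by off_410D04 in the decompiled
     * check; the dump itself is not shown on the page. */
    static const unsigned char s[] = {
        0, 0, 0, 0, 0,
        0x52, 0xFD, 0x16, 0xA4, 0x89, 0xBD, 0x92, 0x80, 0x13, 0x41,
        0x54, 0xA0, 0x8D, 0x45, 0x18, 0x81, 0xDE, 0xFC, 0x95, 0xF0,
        0x16, 0x79, 0x1A, 0x15, 0x5B, 0x75, 0x1F
    };
    /* Known prefix in its stored form; after the XOR below it reads "qctf{". */
    unsigned char flag[33] = {'Q', '|', 'j', '{', 'g'};
    int i, j;

    for (i = 5; i < 32; i++) {
        for (j = 0; j < 256; j++) {
            unsigned char v1;

            /* Same parity rule as the check; the mask keeps the rotate to 8 bits. */
            if ((i & 1) != 0)
                v1 = (unsigned char)(((j >> 2) | (j << 6)) & 0xFF);
            else
                v1 = (unsigned char)(((4 * j) | (j >> 6)) & 0xFF);

            /* A rotate is a bijection on 0..255, so exactly one j matches. */
            if (v1 == s[i]) {
                flag[i] = (unsigned char)j;
                break;
            }
        }
    }

    /* The XOR with (32 - i) is not part of the decompiled check shown above;
     * presumably it undoes an earlier step of the binary. */
    for (i = 0; i < 32; i++)
        putchar(flag[i] ^ (32 - i));
    putchar('\n');

    return 0;
}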
flag: flag{ReA11y_4_B@89_mlp5_4_XmAn_}(脚本直接输出的前五个字符是 qctf{,这里按 flag{ 的形式给出)