很简单的一个程序:
/*
 * Hex-Rays output for the crackme's main(): read one line from stdin, run it
 * through cheack_func() and decode1(), then hand the result to judge_func().
 * cheack_func, decode1 and judge_func live elsewhere in the binary; only
 * decode1 is shown further down.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int result; // eax@2
    /* Input buffer.  The frame annotations put s at bp-30h and v5 at bp-8h,
     * i.e. 0x28 = 40 bytes apart; the decompiler only recovered the first
     * byte as `char s`, the real array length is not shown. */
    char s; // [sp+10h] [bp-30h]@1
    int v5; // [sp+38h] [bp-8h]@3   -- value returned by decode1
    int v6; // [sp+3Ch] [bp-4h]@1   -- strlen of the input
    /* The two extra argv arguments are a decompiler artifact: the format
     * string has no conversion specifiers. */
    printf("Let me cheack your flag:", argv, argv);
    /* gets() has no length limit: input longer than the 40 bytes between s
     * and v5 overwrites v5, v6 and whatever lies above them in the frame.
     * That is why the stack offsets above are worth keeping in view. */
    gets(&s);
    v6 = strlen(&s);
    /* cheack_func is not shown; the serial=22 note here and the v3==22 note
     * in decode1 suggest it wants a 22-byte input -- not verified here. */
    if ( (unsigned int)cheack_func(&s) ) // serial=22
    {
        /* decode1 takes the buffer address as an integer plus the length and
         * returns the number of bytes that matched, or 0 on the first
         * mismatch.  judge_func's acceptance rule is not shown. */
        v5 = decode1((__int64)&s, v6);
        judge_func(v5);
        result = 0;
    }
    else
    {
        puts("Try again~");
        result = 0;
    }
    /* Both branches return 0; the exit status carries no verdict. */
    return result;
}
上面是main函数反编译出来的算法,和一些我加的注释
/*
 * Hex-Rays output for the check main() runs after cheack_func().
 *
 * a1: address of the input buffer (main passes (__int64)&s).
 * a2: number of bytes to check (main passes strlen(&s)).
 *
 * Byte i of the input is XORed with its own index i and compared with
 * compare[i].  The first mismatch returns 0; when every byte matches the
 * function returns the number of bytes checked, which is a2.  The input it
 * accepts is therefore input[i] = i ^ compare[i] for i in [0, a2).
 *
 * compare (see the .rodata dump below) is 23 bytes: 'E', a 21-character
 * string and a 0 terminator.  The loop is bounded by a2 only, never by the
 * size of compare, so an input that also matched that terminator (byte 0x16
 * at index 22) would make the next iteration read past the array.
 */
__int64 __fastcall decode1(__int64 a1, int a2)
{
    unsigned int v3; // [sp+14h] [bp-8h]@1   -- count of matching bytes
    int i; // [sp+18h] [bp-4h]@1
    v3 = 0;
    for ( i = 0; i < a2; ++i )
    {
        /* *(_BYTE *)(i + a1) is input[i]; the loop index is the XOR key. */
        if ( (i ^ *(_BYTE *)(i + a1)) != compare[(signed __int64)i] )
            return 0LL; // v3==22
        ++v3;
    }
    /* Reached only when all a2 bytes matched, so v3 == a2 here. */
    return v3;
}
最后结果要返回 v3=22，也就是 for 循环要完整走完，22 个字节全部匹配
compare 的内容（共 22 个字符外加结尾的 0，注意 'E' 后面的第二个字节是反引号 `）:
rodata:00000000004007F0 ; char compare[]   ; 23 bytes in total: 'E' at 4007F0, 21 characters at 4007F1..400805, the 0 terminator at 400806
.rodata:00000000004007F0 compare db ‘E’ ; DATA XREF: decode1+38r   ; compare[0]; the XREF is the compare[i] read in decode1's loop
.rodata:00000000004007F1 a1zF1fkbufirfnf db ‘`1z[F1fkbUFiRFnftMUa{‘,0 ; compare[1..21] plus the terminator -- the string starts with a backtick; the auto-generated label a1zF1fkbufirfnf omits it, so copy the quoted bytes, not the label
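# Solver for decode1(): the binary accepts input[i] == i ^ compare[i] for every
# index i, so XORing each byte of compare with its index yields the input.
#
# compare is taken from the .rodata dump above: the byte 'E' followed by the
# string `1z[F1fkbUFiRFnftMUa{ -- the second byte is a backtick, which is easy
# to lose when copying; without it every later byte is paired with the wrong
# index and the output is garbage.
a = "E`1z[F1fkbUFiRFnftMUa{"


def decode(encoded: str) -> str:
    """Return the input decode1() accepts for the given compare bytes.

    Each character is XORed with its 0-based index.  The empty string
    decodes to the empty string.
    """
    return "".join(chr(i ^ ord(c)) for i, c in enumerate(encoded))


print(decode(a), end="")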
得到结果:E0xXB4lj\Lb^K
id\Gro