测试输入
显示
查壳
程序为 32 位，拖进 IDA 查看结构和 main 的伪代码
找到对应地址储存的值
分析代码
// Hex-Rays pseudocode of the crackme's entry point (not compilable as-is).
// Flow: decode the prompt and print it, read the user's input, XOR the input
// with 9, compare it with a stored string, then decode and print the
// "right"/"error" message.
// Every string named a... is declared outside this function and is decoded
// in place with a single-byte XOR (key 9) just before use. The comparison
// target aOehnl3rHfCcgpt is never decoded here; the input is encoded instead,
// so the expected input is simply that stored string XOR 9.
// NOTE(review): a one-byte XOR only hides strings from a plain string scan;
// it does not protect the expected value once the binary is opened.
int wmain()
{
signed int v0; // ecx
signed int i; // eax
signed int v2; // ecx
signed int j; // eax
signed int v4; // eax
int v5; // eax
signed int v6; // ecx
signed int k; // eax
signed int v8; // ecx
signed int l; // eax
// v11 (1 byte) + v12 (16 bytes) + v13 (2 bytes) are adjacent on the stack
// (ebp-18h .. ebp-6h) and are used together as one 19-byte input buffer.
char v11; // [esp+0h] [ebp-18h]
__int128 v12; // [esp+1h] [ebp-17h]
__int16 v13; // [esp+11h] [ebp-7h]
///
/*
Stored (encoded) bytes of each string, and the value after XOR with 9:
aNa -> {`na}                                ("right")
aLF -> l{{f{                                ("error")
aYelhzlGyOehnl3 -> yelhzl)`gy|})|)oehnl3    ("please input u flage:")
a80z -> ,80z                                ("%19s")
aOehnl3rHfCcgpt -> oehnl3r=<?=hF@CCGPt      (compared as stored; XOR 9 gives the expected input)
*/
///
// Decode the prompt in place and print it.
v0 = strlen(aYelhzlGyOehnl3);
for ( i = 0; i < v0; ++i )
aYelhzlGyOehnl3[i] ^= 9u;
// NOTE(review): the decoded string is passed as the format string. It comes
// from the binary, not from the user, but printf("%s", ...) would be the safe
// form in source code.
printf(aYelhzlGyOehnl3);
///
// Zero the 19 bytes of the input buffer.
v11 = 0;
v13 = 0;
_mm_storeu_si128((__m128i *)&v12, (__m128i)0i64);
// Decode the scanf format string in place.
v2 = strlen(a80z);
for ( j = 0; j < v2; ++j )
a80z[j] ^= 9u;
// NOTE(review): the decoded format "%19s" stores up to 19 characters plus a
// terminating NUL (20 bytes), while the locals shown above cover 19 bytes.
// The original buffer may have been declared larger - confirm in the
// disassembly before calling this an off-by-one.
scanf(a80z, &v11); // read user input
///
// XOR the first 19 bytes of the input buffer with 9 in place. The count is
// fixed at 19 and does not depend on how many characters were entered.
v4 = 0;
do
{
*(&v11 + v4) ^= 9u;
++v4;
}
while ( v4 < 19 );
///
v5 = strcmp(&v11, aOehnl3rHfCcgpt); // compare encoded input with the stored string
// Collapse any non-zero strcmp result to -1 or 1.
if ( v5 )
v5 = -(v5 < 0) | 1;
if ( v5 ) // mismatch
{
v6 = strlen(aLF);
for ( k = 0; k < v6; ++k )
aLF[k] ^= 9u;
printf(aLF); //error
}
else
{
v8 = strlen(aNa);
for ( l = 0; l < v8; ++l )
aNa[l] ^= 9u;
printf(aNa); //right
}
// The format has no conversion, so the extra argument is not printed
// (presumably a decompiler artifact).
printf("\r\n", *(_DWORD *)&v11);
system("pause");
return 0;
}
写脚本测试输出值
发现对应得出结果的 error 和 right,再回去分析
输入经过 do while 循环逐字节与 9 异或后，再与地址 aOehnl3rHfCcgpt 对应存的值比较；因此把该值同样逐字节与 9 异或，就得到最终的 flag
提交时记得去掉解出字符串里多余的 e 和 :
flage:{4564aOIJJNY}