文件用IDA打开,反编译主函数
/*
 * Decompiled entry point (IDA output; only comments were added).
 * Flow: print a prompt, read the user's input into v12, then accept the
 * input only if (1) strlen(v12) is between 5 and 29, (2) it starts with
 * "EIS{", (3) the byte at v12[28] (shown as v13, see below) is '}', and
 * (4) sub_4011C0 accepts it.  Every other path prints
 * "Sorry, keep trying!" and returns 0, so the return value does not
 * distinguish success from failure.
 *
 * sub_402B30(&unk_446360, str) followed by sub_4013F0(x, sub_403670) is
 * used for every line of output; the shape resembles C++ stream output
 * (operator<< on a global stream, then a manipulator) -- unconfirmed and
 * not needed for understanding the check itself.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    void *v3; // eax
    int v4; // edx -- never assigned before it is passed to sub_401440 below:
            // the decompiler could not recover what edx held at that call
            // (presumably an artifact, not a real argument) -- TODO confirm in the asm
    void *v5; // eax
    int result; // eax
    void *v7; // eax
    void *v8; // eax
    void *v9; // eax
    size_t i; // [esp+4Ch] [ebp-8Ch]
    char v11[4]; // [esp+50h] [ebp-88h] -- receives "EIS{" (5 bytes incl. NUL);
                 // there are 8 bytes between v11 and v12 (ebp-88h vs ebp-80h),
                 // so the NUL lands in the unnamed 4 bytes after v11 and
                 // strlen(v11) below evaluates to 4
    char v12[28]; // [esp+58h] [ebp-80h] -- the user's input
    char v13; // [esp+74h] [ebp-64h] -- ebp-80h + 28: the byte directly after
              // v12, i.e. v12[28]; the decompiler shows it as a separate local
    v3 = (void *)sub_402B30((int)&unk_446360, "Give me your flag:");
    sub_4013F0(v3, (int (__cdecl *)(void *))sub_403670);
    // NOTE(review): reads the input into v12. The trailing 127 looks like a
    // length limit while v12 is only 28 bytes, so if that is what it is,
    // inputs longer than 28 bytes overrun the frame before any check runs --
    // confirm against sub_401440.
    sub_401440((int)&dword_4463F0, v4, (int)v12, 127);
    // Length must be 5..29 (0x1E == 30).
    if ( strlen(v12) < 0x1E && strlen(v12) > 4 )
    {
        strcpy(v11, "EIS{"); // check of the first four characters
        // Only the first strlen(v11) == 4 bytes are compared with the prefix.
        for ( i = 0; i < strlen(v11); ++i )
        {
            if ( v12[i] != v11[i] )
            {
                v7 = (void *)sub_402B30((int)&unk_446360, "Sorry, keep trying! ");
                sub_4013F0(v7, (int (__cdecl *)(void *))sub_403670);
                return 0;
            }
        }
        // 125 == '}'.  Because v13 is v12[28], this together with
        // strlen(v12) < 30 forces the input to be exactly 29 bytes, ending in '}'.
        if ( v13 == 125 )
        {
            if ( sub_4011C0(v12) ) // key function: validates the flag body
                v9 = (void *)sub_402B30((int)&unk_446360, "Congratulations! ");
            else
                v9 = (void *)sub_402B30((int)&unk_446360, "Sorry, keep trying! ");
            sub_4013F0(v9, (int (__cdecl *)(void *))sub_403670);
            result = 0;
        }
        else
        {
            v8 = (void *)sub_402B30((int)&unk_446360, "Sorry, keep trying! ");
            sub_4013F0(v8, (int (__cdecl *)(void *))sub_403670);
            result = 0;
        }
    }
    else
    {
        v5 = (void *)sub_402B30((int)&unk_446360, "Sorry, keep trying!");
        sub_4013F0(v5, (int (__cdecl *)(void *))sub_403670);
        result = 0;
    }
    return result;
}
看到返回“Congratulations”的if条件,可猜测函数sub_4011C0
为判断flag的关键函数,进去看内容:
/*
 * Flag body check.  Strips the first 4 bytes and the last byte of a1
 * (with main's input that is "EIS{" and "}"), swaps the case of every
 * ASCII letter, maps each byte through sub_4013C0 and XORs it with the
 * table byte_4420B0, then compares the result with a fixed 24-byte
 * string.  Returns true only on an exact match.
 *
 * Bounds: nothing in this function limits the copy into v8[128] or the
 * writes into v4[32] except strlen(a1); the caller (main) caps the
 * input at 29 bytes, which keeps both inside their buffers.  Called
 * with a longer string this function would overrun them.
 */
bool __cdecl sub_4011C0(char *a1)
{
    size_t v2; // eax
    signed int v3; // [esp+50h] [ebp-B0h] -- "this byte was just uppercased" flag
    char v4[32]; // [esp+54h] [ebp-ACh] -- transformed output, compared at the end
    int v5; // [esp+74h] [ebp-8Ch] -- set to 0 and otherwise unused here
    int v6; // [esp+78h] [ebp-88h] -- write index into v8
    size_t i; // [esp+7Ch] [ebp-84h]
    char v8[128]; // [esp+80h] [ebp-80h] -- a1 without its 4-byte prefix and last byte
    if ( strlen(a1) <= 4 )
        return 0;
    // Copy a1[4 .. strlen(a1)-2] into v8 and NUL-terminate it.
    i = 4;
    v6 = 0;
    while ( i < strlen(a1) - 1 )
        v8[v6++] = a1[i++]; // v8 receives the content between "EIS{" and "}"
    v8[v6] = 0;
    v5 = 0;
    v3 = 0;
    memset(v4, 0, 0x20u); // v4 starts zeroed, so strcmp below sees a NUL after the last written byte
    // strlen(v8) is re-evaluated on every iteration.
    for ( i = 0; ; ++i )
    {
        v2 = strlen(v8);
        if ( i >= v2 )
            break;
        if ( v8[i] >= 'a' && v8[i] <= 'z' ) // lowercase letters in v8 are converted to uppercase
        {
            v8[i] -= 32;
            v3 = 1; // remember the conversion so the next test does not undo it
        }
        // Uppercase letters that were not just produced above become lowercase;
        // net effect: every ASCII letter has its case swapped.
        if ( !v3 && v8[i] >= 'A' && v8[i] <= 'Z' )
            v8[i] += 32;
        // byte_4420B0 is a per-position key table (it appears as t[] in the
        // solve script); the result is truncated to a char when stored.
        v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
        v3 = 0;
    }
    // The target is 24 bytes, so the body must be exactly 24 bytes long.
    return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;
}
其中函数sub_4013C0
内容为:
/*
 * Per-byte transform applied to each flag character before the XOR with
 * byte_4420B0 in sub_4011C0: XOR with 0x55, then add 72.
 *
 * @param a1  the (sign-extended) character value
 * @return    (a1 ^ 0x55) + 72; the caller stores only the low byte.
 *            Inverse: (y - 72) ^ 0x55.
 */
int __cdecl sub_4013C0(int a1)
{
    int masked = a1 ^ 0x55;
    return 72 + masked;
}
根据函数逻辑反向运算就能得到flag
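# Inverts sub_4011C0 to recover the flag body.
#
# For position i the binary stores, as a single byte,
#     v4[i] = t[i] ^ ((x ^ 0x55) + 72)
# where x is the input character after swapping its case, and then
# compares v4 against s.  So: undo the XOR with t, undo "+ 72" with
# byte (mod 256) arithmetic since the C code keeps only the low byte,
# undo "^ 0x55", and finally swap the case back (the swap is its own
# inverse).
t = [ 13, 19, 23, 17, 2, 1, 32, 29, 12, 2,
      25, 47, 23, 43, 36, 31, 30, 22, 9, 15,
      21, 39, 19, 38, 10, 47, 30, 26, 45, 12,
      34, 4]  # byte_4420B0 as dumped; only the first len(s) entries are used
s = "GONDPHyGjPEKruv{{pj]X@rF"  # the string strcmp'd against v4


def swap_case(code):
    """Mirror of the case swap in sub_4011C0: flips ASCII letters only.

    code: integer byte value.  Returns the swapped byte value.
    """
    if 97 <= code <= 122:
        return code - 32
    if 65 <= code <= 90:
        return code + 32
    return code


def recover(target, key):
    """Return the flag body whose transform under ``key`` equals ``target``.

    target: the expected output string (one char per byte).
    key:    the per-position XOR table; must be at least len(target) long.
    Raises ValueError when the key is too short rather than failing partway.
    """
    if len(key) < len(target):
        raise ValueError('key table shorter than target')
    body = []
    for pos, ch in enumerate(target):
        a = ((ord(ch) ^ key[pos]) - 72) & 0xFF  # undo '+ 72' as byte arithmetic
        a ^= 0x55                                # undo '^ 0x55'
        body.append(chr(swap_case(a)))
    return ''.join(body)


f = recover(s, t)
print('EIS{'+f+'}')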
运行得到flag
EIS{wadx_tdgk_aihc_ihkn_pjlm}