睡前才猛然想起今天NSSCTF有比赛,来不及了 (╥╯^╰╥)
用IDA反编译,找关键字符串:
查看调用找到主函数
// IDA pseudocode of the main check routine (helper symbols unresolved):
// prints a prompt, reads a string into v11, gates on its length, then feeds
// three consecutive 8-byte chunks of the input to three function pointers
// (qword_140029370/78/80) and prints the success or "Try harder" message.
// Every path visible here returns 0 (v16 / v17 are set to 0 before being returned).
__int64 sub_140018C10()
{
    char *v0; // rdi
    signed __int64 i; // rcx
    __int64 v2; // rax
    __int64 v3; // rax
    __int64 v4; // rax
    __int64 v5; // rax
    __int64 v6; // rax
    __int64 v7; // rax
    __int64 v8; // rdi
    char v10; // [rsp+0h] [rbp-20h]
    char v11; // [rsp+28h] [rbp+8h]
    _QWORD *v12; // [rsp+68h] [rbp+48h]
    _QWORD *v13; // [rsp+88h] [rbp+68h]
    _QWORD *v14; // [rsp+A8h] [rbp+88h]
    _QWORD *v15; // [rsp+C8h] [rbp+A8h]
    unsigned int v16; // [rsp+1A4h] [rbp+184h]
    unsigned int v17; // [rsp+1C4h] [rbp+1A4h]
    __int64 v18; // [rsp+1E8h] [rbp+1C8h]

    // Fills 130 DWORDs (520 bytes) of the local frame with -858993460
    // (0xCCCCCCCC). Looks like the MSVC debug-build uninitialised-stack
    // fill pattern; it plays no part in the flag check.
    v0 = &v10;
    for ( i = 130i64; i; --i )
    {
        *(_DWORD *)v0 = -858993460;
        v0 += 4;
    }
    v18 = -2i64;
    sub_14001112C(&unk_14002F034);
    // presumably constructs the std::string at v11 that std::cin is read into below -- confirm in IDA
    sub_14001173F(&v11);
    v2 = sub_140011262(std::cout, "Tell Me! Where is our xenny??");
    // sub_1400111FE is passed as a stream manipulator (endl-like) -- unverified
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v2, sub_1400111FE);
    // reads the user input into v11
    sub_14001129E(std::cin, &v11);
    // Length gate: sub_140011753(&v11) must return >= 0xC (12) to reach the chunk checks.
    if ( (unsigned __int64)sub_140011753(&v11) >= 0xC )
    {
        // v12 points 5 bytes into the input buffer (sub_1400115EB looks like a
        // data()/c_str() accessor -- confirm).
        v12 = (_QWORD *)(sub_1400115EB(&v11) + 5);
        v5 = sub_140011753(&v11);
        // Zeroes input[len - 1]: (BYTE*)v12 + v5 - 6 == buffer + 5 + len - 6.
        *((_BYTE *)v12 + v5 - 6) = 0;
        // Three consecutive 8-byte chunks: input[5..12], input[13..20], input[21..28].
        // NOTE(review): only len >= 12 is enforced, so *v14 / *v15 read past the
        // string's contents for inputs shorter than 29 bytes (std::string capacity
        // may mask it) -- keep in mind when testing with short inputs.
        v13 = v12;
        v14 = v12 + 1;
        v15 = v12 + 2;
        // Runs before the comparisons; the write-up says the check routines are
        // decrypted at runtime, so this may be the decryptor -- unconfirmed.
        sub_140011514();
        // Each chunk is handed to a function pointer; any non-zero result fails the check.
        if ( (unsigned int)qword_140029370(*v13)
          || (unsigned int)qword_140029378(*v14)
          || (unsigned int)qword_140029380(*v15) )
        {
            v7 = sub_140011262(std::cout, "Try harder");
            std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_1400111FE);
        }
        else
        {
            v6 = sub_140011262(std::cout, "I can't believe my golden doge eye! we are comarde!");
            std::basic_ostream<char,std::char_traits<char>>::operator<<(v6, sub_1400111FE);
        }
        v17 = 0;
        // presumably destroys the string at v11 (also called on the short-input path)
        sub_14001137A(&v11);
        v4 = v17;
    }
    else
    {
        // Input shorter than 12 bytes: fail without looking at the contents.
        v3 = sub_140011262(std::cout, "Try harder");
        std::basic_ostream<char,std::char_traits<char>>::operator<<(v3, sub_1400111FE);
        v16 = 0;
        sub_14001137A(&v11);
        v4 = v16;
    }
    v8 = v4;
    // Frame-teardown helper operating on the filled frame region -- purpose unconfirmed.
    sub_140011695(&v10, &unk_1400248E0);
    return v8;
}
这里是关键判断
if ( (unsigned int)qword_140029370(*v13)
|| (unsigned int)qword_140029378(*v14)
|| (unsigned int)qword_140029380(*v15) )
程序运行的时候会自己解密,直接下断点动态调试
根据程序要求输入16位长度
选中按C键转换成代码
按P键转换成函数,然后就可以按F5反编译了
可以看出第一部分代码要求等于 'oh_you_f'
剩下两段同理
得到最终的flag:
oh_you_found_our_x3nny