废话不多说,无壳直接拖入IDA。
关键代码
// IDA pseudocode: walks the std::string v11 one byte at a time and checks each
// byte against a table-driven expected value.
// NOTE(review): v11 presumably holds the user-supplied input and v14 presumably
// starts at 0; neither initialization is visible in this excerpt.
// sub_400D7A(&i) is the loop step, presumably the iterator's operator++.
for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) )
{
v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11);
// Loop exit test: sub_400D3D presumably implements iterator != (i != end).
if ( !sub_400D3D((__int64)&i, (__int64)&v13) )
break;
// sub_400D9A presumably dereferences the iterator; the current byte lands in v8.
v8 = *(unsigned __int8 *)sub_400D9A(&i);
// Expected byte = off_6020A0[dword_6020C0[v14]]: dword_6020C0 supplies an index
// into the data referenced by off_6020A0. On a mismatch sub_400B56 is called,
// which the surrounding write-up identifies as the failure path.
if ( (_BYTE)v8 != off_6020A0[dword_6020C0[v14]] )
sub_400B56((__int64)&i, (__int64)&v13, v8);
// NOTE(review): no bound on v14 is visible here, so an input longer than the
// index table would read past dword_6020C0 unless sub_400B56 never returns or
// the length is checked elsewhere. Confirm against the full function.
++v14;
}
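`sub_400B56` 这个函数打印出来的结果是 `Better luck next time`,所以上面的判断 `if ( (_BYTE)v8 != off_6020A0[dword_6020C0[v14]] )` 必须通过,即其中的不等条件不能成立,输入的每个字符都要等于 `off_6020A0[dword_6020C0[v14]]`。然后看 `off_6020A0` 和 `dword_6020C0` 的值:以 `dword_6020C0` 中的值为 index,在 `off_6020A0` 对应的字符串里面取字符,按顺序拼接的最终结果即为 flag。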
python代码如下
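# Lookup string that the write-up reads out of the binary (referenced via off_6020A0).
str_key = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
# Index table that the write-up reads out of dword_6020C0, one entry per expected character.
key = [36, 0, 5, 54, 101, 7, 39, 38, 45, 1, 3, 0, 13, 86, 1, 3, 101, 3, 45, 22, 2, 21, 3, 101, 0, 41, 68, 68, 1, 68, 43]

# The decompiled loop compares input character n with str_key[key[n]], so the
# accepted input is the lookup string sampled at each index in order.
# Both tables are static data in the binary, so the expected value can be
# rebuilt offline without running the check.
result = "".join(str_key[idx] for idx in key)
print(result)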
flag 为 `ALEXCTF{W3_L0v3_C_W1th_CL45535}`