HateIntel

看图标应该是ios的逆向
看reader me，只提示Find The Password
用ida打开，查字符串，找到主函数

int sub_2224()
{
  char v1; // [sp+4h] [bp-5Ch]@1
  int v2; // [sp+54h] [bp-Ch]@1
  signed __int32 v3; // [sp+58h] [bp-8h]@1
  signed __int32 i; // [sp+5Ch] [bp-4h]@1
  char vars0; // [sp+60h] [bp+0h]@2  60h=96

  v2 = 4;
  printf("Input key : ");
  scanf("%s", &v1);
  v3 = strlen(&v1);
  sub_232C(&v1, v2);
  for ( i = 0; i < v3; ++i )
  {
    if ( (unsigned __int8)*(&vars0 + i - 92) != byte_3004[i] )//处理后的输入不等于已知
    {
      puts("Wrong Key! ");
      return 0;
    }
  }
  puts("Correct Key! ");
  return 0;
}

看sub_232是如何处理的

signed __int32 __fastcall sub_232C(signed __int32 &v1, int a2=4)
{
  int v2; // [sp+0h] [bp-14h]@1
  char *v3; // [sp+4h] [bp-10h]@1
  int i; // [sp+8h] [bp-Ch]@1
  signed __int32 j; // [sp+Ch] [bp-8h]@2

  v3 = (char *)&v1;
  v2 = a2 = 4;
  for ( i = 0; i < 4; ++i )
  {
    for ( j = 0; ; ++j )
    {
      &v1 = strlen(v3);
      if ( &v1 <= j )
        break;
      v3[j] = sub_2494((unsigned __int8)v3[j], 1);
    }
  }
  return &v1;
}

int __fastcall sub_2494(unsigned __int8 a1, int a2)
{
  int v3; // [sp+8h] [bp-8h]@1
  int i; // [sp+Ch] [bp-4h]@1

  v3 = a1;
  for ( i = 0; i < a2; ++i )
  {
    v3 *= 2;
    if ( v3 & 0x100 )//100000000
      v3 |= 1u;  //或无符号1.类似于左移一位，最高位移到最低位
  }
  return (unsigned __int8)v3;
}

也就是每个字符这样移4次。所以我们只需要把已知右移四次。
写个c

#include <stdio.h>
int main()
{
    unsigned char s[30]={0x44, 0xF6, 0xF5, 0x57, 0xF5, 0xC6, 0x96, 0xB6, 0x56,0xF5, 0x14, 0x25, 0xD4, 0xF5, 0x96, 0xE6, 0x37, 0x47,0x27, 0x57, 0x36, 0x47, 0x96, 3, 0xE6, 0xF3, 0xA3,0x92, 0};
    int i,j,c;
    for(i=0;s[i]!=0;i++)
    {
        for(j=0;j<4;j++)
        {
            c = s[i] & 1;
            s[i] = (s[i] >> 1) + c*0x80;

        }
        printf("%c",s[i]);
    }
}

跑出来是：Do_u_like_ARM_instructi0n?:)