BUUCTF Reverse(xor)
首先用exeinfoPE判断一下,得到是64位的,没有加壳。接下来,用IDA64打开,找到main函数,F5反编译,查看伪代码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // rsi
int result; // eax
signed int i; // [rsp+2Ch] [rbp-124h]
char v6[264]; // [rsp+40h] [rbp-110h]
__int64 v7; // [rsp+148h] [rbp-8h]
memset(v6, 0, 0x100uLL);
v3 = (char *)256;
printf("Input your flag:\n", 0LL);
get_line(v6, 256LL);
if ( strlen(v6) != 33 )
goto LABEL_12;
for ( i = 1; i < 33; ++i )
v6[i] ^= v6[i - 1];
v3 = global;
if ( !strncmp(v6, global, 0x21uLL) )
printf("Success", v3);
else
LABEL_12:
printf("Failed", v3);
result = __stack_chk_guard;
if ( __stack_chk_guard == v7 )
result = 0;
return result;
}
分析伪代码,可以得到最为关键的两点:
if ( strlen(v6) != 33 )
可以猜测flag的长度为33for ( i = 1; i < 33; ++i ) v6[i] ^= v6[i - 1];
经过了异或运算
之后,查看汇编代码,可以看到字母和对应的16进制表示:
__cstring:0000000100000F6E aFKWOXZUPFVMDGH db 'f',0Ah ; DATA XREF: __data:_global↓o
__cstring:0000000100000F6E db 'k',0Ch,'w&O.@',11h,'x',0Dh,'Z;U',11h,'p',19h,'F',1Fh,'v"M#D',0Eh,'g'
__cstring:0000000100000F6E db 6,'h',0Fh,'G2O',0
最后,就可以编写相应的脚本 了:
string = ['f', 0x0A, 'k', 0x0C, 'w', '&', 'O', '.', '@', 0x11, 'x', 0x0D, 'Z', ';', 'U', 0x11, 'p', 0x19, 'F', 0x1F, 'v',
'"', 'M', '#', 'D', 0x0E, 'g', 6, 'h', 0x0F, 'G', '2', 'O']
for i in range(1, len(string)):
if (isinstance(string[i], int)):
string[i] = chr(string[i])
string = ''.join(string)
flag = 'f'
for i in range(1, len(string)):
flag += chr(ord(string[i]) ^ ord(string[i-1]))
print(flag)
用一个列表string存放字母和对应的16进制
之后,利用isinstance函数判断是否有int的,将它转为char字符
再将列表里的字符及合成字符串,进行异或运算,即可得到最终的flag
flag{QianQiuWanDai_YiTongJiangHu}