这是攻防世界中一个入门级的逆向题目。
IDA打开
(从IDA中还原C代码,如下:)
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int i; // [esp+4Ch] [ebp-8Ch]
char v5[8]; // [esp+50h] [ebp-88h] BYREF
char Str[128]; // [esp+58h] [ebp-80h] BYREF
sub_402B30(&unk_446360, "Give me your flag:");
sub_4013F0(sub_403670);
sub_401440(Str, 127);
if ( strlen(Str) < 0x1Eu && strlen(Str) > 4u )
{
strcpy(v5, "EIS{");
for ( i = 0; i < strlen(v5); ++i )
{
if ( Str[i] != v5[i] )
goto LABEL_7;
}
if ( Str[28] != 125 )
{
LABEL_7:
sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
return 0;
}
if ( (unsigned __int8)sub_4011C0(Str) )
sub_402B30(&unk_446360, "Congratulations! ");
else
sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(sub_403670);
return 0;
}
else
{
sub_402B30(&unk_446360, "Sorry, keep trying!");
sub_4013F0(sub_403670);
return 0;
}
}
代码分析:
可以判断出长度为29,格式为EIS{…},如果任意一项不符合,程序打印Sorry, keep trying! 并退出。如果符合进入sub_402B30中。
首先把数组中大写字母转为小写字母,小写字母转为大写字母。然后把数组与0x55异或后+72,然后再与数组byte_4420B0异或。
byte_4420B0为{ 0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 0x19, 0x2F, 0x17, 0x2B,0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x04 };
和GONDPHyGjPEKruv{{pj]X@rF进行比较。
判断出执行结果为GONDPHyGjPEKruv{{pj]X@rF。如果相同则正确
写出代码获取flag
int main()
{
int a[] = { 0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 0x19, 0x2F, 0x17, 0x2B,
0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A,
0x2D, 0x0C, 0x22, 0x04 };
char* m = (char *)"GONDPHyGjPEKruv{{pj]X@rF";
char s;
int v2=0;
printf("EIS{");
int i = 0;
while (i<24)
{
for (char j = 0; j < 255; j++)
{
if ((((j ^ 0x55) + 72)^a[i]) == m[i])
{
s = j;
break;
}
}
if (s>= 'a' && s <= 'z')
{
s -= 32;
v2 = 1;
}
if (!v2 && s >= 'A' && s <= 'Z')
s += 32;
printf("%c", s);
i++;
}
printf("}");
}
根据分析出的算法进行还原得到flag
flag为
EIS{wadx_tdgk_aihc_ihkn_pjlm}