需要用到的知识点：对同一个值 xor 两次等于没有 xor（x ^ k ^ k == x）
学到的软件操作：在 IDA 中用 Shift+E 提取字符数组！
1. 主函数反编译得到伪代码
// Pseudocode of main() as produced by the decompiler (see the notes above).
// What matters for the solve: the input must be exactly 33 characters, it is
// transformed in place by a running XOR, and the result is compared
// byte-for-byte against the 33-byte constant `global`.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // rsi
int result; // eax
signed int i; // [rsp+2Ch] [rbp-124h]
char v6[264]; // [rsp+40h] [rbp-110h] -- input buffer; only the first 256 bytes are used
__int64 v7; // [rsp+148h] [rbp-8h] -- stack canary slot, checked before returning
memset(v6, 0, 0x100uLL); // clear the first 256 bytes of the input buffer
v3 = (char *)256; // appears to be a decompiler artefact of register reuse (rsi); "Failed" has no format specifier, so the value is never consumed
printf("Input your flag:\n", 0LL);
get_line(v6, 256LL); // reads the user's line into v6; defined elsewhere, presumably bounded to 256 bytes
if ( strlen(v6) != 33 ) // anything but exactly 33 characters fails immediately
goto LABEL_12;
// Running XOR: v6[i - 1] was already rewritten by the previous iteration,
// so new[i] = old[i] ^ new[i - 1], with new[0] = old[0] left untouched.
for ( i = 1; i < 33; ++i )
v6[i] ^= v6[i - 1];
v3 = global;
if ( !strncmp(v6, global, 0x21uLL) ) // 0x21 == 33 bytes compared against `global`
printf("Success", v3);
else
LABEL_12: // reached from the goto above as well as from the else branch
printf("Failed", v3);
// Stack-protector epilogue: result is 0 only if the canary slot v7 is intact.
result = __stack_chk_guard;
if ( __stack_chk_guard == v7 )
result = 0;
return result;
}
if ( strlen(v6) != 33 )//可以看出flag为33位
for ( i = 1; i < 33; ++i )
v6[i] ^= v6[i - 1];//v6[1]=v6[1]^v6[0]。
可以发现 xor 的规律：循环执行到第 i 步时 v6[i-1] 已经在上一步被改写，所以新的 v6[i] = 原 v6[i] ^ 新 v6[i-1]；反过来原 v6[i] = 新 v6[i] ^ 新 v6[i-1]，也就是把 global 中相邻两个字节异或即可还原（v6[0] 不变）。
提取到的global字符串
// Contents of `global`, extracted from the binary with Shift+E: the 33 bytes
// that main() compares against the XOR-transformed input, followed by the
// string's NUL terminator (34 entries in total).
unsigned char ida_chars[] =
{
102, 10, 107, 12, 119, 38, 79, 46, 64, 17,
120, 13, 90, 59, 85, 17, 112, 25, 70, 31,
118, 34, 77, 35, 68, 14, 103, 6, 104, 15,
71, 50, 79, 0
};
程序把我们输入的 flag 做上述 xor 变换后与这个 global 字符串比较，相等就正确了。
前文提到,两次xor即可还原,so~再xor一次!
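# Recover the original input from the expected output of main()'s XOR loop.
#
# main() transforms the input in place as new[i] = old[i] ^ new[i - 1] for
# i = 1..32 and leaves new[0] = old[0]; XOR-ing adjacent *output* bytes
# therefore undoes it: old[i] = new[i] ^ new[i - 1].
#
# `a` holds the bytes of `global` as extracted from IDA (Shift+E). The
# trailing 0 is the C string terminator, not part of the 33-byte flag; the
# original one-liner only worked because a[0 - 1] silently wrapped around to
# that 0, so the first byte is now handled explicitly instead.
a = [102, 10, 107, 12, 119, 38, 79, 46, 64, 17, 120, 13, 90, 59, 85, 17, 112, 25, 70, 31, 118, 34, 77, 35, 68, 14, 103, 6, 104, 15, 71, 50, 79 ,0]
out = a[:33]  # exactly the 0x21 bytes strncmp() compares in main()
s = chr(out[0])  # first byte is untouched by the XOR loop
for i in range(1, len(out)):
    s += chr(out[i] ^ out[i - 1])
print(s)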
![在这里插入图片描述](https://img-blog.csdnimg.cn/20200715104441132.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NzE1ODk0Nw==,size_16,color_FFFFFF,t_70)
flag{QianQiuWanDai_YiTongJiangHu}