xxxorrr
无壳直接看源码
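// Decompiled entry point (IDA pseudocode).  Reads one line from stdin and
// XORs it byte-wise into the global buffer s1 (defined elsewhere in the
// binary; its size is not shown in this listing).
//
// Reading notes:
//  - sub_A90(sub_916) only passes sub_916 as an argument; main never calls
//    sub_916 itself, so it is presumably registered to run later (an
//    atexit-style hook) -- confirm by reading sub_A90.
//  - fgets(s, 35, stdin) stores at most 34 bytes plus a NUL into the 40-byte
//    local s, so the loop over s[0..33] stays inside the buffer.  If the line
//    is shorter than 34 characters the remaining s[i] are whatever was on the
//    stack (s is not initialised), and those bytes are XORed into s1 too.
//  - v6 = __readfsqword(0x28u) reads the stack-protector canary from fs:0x28;
//    this listing never compares it again (sub_916/sub_84A do).
//  - The original listing lost the ';' after "return 0LL" and the closing
//    brace; both are restored here.
// Returns 0.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    int i;               // [rsp+Ch] [rbp-34h]
    char s[40];          // [rsp+10h] [rbp-30h] BYREF
    unsigned __int64 v6; // [rsp+38h] [rbp-8h]

    v6 = __readfsqword(0x28u);
    sub_A90(sub_916);
    fgets(s, 35, stdin);
    for ( i = 0; i <= 33; ++i ) {
        s1[i] ^= s[i];   // fold input byte i into s1[i]
    }
    return 0LL;
}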
看到主函数,输入的s与s1的元素进行异或,点击sub_916函数找s1
// Decompiled verdict routine.  main hands it to sub_A90 and never calls it
// directly, so it presumably runs later (e.g. at exit) -- confirm in sub_A90.
// Compares the global byte strings s1 and s2 and prints the result.
// Returns the stack-protector check value (canary XOR canary, 0 when intact).
unsigned __int64 sub_916()
{
    unsigned __int64 canary = __readfsqword(0x28u); // [rsp+8h] [rbp-8h]

    // strcmp stops at the first NUL in either buffer: only bytes up to the
    // terminator take part in the comparison.
    if ( strcmp(s1, s2) == 0 ) {
        puts("Congratulations!");
    } else {
        puts("Wrong!");
    }
    return __readfsqword(0x28u) ^ canary;
}
#.data:0000000000201060 s2 db 'VNWXQQ',9,'F' ; DATA XREF: sub_916+17↑o
.data:0000000000201068 db 17h
.data:0000000000201069 db 46h ; F
.data:000000000020106A db 54h ; T
.data:000000000020106B db 5Ah ; Z
.data:000000000020106C db 59h ; Y
.data:000000000020106D db 59h ; Y
.data:000000000020106E db 1Fh
.data:000000000020106F db 48h ; H
.data:0000000000201070 db 32h ; 2
.data:0000000000201071 db 5Bh ; [
.data:0000000000201072 db 6Bh ; k
.data:0000000000201073 db 7Ch ; |
.data:0000000000201074 db 75h ; u
.data:0000000000201075 db 6Eh ; n
.data:0000000000201076 db 7Eh ; ~
.data:0000000000201077 db 6Eh ; n
.data:0000000000201078 db 2Fh ; /
.data:0000000000201079 db 77h ; w
.data:000000000020107A db 4Fh ; O
.data:000000000020107B db 7Ah ; z
.data:000000000020107C db 71h ; q
.data:000000000020107D db 43h ; C
.data:000000000020107E db 2Bh ; +
.data:000000000020107F db 26h ; &
.data:0000000000201080 db 89h
这里将s1和s2对比,相同就正确,所以s1应该就是flag加密后的字符串
// Decompiled transform on the global buffer s1: byte idx is XORed with the
// key 65 + 2*idx (0x41, 0x43, ..., 0x83 for idx 0..33), the same 34-byte
// span main's loop touches.  main never calls this function; the flag text
// on this page hints it is a constructor-style function, but how it is
// reached is not visible in this listing -- confirm in the binary.
// Returns the stack-protector check value (canary XOR canary, 0 when intact).
unsigned __int64 sub_84A()
{
    unsigned __int64 canary = __readfsqword(0x28u); // [rsp+18h] [rbp-8h]

    for ( int idx = 0; idx < 34; ++idx ) {
        s1[idx] ^= 65 + 2 * idx;
    }
    return __readfsqword(0x28u) ^ canary;
}
这是加密s1的函数,看到进行了一次异或
函数整体分析,函数先将输入的s与s1进行异或得到新s1,新s1经过sub_84A()函数加密后得到的s1与s2相同
解题思路:将s2与s1异或得到s1异或前的元素,通过加密函数逆向推出正确的flag
exp
# Expected ciphertext s2 (the .data listing above shows the first 33 bytes).
s2 = [0x56, 0x4E, 0x57, 0x58, 0x51, 0x51, 0x09, 0x46, 0x17, 0x46,
      0x54, 0x5A, 0x59, 0x59, 0x1F, 0x48, 0x32, 0x5B, 0x6B, 0x7C,
      0x75, 0x6E, 0x7E, 0x6E, 0x2F, 0x77, 0x4F, 0x7A, 0x71, 0x43,
      0x2B, 0x26, 0x89, 0xFE, 0x00]
# Initial contents of s1 as shown by the decompiler (33 printable characters).
s1 = 'qasxcytgsasxcvrefghnrfghnjedfgbhn'

# XOR is its own inverse and commutative, so the order in which the binary
# applies the three layers does not matter:
#   flag[i] = s2[i] ^ s1[i] ^ (2*i + 65)
# zip() stops at the shorter sequence (s1, 33 bytes), so 33 characters are
# recovered, exactly like the original range(33) loop.
flag = ''.join(chr(ord(c) ^ (2 * i + 65) ^ k)
               for i, (c, k) in enumerate(zip(s1, s2)))
print(flag)
# flag{c0n5truct0r5_functi0n_in_41f}
# Note: the printed value is 33 characters long; the closing '}' (byte 34,
# which would pair with s2[33] = 0xFE) is not produced by this loop because
# the transcribed s1 string has no 34th character.