签到题一般简单,上来就是IDA(不管了,IDA!!!)
找主函数,这个题类似的做过好几个了
// IDA Hex-Rays pseudocode for the challenge's main(): each value returned by
// sub_400818 is compared against a value derived from the constant table v9,
// and the result selects the aFailed or aCorrect message.
// The sub_XXXXXX callees are unnamed and their bodies are not shown in this
// listing, so any role attributed to them below is inferred from call shape only.
int __fastcall main(int argc, const char **argv, const char **envp)
{
// v3 is never assigned in this listing; NOTE(review): likely a register
// artifact of the decompiler rather than a real local - confirm in disassembly.
__int64 v3; // rdx
__int64 v4; // rcx
// v6: accumulated mismatch bits, v7: current index, v8: last value read.
int v6; // [rsp+4h] [rbp-8Ch]
unsigned int v7; // [rsp+8h] [rbp-88h]
int v8; // [rsp+Ch] [rbp-84h]
// 31-entry constant table the input is checked against.
_DWORD v9[31]; // [rsp+10h] [rbp-80h] BYREF
_BYTE v10[4]; // [rsp+8Ch] [rbp-4h] BYREF
v9[0] = 102;
v9[1] = 109;
v9[2] = 99;
v9[3] = 98;
v9[4] = 127;
v9[5] = 58;
v9[6] = 85;
v9[7] = 106;
v9[8] = 57;
v9[9] = 82;
v9[10] = 122;
v9[11] = 55;
v9[12] = 81;
v9[13] = 19;
v9[14] = 51;
v9[15] = 35;
v9[16] = 67;
v9[17] = 70;
v9[18] = 41;
v9[19] = 61;
v9[20] = 41;
v9[21] = 32;
v9[22] = 127;
v9[23] = 28;
v9[24] = 38;
v9[25] = 77;
v9[26] = 49;
v9[27] = 20;
v9[28] = 80;
v9[29] = 94;
v9[30] = -24;
// NOTE(review): the (buffer, 0, 4) argument shape looks like memset zeroing
// v10 rather than an input read - confirm; v10 is not used again in this listing.
sub_4007F8(v10, 0LL, 4LL);
v7 = 0;
v6 = 0;
// Presumably prints the prompt string aFlag - confirm.
sub_400808(aFlag);
do
{
// Presumably a getchar-style read: the loop ends on 0, 10 ('\n') or -1.
v8 = sub_400818();
// ORs in every bit where v8 differs from v7 ^ (v7 + (v7 ^ v9[v7])), so v6
// stays 0 only if every value read, including the terminating one, matches.
// NOTE(review): v7 is not bounded by this loop; more than 31 reads without a
// terminator would index v9 past its last element.
v6 |= v8 ^ v7 ^ (v7 + (v7 ^ v9[v7]));
v4 = v7++;
}
while ( v8 && v8 != 10 && v8 != -1 );
// Non-zero v6 means at least one position mismatched.
if ( v6 )
sub_400828(aFailed, 0LL, v3, v4);
else
sub_400828(aCorrect, 0LL, v3, v4);
return 0;
}
主函数的代码找到,一看一堆数据,拿AI分析代码逻辑
- 初始化一个包含 31 个整数的数组 `v9`,这些值是某种加密后的 flag
- 调用 `sub_4007F8` 函数读取用户输入(可能是 4 个字节)(注:从参数 `(v10, 0, 4)` 的形式看,这个调用更像是 memset 清零,真正逐字符读取输入的是循环里的 `sub_400818`,需对照反汇编确认)
- 进入一个循环,每次迭代:
  - 调用 `sub_400818` 读取一个字符
  - 进行一系列异或和加法运算,更新校验值 `v6`
- 根据校验值 `v6` 判断输入是否正确
依旧是异或这一块:`v6` 只有在每一位输入都满足 `v8 == v7 ^ (v7 + (v7 ^ v9[v7]))` 时才保持为 0,所以期望的字符可以直接由 `v9` 逐位算出来,那就按照这个逻辑写脚本呗
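# Constant table copied from the decompiled main(); one entry per checked position.
v9 = [
    102, 109, 99, 98, 127, 58, 85, 106, 57, 82,
    122, 55, 81, 19, 51, 35, 67, 70, 41, 61,
    41, 32, 127, 28, 38, 77, 49, 20, 80, 94, -24
]
flag = []
for v7 in range(len(v9)):
    # The checker keeps v6 == 0 only when v8 == v7 ^ (v7 + (v7 ^ v9[v7])),
    # so the expected value at each index follows directly from the table.
    x = v7 ^ v9[v7]
    y = v7 + x
    v8 = v7 ^ y
    # Keep the low byte only (0..255). The last table entry (-24) decodes to
    # 10 ('\n'), the line terminator that ends the checker's read loop, so the
    # joined string carries a trailing newline after the closing brace.
    flag.append(chr(v8 & 0xFF))
print('Flag:', ''.join(flag))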
运行就是:
Flag: flag{A_s1mpLe&E4sy_RE_i5Nt_1t}
overoverover!!!