记事本打开发现文件头是ELF,拖入IDA进行反编译,发现只有几个函数
查看main函数,发现读入输入以后调用sub_4005B6()函数处理,然后判断长度是否为24,再与0x601060处的字符串进行比较
再进一步看sub_4005B6,发现是按照0x6010C0处的14997个字节来处理,每3个字节为一组:每组的第一个字节为处理方式,通过switch来判断,包括加减乘异或等;第二个字节指定处理第几个字节;第三个字节则为操作数
可以写一个idc脚本:
#include<idc.idc>
static main()
{
    // Undo the transformation table at 0x6010C0 against the 24 flag slots at
    // 0x601060. The table is walked as 3-byte records (op, slot index, operand)
    // from the end back to the start, so the inverse patches are applied in the
    // reverse of the order the binary used them. Each slot is 4 bytes wide,
    // hence the `* 4` stride on the slot index.
    //
    // PatchByte(a, v) writes v into the database byte at a, so patching the
    // 24 characters at 0x601060 in place yields the flag directly. Because the
    // IDB itself is modified, run this on a copy of the database.
    //
    // NOTE(review): the loop starts at i = 14997, i.e. at the record
    // table_base + 14997..14999; with a 14997-byte table the last complete
    // record begins at 14994 — confirm the bound against the binary's own loop
    // before trusting the output. Ops 1 and 4 both subtract (presumably both
    // are additions in the binary — verify in the decompiled switch).
    auto table_base, i, op, slot, operand;
    table_base = 0x6010C0;
    for (i = 14997; i >= 0; i = i - 3)
    {
        op = Byte(table_base + i);
        operand = Byte(table_base + i + 2);
        // Unknown op codes are skipped without touching the database.
        if (op < 1 || op > 5)
            continue;
        slot = 0x601060 + Byte(table_base + i + 1) * 4;
        if (op == 1)
            PatchByte(slot, Byte(slot) - operand);
        else if (op == 2)
            PatchByte(slot, Byte(slot) + operand);
        else if (op == 3)
            PatchByte(slot, Byte(slot) ^ operand);
        else if (op == 4)
            PatchByte(slot, Byte(slot) - operand);
        else
            // op 5: xor with another slot's byte, the operand selecting the slot.
            PatchByte(slot, Byte(slot) ^ Byte(0x601060 + operand * 4));
    }
    // Print the recovered 24-character string, one byte per 4-byte slot.
    for (i = 0; i < 24; i++)
        Message("%c", Byte(0x601060 + i * 4));
}
运行脚本即可得到答案。