666
64位程序,无壳,拖进ida,找到关键函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [rsp+0h] [rbp-1E0h]
char v5; // [rsp+F0h] [rbp-F0h]
memset(&s, 0, 0x1EuLL);
printf("Please Input Key: ", 0LL);
__isoc99_scanf("%s", &v5);
encode(&v5, (__int64)&s);
if ( strlen(&v5) == key ) // 长度18
{
if ( !strcmp(&s, enflag) ) // izwhroz""w"v.K".Ni
puts("You are Right");
else
puts("flag{This_1s_f4cker_flag}");
}
return 0;
}
有个加密函数,加密后的密文我们知道的,查看加密函数
int __fastcall encode(const char *a1, __int64 a2)
{
char v3[32]; // [rsp+10h] [rbp-70h]
char v4[32]; // [rsp+30h] [rbp-50h]
char v5[40]; // [rsp+50h] [rbp-30h]
int v6; // [rsp+78h] [rbp-8h]
int i; // [rsp+7Ch] [rbp-4h]
i = 0;
v6 = 0;
if ( strlen(a1) != key )
return puts("Your Length is Wrong");
for ( i = 0; i < key; i += 3 )
{
v5[i] = key ^ (a1[i] + 6);
v4[i + 1] = (a1[i + 1] - 6) ^ key;
v3[i + 2] = a1[i + 2] ^ 6 ^ key;
*(_BYTE *)(a2 + i) = v5[i];
*(_BYTE *)(a2 + i + 1LL) = v4[i + 1];
*(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
}
return a2;
}
非常简单,写一个逆算法脚本,得到flag
a = 'izwhroz""w"v.K".Ni'
key = 18
a_ = list(map(ord,list(a)))
flag = ''
for i in range(0,key,3):
flag += chr((a_[i]^key)-6)
flag += chr((a_[i+1]^key)+6)
flag += chr(a_[i+2]^key^6)
print(flag)