攻防世界--logmein

测试文件：https://adworld.xctf.org.cn/media/task/attachments/a00849bb514c413f8a6526f6bb56c628

 

1.准备

得到信息

1. 64位文件
2. obj文件

 

2.IDA打开

将main函数转换为C语言代码

 1 void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
 2 {
 3   size_t v3; // rsi
 4   int i; // [rsp+3Ch] [rbp-54h]
 5   char s[36]; // [rsp+40h] [rbp-50h]
 6   int v6; // [rsp+64h] [rbp-2Ch]
 7   __int64 v7; // [rsp+68h] [rbp-28h]
 8   char v8[8]; // [rsp+70h] [rbp-20h]
 9   int v9; // [rsp+8Ch] [rbp-4h]
10 
11   v9 = 0;
12   strcpy(v8, ":\"AL_RT^L*.?+6/46");
13   v7 = 28537194573619560LL;
14   v6 = 7;
15   printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
16   printf("To continue, you must enter the correct password.\n");
17   printf("Enter your guess: ");
18   __isoc99_scanf("%32s", s);
19   v3 = strlen(s);
20   if ( v3 < strlen(v8) )
21     sub_4007C0(v8);
22   for ( i = 0; i < strlen(s); ++i )
23   {
24     if ( i >= strlen(v8) )
25       ((void (*)(void))sub_4007C0)();
26     if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
27       ((void (*)(void))sub_4007C0)();
28   }
29   sub_4007F0();
30 }

 

2.1 分析代码

进入sub_4007C0)()

void __noreturn sub_4007C0()
{
  printf("Incorrect password!\n");
  exit(0);
}

 

进入sub_4007F0();

void __noreturn sub_4007F0()
{
  printf("You entered the correct password!\nGreat job!\n");
  exit(0);
}

 

通过第26行代码，我们了解到flag的获取

for(i =0; i < strlen(v8); ++i){
    s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i];
}

 

2.2 算法代码

通过分析，实现算法的代码

#include 
#include 
#include <string.h>

#define BYTE unsigned char

int main(int argc, char* argv[]) {
    unsigned int i;
    char v8[18] = ":\"AL_RT^L*.?+6/46";
    __int64 v7 = 28537194573619560;
    int v6 = 7;

    char s[18] = "";
    for (i = 0; i < strlen(v8); ++i) {
        s[i] = (char)(*((BYTE*)&v7 + i % v6)^v8[i]);
    }

    printf("%s\n", s);

    system("PAUSE");
    return 0;
}

 

3. get flag！

转载于:https://www.cnblogs.com/Mayfly-nymph/p/11399801.html