先查看文件信息:没有加壳且为32位程序
运行,发现又是一道字符串比较的题目
用IDA32位打开分析代码
/*
 * Program entry (IDA pseudocode). Prints the prompt, reads the user's input
 * through sub_4010F0, then prints one of two messages depending on the
 * verdict of sub_401050. Never returns: ExitProcess(0) ends the process on
 * both paths, so the outcome is visible only in the text written to stdout.
 */
void __noreturn start()
{
  DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h] BYREF
  NumberOfBytesWritten = 0;
  hFile = GetStdHandle(0xFFFFFFF6);         // 0xFFFFFFF6 == (DWORD)-10 == STD_INPUT_HANDLE; kept in a global, used by ReadFile in sub_4010F0
  dword_403074 = GetStdHandle(0xFFFFFFF5);  // 0xFFFFFFF5 == (DWORD)-11 == STD_OUTPUT_HANDLE
  WriteFile(dword_403074, aG1v3M3T3hFl4g, 0x13u, &NumberOfBytesWritten, 0);     // 19-byte prompt
  sub_4010F0();                             // fills byte_403078 from stdin; its return value (always 1) is ignored
  if ( sub_401050() )                       // the actual check; all of the flag logic lives there
    WriteFile(dword_403074, aG00dJ0b, 0xAu, &NumberOfBytesWritten, 0);          // 10-byte success message
  else
    WriteFile(dword_403074, aN0tT00H0tRWe7r, 0x24u, &NumberOfBytesWritten, 0);  // 36-byte failure message
  ExitProcess(0);                           // exit code is 0 either way
}
跟进查看
看到这个只是个输入函数,将输入的字符串存储在byte_403078中
/*
 * Input routine (IDA pseudocode). Reads up to 0x104 (260) bytes from the
 * stdin handle hFile into a zeroed stack buffer, then copies the bytes into
 * the global byte_403078, dropping CR, LF and NUL. Always returns 1.
 */
int sub_4010F0()
{
  unsigned int v0; // eax
  char Buffer[260]; // [esp+0h] [ebp-110h] BYREF
  DWORD NumberOfBytesRead; // [esp+104h] [ebp-Ch] BYREF
  unsigned int i; // [esp+108h] [ebp-8h]
  char v5; // [esp+10Fh] [ebp-1h]
  v5 = 0;
  for ( i = 0; i < 0x104; ++i )   // zero all 260 bytes first; ReadFile's result and NumberOfBytesRead are never checked
    Buffer[i] = 0;
  ReadFile(hFile, Buffer, 0x104u, &NumberOfBytesRead, 0);
  // NOTE(review): a read of the full 260 bytes leaves Buffer without a terminator.
  // If sub_401020 is a strlen-style scan (the writeup infers that from sub_401050
  // but does not show it), a maximum-length input makes it read past Buffer —
  // confirm against the disassembly.
  for ( i = 0; ; ++i )
  {
    v0 = sub_401020((int)Buffer);  // recomputed on every iteration; presumably the string length — not shown on this page
    if ( i >= v0 )
      break;
    v5 = Buffer[i];
    if ( v5 != 10 && v5 != 13 )    // skip '\n' (10) and '\r' (13)
    {
      if ( v5 )                    // and skip NUL
        byte_403078[i] = v5;       // same index i, so a skipped byte leaves byte_403078[i] untouched rather than compacting
    }
  }
  // No bound is checked on i; byte_403180 sits 0x108 bytes after byte_403078, so
  // the 260 possible bytes appear to fit — presumably by layout, not by design.
  return 1;                        // unconditional; the caller discards it
}
那重点就是这个if条件中 的语句
跟进查看
/*
 * Check routine (IDA pseudocode). Derives byte_403180 from byte_403078 and
 * compares its first 0x27 (39) bytes with the constant table byte_403000.
 * Returns 1 on a full match, 0 at the first mismatch.
 *
 * The backward loop yields byte_403180[i] = byte_403078[i] ^ byte_403078[i+1]
 * for every i except the last, which is XORed with sub_401000() instead. Each
 * output byte therefore depends on only two neighbouring input bytes, and the
 * table can be inverted from the end once that single key byte is known.
 */
int sub_401050()
{
  int v1; // [esp+0h] [ebp-Ch]
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]
  char v4; // [esp+Bh] [ebp-1h]
  v1 = sub_401020((int)byte_403078);  // presumably the input length (the writeup's inference; sub_401020 is not shown)
  v4 = sub_401000();                  // one-byte key; evaluates to 4 (see sub_401000)
  for ( i = v1 - 1; i >= 0; --i )     // walk from the last byte; v4 carries the previous (higher-index) input byte
  {
    byte_403180[i] = v4 ^ byte_403078[i];
    v4 = byte_403078[i];
  }
  for ( j = 0; j < 0x27; ++j )        // always 39 comparisons regardless of v1; a shorter input leaves the tail of byte_403180 as it was
  {
    if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
      return 0;                       // early exit on the first differing byte; the comparison is not constant-time
  }
  return 1;
}
推测v1应该是字符串的长度,且flag的长度为38
简单的异或题,重点就是求
v4 = sub_401000();
的值了
/*
 * Key derivation (IDA pseudocode). Pure arithmetic on a constant, so the
 * result is fixed: 0x80070000 rotated left by 4 is 0x00700008 (the top
 * nibble 0x8 wraps into the low bits); truncating to 16 bits leaves 0x0008;
 * shifting right by 1 gives 4. This agrees with the value the writeup
 * reaches from the hint and from debugging.
 */
__int16 sub_401000()
{
  return (unsigned __int16)__ROL4__(0x80070000, 4) >> 1;  // == 4
}
搜了下这个 __ROL4__,感觉像是循环左移,但是算出来又不像。(按循环左移计算:0x80070000 循环左移 4 位得 0x00700008,取低 16 位为 0x0008,再右移 1 位正好是 4,与下文推出的 v4 = 4 一致。)
然后根据提示 Hint:本题解出相应字符串后请用flag{}包裹,形如:flag{[email protected]} flag中的最后一位数一定是m,然后 m ^ 4 = 0x69。那么v4 = 4
用动态调试也能得到v4的值,我输入的数为123456,异或是从最后一位开始的,将6放入了eax中,然后eax与ecx进行异或,由此可以推出ecx中存储的就是v4的值(具体的计算可以看这个大佬的博客)
根据这个条件,以及byte_403000 写出脚本
// Excerpt of sub_401050's comparison loop (repeated from above): exactly
// 0x27 == 39 bytes of byte_403180 are compared with byte_403000, which is
// why the solve script below carries a 39-entry table.
for ( j = 0; j < 0x27; ++j )
{
  if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
    return 0;
}
脚本
#include <stdio.h>   /* fwrite, putchar, printf */
#include <stdlib.h>  /* NOTE(review): the header names were lost in extraction (three bare "#include" lines); stdio.h is the only one main() needs */
#include <string.h>
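/*
 * Solve script: inverts sub_401050.
 *
 * The binary stores out[i] = in[i] ^ in[i+1] for i < n-1 and
 * out[n-1] = in[n-1] ^ key, where key = sub_401000() = 4, and compares
 * out[] against byte_403000 (copied into fin[] below). Walking backwards,
 * in[i] = fin[i] ^ in[i+1] recovers the expected input in a single pass.
 */

/*
 * Undo the neighbour-XOR chain.
 *   fin - the n expected bytes (byte_403000)
 *   n   - number of bytes in fin
 *   key - the byte XORed with the last input byte (sub_401000())
 *   out - receives n bytes plus a terminating NUL; must hold n + 1 bytes
 */
static void undo_xor_chain(const unsigned char *fin, size_t n, unsigned char key, char *out)
{
    unsigned char next = key;         /* stands for in[i+1]; seeded with the key for the last byte */
    for (size_t i = n; i-- > 0; ) {   /* visits n-1 .. 0 without underflowing size_t */
        next = (unsigned char)(fin[i] ^ next);
        out[i] = (char)next;
    }
    out[n] = '\0';
}

int main(void)
{
    /* byte_403000 as read out of the binary, one entry per compared byte. */
    static const unsigned char fin[] = {
        0x0D,0x26,0x49,0x45,0x2A,0x17,0x78,0x44,0x2B,0x6C,0x5D,0x5E,
        0x45,0x12,0x2F,0x17,0x2B,0x44,0x6F,0x6E,0x56,0x9,0x5F,0x45,
        0x47,0x73,0x26,0x0A,0x0D,0x13,0x17,0x48,0x42,0x1,0x40,0x4D,
        0x0C,0x2,0x69
    };
    enum { FIN_LEN = sizeof fin / sizeof fin[0] };   /* 39 == 0x27, the loop bound in sub_401050 */
    char flag[FIN_LEN + 1];

    /* 4 is sub_401000(): low 16 bits of ROL(0x80070000, 4) == 0x0008, then >> 1 */
    undo_xor_chain(fin, FIN_LEN, 4, flag);

    /* fwrite rather than "%s": an embedded 0 byte in a different table would not silently truncate the output */
    fwrite(flag, 1, FIN_LEN, stdout);
    putchar('\n');
    return 0;
}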
运行结果
最终flag : flag{[email protected]}