逆向之攻防世界(新手区)(4)

6.《logmein》

/*
 * Hex-Rays pseudocode of the crackme's main(): reads a guess with scanf and
 * compares it byte by byte against v8[i] XOR a repeating 7-byte key taken
 * from v7. Both operands of that comparison are constants stored in the
 * binary, so the expected password can be recomputed statically. A reversible
 * XOR over embedded constants hides the password from a casual strings dump
 * only.
 */
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  size_t v3; // rsi
  int i; // [rsp+3Ch] [rbp-54h]
  char s[36]; // [rsp+40h] [rbp-50h]
  int v6; // [rsp+64h] [rbp-2Ch]
  __int64 v7; // [rsp+68h] [rbp-28h]
  char v8[8]; // [rsp+70h] [rbp-20h]
  int v9; // [rsp+8Ch] [rbp-4h]

  v9 = 0;
  // The literal is 17 characters + NUL = 18 bytes, more than the declared
  // char v8[8]. The stack offsets above leave 28 bytes between v8 (rbp-20h)
  // and v9 (rbp-4h), so this looks like the decompiler under-sizing the
  // array rather than a real overflow; confirm against the disassembly.
  strcpy(v8, ":\"AL_RT^L*.?+6/46");
  // 0x65626D61726168: stored little-endian, the low seven bytes read in
  // memory order are the ASCII string "harambe". The eighth byte is never
  // used because the index below is taken modulo v6 (7).
  v7 = 28537194573619560LL;                    
  v6 = 7;
  // a2/a3 passed to the first printf are presumably a decompiler artifact;
  // the format string has no conversions.
  printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
  printf("To continue, you must enter the correct password.\n");
  printf("Enter your guess: ");
  // The "%32s" width limits the read to 32 characters + NUL, which fits s[36].
  __isoc99_scanf("%32s", s);
  v3 = strlen(s);
  // A guess shorter than v8 is rejected here and a longer one is rejected
  // inside the loop, so only a guess of exactly strlen(v8) characters can
  // pass. This assumes sub_4007C0() does not return, which the __noreturn on
  // main suggests.
  if ( v3 < strlen(v8) )
    sub_4007C0();
  for ( i = 0; i < strlen(s); ++i )
  {
    if ( i >= strlen(v8) )
      sub_4007C0();
    // Per the write-up, sub_4007C0() prints the wrong-password message, so a
    // guess passes only if every byte equals key[i % 7] ^ v8[i]. The right
    // side does not depend on the input.
    if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
      sub_4007C0();
  }
  // Reached only when every byte matched; presumably the success handler.
  sub_4007F0();
}

很简单的一段逻辑,不对以上代码进行细致分析了。我们注意到第二个if判断里有一个对i大小的限制,这里大可不必理会:第三个if比较的右边只由程序里写死的v7和v8算出,与输入无关(x86-64为小端序,v7按低字节在前逐字节读取,下标对7取模)。所以直接写脚本算出 v8[i] ^ ((char *)&v7)[i % 7],让第三个if两边相等,即可得到flag

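// Recomputes the right-hand side of the password comparison in the decompiled
// main(): each byte of the embedded string XORed with a repeating 7-byte key.
// XOR is its own inverse, so the result is the string the program expects.
int main(){
    // Key constant copied from the binary. It is read byte by byte in memory
    // order, so this only gives the intended key on a little-endian host
    // (as the x86-64 target is).
    long long v7 = 28537194573619560;
    // Fixed: the original took the address of `V7`, which is not declared
    // (the variable is the lower-case `v7`), so the program did not compile.
    const char *a = (const char *)&v7;
    char V8[] = ":\"AL_RT^L*.?+6/46";

    // Decode in place. The loop stops at the terminating NUL, which is
    // checked before that position is modified.
    for (int i = 0; V8[i] != 0; i++) {
        V8[i] = V8[i] ^ a[i % 7];   // 7 = key length (v6 in the decompilation)
    }
    std::cout << V8 << std::endl;
    return 0;
}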

7.《python-trade》

是个pyc文件,反编译一下,网址:https://tool.lu/pyc/ (在线工具会把文件上传到第三方服务器,非公开的样本建议在本地反编译)。下面是反编译的源码(Python 2 语法):

import base64

def encode(message):                     # encoding step; base64 is applied at the end
    # Decompiled from a Python 2 .pyc (the surrounding script uses print
    # statements and raw_input), so `s` is a byte string here.
    # The transform is keyless and fully reversible: per character
    # XOR with 32, then add 16, then base64 over the whole result.
    # It is an encoding, not encryption.
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    
    return base64.b64encode(s)

# Expected value of encode(flag), stored in the clear inside the .pyc.
# Because encode() is reversible, this constant is enough to recover the flag
# without running the program.
correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
# The check compares encoded forms; nothing secret is needed to evaluate it.
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'

解密脚本(Python 3:b64decode返回bytes,遍历时得到的是整数,所以不需要ord;按加密的逆序先减16再异或32):

import base64

# Inverts encode() from the decompiled script: base64-decode the stored
# constant, then undo the two per-byte steps in reverse order
# (subtract 16, then XOR with 32).
correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
b64_flag = base64.b64decode(correct)

# Iterating over bytes yields ints in Python 3, so no ord() is needed.
flag = "".join(chr((byte - 16) ^ 32) for byte in b64_flag)
print(flag)

 


转载自blog.csdn.net/qq_40568770/article/details/105144957