高校网络信息安全运维挑战赛：IgniteMe

一道比较简单的逆运算题目。

下载附件查壳，没有加壳：

在IDA中打开，找到主函数：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  size_t i; // [esp+4Ch] [ebp-8Ch]
  char v5[4]; // [esp+50h] [ebp-88h]
  char v6[28]; // [esp+58h] [ebp-80h]
  char v7; // [esp+74h] [ebp-64h]

  sub_402B30(&unk_446360, "Give me your flag:");
  sub_4013F0(sub_403670);
  sub_401440(v6, 127);
  if ( strlen(v6) < 036 && strlen(v6) > 4 )  //前四个字符为："EIS{"  长度也有限制
  {
    strcpy(v5, "EIS{");
    for ( i = 0; i < strlen(v5); ++i )
    {
      if ( v6[i] != v5[i] )
      {
        sub_402B30(&unk_446360, "Sorry, keep trying! ");
        sub_4013F0(sub_403670);
        return 0;
      }
    }
    if ( v7 == '}' )  //最后的字符为："}"
    {
      if ( sub_4011C0(v6) )  //关键的比较函数
        sub_402B30(&unk_446360, "Congratulations! ");
      else
        sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
    else
    {
      sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
  }
  else
  {
    sub_402B30(&unk_446360, "Sorry, keep trying!");
    sub_4013F0(sub_403670);
    result = 0;
  }
  return result;
}

跟进比较函数中观察：

bool __cdecl sub_4011C0(char *a1)
{
  size_t v2; // eax
  signed int v3; // [esp+50h] [ebp-B0h]
  char v4[32]; // [esp+54h] [ebp-ACh]
  int v5; // [esp+74h] [ebp-8Ch]
  int v6; // [esp+78h] [ebp-88h]
  size_t i; // [esp+7Ch] [ebp-84h]
  char v8[128]; // [esp+80h] [ebp-80h]

  if ( strlen(a1) <= 4 )
    return 0;
  i = 4;
  v6 = 0;
  while ( i < strlen(a1) - 1 )
    v8[v6++] = a1[i++];
  v8[v6] = 0;
  v5 = 0;
  v3 = 0;
  memset(v4, 0, 0x20u);
  for ( i = 0; ; ++i )
  {
    v2 = strlen(v8);
    if ( i >= v2 )
      break;
    if ( v8[i] >= 97 && v8[i] <= 122 )
    {
      v8[i] -= 32;  //小写转大写
      v3 = 1;
    }
    if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
      v8[i] += 32;  //大写转小写
    v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);  //再次进行处理
    v3 = 0;
  }
  return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0; //比较
}

跟进处理函数：

int __cdecl sub_4013C0(int a1)
{
  return (a1 ^ 0x55) + 72;
}

byte_4420B0 中的值：

0D 13 17 11 02 01 20 1D  0C 02 19 2F 17 2B 24 1F
1E 16 09 0F 15 27 13 26  0A 2F 1E 1A 2D 0C 22 04

编写python脚本：

s = "GONDPHyGjPEKruv{{pj]X@rF"
d = [0x0D, 0x13, 0x17, 0x11, 0x2, 0x1, 0x20, 0x1D,
       0x0C, 0x2, 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F,
       0x1E, 0x16, 0x9, 0xF, 0x15, 0x27, 0x13, 0x26,
       0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x4]
print('EIS{',end='')
q=0
for i in range(len(s)):
    i = ((ord(s[i]) ^ d[i]) - 72)^0x55
    if(i<=ord('z') and i>=ord('a')):
        p = i-32
    elif(i<=ord('Z') and i>=ord('A')):
        p = i+32
    else:
        p = i
    print(chr(p),end='')

print('}')

输出：EIS{wadx_tdgk_aihc_ihkn_pjlm}

解题完毕~~~~