  • 攻防世界 reverse BABYRE

    BABYRE   XCTF 4th-WHCTF-2017

    /*
     * Entry point as recovered by the decompiler (names and types are the
     * decompiler's guesses, not original source).
     *
     * Steps visible below:
     *   1. XOR the 182 bytes starting at judge with 0x0C, in place.
     *   2. Prompt for the flag and read one whitespace-delimited token.
     *   3. Print "Right!" only if the token is 14 characters long and
     *      judge() returns non-zero for it; otherwise print "Wrong!".
     *
     * Always returns 0.
     */
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      // NOTE(review): s is declared as a single char but is used as the
      // scanf/strlen buffer; the offsets below put it 0x18 bytes under v5,
      // so it is presumably a char array -- confirm in the disassembly.
      char s; // [rsp+0h] [rbp-20h]
      int v5; // [rsp+18h] [rbp-8h]
      int i; // [rsp+1Ch] [rbp-4h]
    
      // Step 1: judge is treated as data here. Each of its first 182 bytes
      // (i = 0..181) is XORed with 0x0C and written back.
      // NOTE(review): the store needs this memory to be writable at run time;
      // how the binary arranges that is not visible in this listing.
      for ( i = 0; i <= 181; ++i )
      {
        // The value assigned to envp is only handed to printf below, whose
        // format has no conversion specifiers -- presumably a decompiler artefact.
        envp = (const char **)(*((unsigned __int8 *)judge + i) ^ 0xCu);
        *((_BYTE *)judge + i) ^= 0xCu;
      }
      printf("Please input flag:", argv, envp);
      // "%20s" caps the read at 20 characters plus the terminating NUL.
      __isoc99_scanf("%20s", &s);
      v5 = strlen(&s);
      // judge() runs only when the length check passes (&& short-circuits);
      // it receives the buffer address cast to an integer.
      if ( v5 == 14 && (unsigned int)judge((__int64)&s) )
        puts("Right!");
      else
        puts("Wrong!");
      return 0;
    }

    程序流程很清晰,关键点在 judge:程序开始时先把 judge 处的 182 个字节逐字节异或 0xC(运行时自解密),然后在后面调用解密出的函数。因此静态分析时需要先对这段字节做同样的异或,才能得到下面 judge 的伪代码。

    /*
     * Flag check as recovered by the decompiler after the XOR-0x0C pass.
     *
     * a1 is the address of the input buffer, passed as an integer. The first
     * 14 bytes of that buffer are XORed in place with their own index, then
     * compared one by one against the 14 constants stored in v2..v15.
     *
     * Returns 1 if all 14 bytes match, 0 at the first mismatch.
     *
     * The buffer is modified even when the check fails. Because the expected
     * bytes are embedded in the clear and XOR is its own inverse, the accepted
     * input follows directly from the constants.
     */
    signed __int64 __fastcall judge(__int64 a1)
    {
      // v2..v15 occupy consecutive bytes (rbp-20h .. rbp-13h per the offsets),
      // i.e. what the decompiler shows as 14 scalars is effectively one
      // 14-byte table.
      char v2; // [rsp+8h] [rbp-20h]
      char v3; // [rsp+9h] [rbp-1Fh]
      char v4; // [rsp+Ah] [rbp-1Eh]
      char v5; // [rsp+Bh] [rbp-1Dh]
      char v6; // [rsp+Ch] [rbp-1Ch]
      char v7; // [rsp+Dh] [rbp-1Bh]
      char v8; // [rsp+Eh] [rbp-1Ah]
      char v9; // [rsp+Fh] [rbp-19h]
      char v10; // [rsp+10h] [rbp-18h]
      char v11; // [rsp+11h] [rbp-17h]
      char v12; // [rsp+12h] [rbp-16h]
      char v13; // [rsp+13h] [rbp-15h]
      char v14; // [rsp+14h] [rbp-14h]
      char v15; // [rsp+15h] [rbp-13h]
      int i; // [rsp+24h] [rbp-4h]
    
      // Expected bytes, i.e. what input[i] ^ i must equal for i = 0..13.
      v2 = 102;
      v3 = 109;
      v4 = 99;
      v5 = 100;
      v6 = 127;
      v7 = 107;
      v8 = 55;
      v9 = 100;
      v10 = 59;
      v11 = 86;
      v12 = 96;
      v13 = 59;
      v14 = 110;
      v15 = 112;
      // Transform the caller's buffer in place: byte i becomes byte i XOR i.
      for ( i = 0; i <= 13; ++i )
        *(_BYTE *)(i + a1) ^= i;
      for ( i = 0; i <= 13; ++i )
      {
        // *(&v2 + i) indexes past v2 into v3..v15; this only works because of
        // the contiguous stack layout noted above.
        if ( *(_BYTE *)(i + a1) != *(&v2 + i) )
          return 0LL;
      }
      return 1LL;
    }

    解出的函数也非常简单:先把输入的每个字节与其下标异或,结果再与固定的 14 个字节逐一比较。由于异或可逆,把这 14 个字节按下标再异或一次即可还原出正确的输入。

    wp:

    # Expected bytes copied from judge(): its locals v2..v15, in stack order.
    data = [102, 109, 99, 100, 127, 107, 55, 100, 59, 86, 96, 59, 110, 112]

    # judge() XORs input byte i with i before comparing, so XOR-ing each
    # expected byte with its index once more recovers the accepted input.
    flag = ''.join(chr(value ^ index) for index, value in enumerate(data))

    print(flag)

    flag{n1c3_j0b}

  • 原文地址:https://www.cnblogs.com/DirWang/p/11545027.html