BUUCTF--[BJDCTF2020]easy

Test file: https://www.lanzous.com/ib50fkb

 

File Analysis

After opening the file in IDA, find ques() in the Functions window; this is the function that prints the flag. While debugging, we can change EIP to the address of ques (0x00401520) so that the function runs and prints the flag.

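int ques()
{
  /*
   * Prints five rows of a 50-column bitmap: '*' for a set bit, ' ' for a
   * clear bit, most significant column first, with an extra space after
   * every fifth column. Returns the result of the last putchar('\n').
   *
   * The rows are kept as the (low dword, high dword) pairs that the
   * decompiler listed as v3..v12. The decompiled code fetched them with
   * *(&v3 + 2 * i), which only works because of the binary's stack layout;
   * an explicit table removes that dependency.
   */
  static const long long rows[5][2] = {
    { 2147122737LL, 140540LL },
    { -2008399303LL, 141956LL },
    { 139457077LL, 262023LL },
    { -2008923597LL, 143749LL },
    { 2118271985LL, 143868LL },
  };
  int result = 0;

  for ( int i = 0; i < 5; ++i )
  {
    int bits[50] = {0};
    int nbits = 0;
    int printed = 0;

    /* Rebuild the 64-bit row; the mask keeps only the low 32 bits of a
       negative low dword before it is OR-ed under the high dword. */
    unsigned long long low = (unsigned long long)rows[i][0] & 0xFFFFFFFFULL;
    unsigned long long high = (unsigned long long)rows[i][1] & 0xFFFFFFFFULL;
    long long value = (long long)((high << 32) | low);

    /* Peel off bits least-significant first. Every high dword in the table
       is below 2^18, so each row fits in 50 bits; the bound on nbits keeps
       the write inside bits[] even if the table is edited. */
    while ( value > 0 && nbits < 50 )
    {
      bits[nbits++] = (int)(value % 2);
      value /= 2;
    }

    /*
     * The decompiled print loop started at j = 50, one element past the
     * 50-entry array. Per the stack offsets in the listing that slot is v3
     * (ebp-60h), whose value is neither 0 nor 1, so that iteration printed
     * no cell and only the group separator fired (the counter was still 0).
     * Emit that leading space directly instead of reading out of bounds.
     */
    putchar(' ');

    for ( int j = 49; j >= 0; --j )
    {
      putchar(bits[j] ? '*' : ' ');
      ++printed;
      if ( printed % 5 == 0 )
        putchar(' ');
    }
    result = putchar('\n');
  }
  return result;
}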

 

get flag!

flag{HACKIT4FUN}


Origin www.cnblogs.com/Mayfly-nymph/p/12664153.html