buu red hat cup easyre

1. Drag the binary into IDA for static analysis and find the key function.

This step shows that the first 4 characters are "flag". I don't know why the memory address of my v15 is empty; otherwise it could be XORed out. IDA acting up as usual...

Ten rounds of base64 encoding. I used an online platform and copy-pasted, which is a bit dumb; a script would also work, and faster. This gives a URL, but after opening it, it is not what we want... I was stumped.
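The ten rounds of base64 mentioned above can be peeled by a short script instead of an online decoder. This is an added example, not code from the original post: the sample input is constructed from a placeholder URL, and `wrap` and `peel_base64` are hypothetical helper names.

```python
import base64
import binascii

# Constructed sample: a placeholder URL wrapped in 10 base64 layers,
# standing in for the string found in the binary (not the real one).
DECOY_URL = b"https://example.invalid/decoy"


def wrap(data: bytes, rounds: int) -> bytes:
    """Apply base64 encoding `rounds` times (used only to build the sample)."""
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data


def is_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII."""
    return all(32 <= b < 127 for b in data)


def peel_base64(blob: bytes, max_layers: int = 32):
    """Strip nested base64 layers; return (innermost_bytes, layers_removed).

    Stops when the data is no longer valid base64, or when decoding would
    produce non-printable bytes (plain text such as b"flag" happens to be
    valid base64 and would otherwise be decoded one layer too far).
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # characters outside the alphabet or bad padding
        if not decoded or not is_printable(decoded):
            break  # went past the real plaintext
        current = decoded
        layers += 1
    return current, layers


SAMPLE = wrap(DECOY_URL, 10)

if __name__ == "__main__":
    text, count = peel_base64(SAMPLE)
    print(count, text.decode())
```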

After reading an expert's writeup, I found that this binary runs additional code on exit: because there is a fini section, that code is executed when the program ends. A program is not given data for no reason, so the data must have a purpose, and since this code is also executed, it must be useful.

There is a piece of data that looks unused here. Press x to view its cross-references and find the key function, where the first byte of v5 XORed with the first byte of 6cc0a0 gives 'f'. A bold guess: the remaining three bytes are "lag", which was later confirmed to be correct.
Write a script to get our flag.

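```python
# Data bytes referenced by the key function
r = [0x40, 0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 0x24, 0x6E, 0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 0x72, 0x3C, 0x32, 0x45]
enc = "flag"  # known plaintext: the output starts with "flag"

# Recover the 4-byte key by XORing the first 4 bytes with the known plaintext
key = ""
for i in range(4):
    key += chr(r[i] ^ ord(enc[i]))
print(key)

# Decrypt all of the data with the repeating 4-byte key
flag = ""
for i in range(len(r)):
    flag += chr(r[i] ^ ord(key[i % 4]))
print(flag)
```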

Origin blog.csdn.net/YenKoc/article/details/105290981