Nep Happy Individual Tournament-RE-Two Hexadecimal

As a beginner, I am reproducing this challenge by following the experts' write-ups (it is so difficult... I am still such a novice, 5555).
I referred to the official write-up and an expert's article:
REVERSE-COMPETITION-NEPCTF

Challenge file link:
Link: https://pan.baidu.com/s/1PzZ7uYlxSHjj9L7-iuWqjQ
Extraction code: 8lw2

The binary is not packed. Open it in 32-bit IDA and follow the cross-reference to the string `plz input right num:\n`, which leads to the function sub_4010A0():

/*
 * Hex-Rays pseudocode of the routine that references the prompt string.
 * It zeroes an input buffer, allocates an 8-byte object, prints the prompt,
 * reads a string, converts it to a 64-bit integer and passes that value to
 * sub_401120(). Declared __noreturn by the decompiler.
 */
void __noreturn sub_4010A0()
{
    
    
  __int64 v0; // rax
  // Typed as a single char by the decompiler, but the memset below clears
  // 0xFF bytes starting here, so this is really the start of a stack buffer.
  char Dst; // [esp+0h] [ebp-108h]

  memset(&Dst, 0, 0xFFu);
  // 8-byte heap object kept in two globals; the dword at offset 4 is zeroed,
  // the byte(s) at offset 0 are left as malloc returned them.
  // NOTE(review): presumably the list head node (data at +0, next at +4) from
  // the official source further down the page - confirm.
  dword_403378 = (int)malloc(8u);
  Memory = (void *)dword_403378;
  *(_DWORD *)(dword_403378 + 4) = 0;
  // presumably printf; the extra Dst argument looks like a decompiler artefact
  sub_401020("plz input right num:\n", Dst);
  // presumably a scanf-style read into the buffer. NOTE(review): no length
  // limit is visible in this call as decompiled; the official source passes 32
  // to scanf_s - verify the bound in the disassembly before trusting it.
  sub_401060("%s", (unsigned int)&Dst);
  v0 = atoi64(&Dst);                            // convert the input string to an integer
  sub_401120(v0, HIDWORD(v0));                  // transform and check the input (64-bit value passed as two 32-bit halves)
}

Enter sub_401120.
A quick note on two IDA macros:
HIDWORD: the high-order 32 bits of a 64-bit value
LODWORD: the low-order 32 bits of a 64-bit value
Explanation of line 13:
(screenshot)
Explanation of sub_401F00:
(screenshot)
(screenshot)
Where v3 == Fb72>&6 comes from:
Earlier we found the string “flag right” in the Strings window. Following it shows that the final check compares against aFb726.
(screenshot)
Looking further up, we find:
(screenshot)
Double-clicking aFb726 gives Fb72>&6.

View byte_402194
2163qwe)(*&^%489$!057@#><A

sub_401160() on line 17 appears to perform the comparison, and the value it compares against is v3.

Now write the solver script:

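def recover_input(table, target, xor_key=7):
    """Invert the challenge's encoding and return the original integer.

    The program emits the base-len(table) digits of its input, least
    significant digit first, maps each digit through ``table`` and XORs the
    resulting character with ``xor_key``. This undoes those steps in reverse.

    Raises ValueError if a decoded character is not in ``table``; the
    earlier ``str.find`` version returned -1 there and silently produced a
    wrong number.
    """
    # Undo the XOR, then map each character back to its digit value.
    digits = [table.index(chr(ord(ch) ^ xor_key)) for ch in target]
    base = len(table)
    value = 0
    # digits[0] is the least significant digit, so fold from the far end.
    for digit in reversed(digits):
        value = value * base + digit
    return value


arr = "2163qwe)(*&^%489$!057@#><A"
v3 = "Fb72>&6"
print(recover_input(arr, v3))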

The result is:
flag: Nep{md5(518100101)}

The following is the official source code of this question

Source code:
#include<stdio.h>
#include<stdlib.h>
#include<windows.h>
/*
 * Base-conversion encoding.
 *   input_data:   518100101
 *   encoded data: Fb72>&6
 */

/* Digit alphabet: the character at index d stands for digit value d. */
const char jinzhi_table[] = "2163qwe)(*&^%489$!057@#><A";

/* Radix used for the conversion (the alphabet above has 26 characters). */
const int jz = 26;

/* Expected encoded string: 7 visible characters plus the terminating NUL,
 * so sizeof key is 8. */
char key[] = "Fb72>&6";

/* Singly linked list node holding one encoded character. */
struct node {
    char data;
    struct node *next;
};

/* head: first node of the list; cur_node: node currently being filled. */
struct node *head;
struct node *cur_node;

void check_the_flag(); /* checks whether the flag is correct */
void linklist_add(char i);
void base_conversion(long long int n);
int del_linked(int sum);

/* Not referenced by any function in this listing. */
int v6 = 0;
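/*
 * Entry point: allocates the initial list node, reads a decimal number from
 * stdin and hands it to base_conversion(), which encodes it and then runs
 * check_the_flag().
 */
int main(void)
{
    char input[255] = { 0 };
    long long int x;

    head = cur_node = malloc(sizeof *head);
    if (head == NULL) {
        fputs("out of memory\n", stderr);
        return 1;
    }
    /* check_the_flag() reads the data field of this node when no digit has
     * been stored in it, so give it a defined value instead of whatever
     * malloc returned. */
    head->data = '\0';
    head->next = NULL;

    printf("plz input right num:\n");
    /* The third argument caps the read at 32 bytes including the terminator;
     * on failure fall back to an empty string, which converts to 0. */
    if (scanf_s("%s", input, 32) != 1) {
        input[0] = '\0';
    }
    /* _atoi64 reports no parse errors: non-numeric input simply yields 0. */
    x = _atoi64(input);
    base_conversion(x);
    return 0;
}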
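/*
 * Encodes n digit by digit in base jz, least significant digit first.
 * Each digit is mapped through jinzhi_table, XORed with 7 and appended to
 * the linked list; check_the_flag() is then called on the result.
 */
void base_conversion(long long int n)
{
    /* n comes straight from user input. For a negative n, n % jz is negative
     * and would index before the start of jinzhi_table. A negative number can
     * never be the expected value, so emit no digits and let the check below
     * reject it. */
    if (n < 0) {
        n = 0;
    }

    while (n) {
        char a = jinzhi_table[n % jz];

        n = n / jz;
        linklist_add(a ^ 7);
    }
    check_the_flag();
}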
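/*
 * Stores i in the current tail node and appends a fresh, empty tail node.
 * cur_node always points at the empty tail afterwards.
 */
void linklist_add(char i)
{
    struct node *tail = malloc(sizeof *tail);

    if (tail == NULL) {
        fputs("out of memory\n", stderr);
        exit(EXIT_FAILURE);
    }
    /* check_the_flag() also compares the data of the empty tail node (against
     * the terminating NUL of key), so it must not be left uninitialised. */
    tail->data = '\0';
    tail->next = NULL;

    cur_node->data = i;
    cur_node->next = tail;
    cur_node = tail;
}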
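/*
 * Compares the encoded list against key, frees the list, prints the verdict
 * and terminates the process. Never returns.
 *
 * All sizeof key bytes are compared, including the terminating NUL: the last
 * comparison is made against the data of the empty tail node, so a match
 * requires that node's data to be '\0'.
 */
void check_the_flag(void)
{
    const int key_len = (int)sizeof key; /* 7 characters + NUL = 8 */
    int i, sum = 0;
    struct node *tmp = head;

    for (i = 0; i < key_len; i++) {
        if (tmp == NULL) {
            break;
        }
        if (tmp->data == key[i]) {
            sum++;
        }
        tmp = tmp->next;
    }

    /* Free the linked list; the return value (sum minus the number of nodes
     * freed, or -1 for an empty list) is used as the process exit code. */
    int code = del_linked(sum);

    if (sum != key_len) {
        puts("flag is Error!!!");
        exit(code);
    } else {
        /* The literal was split across two lines in the listing, which does
         * not compile; it is rejoined here. */
        puts("flag is Right!!!, please md5('Nep{you_input_num}') submit th4 flag");
        system("pause");
        exit(code);
    }
}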
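/*
 * Frees every node of the list starting at head.
 *
 * Returns -1 if the list is already empty, otherwise sum minus the number of
 * nodes freed. On return head and cur_node are both NULL.
 */
int del_linked(int sum)
{
    if (head == NULL) {
        return -1;
    }

    int remaining = sum;

    while (head != NULL) {
        struct node *victim = head;

        head = head->next;
        free(victim);
        remaining -= 1;
    }
    /* cur_node pointed into the list that was just freed; clear it so no
     * dangling pointer is left behind in the global. */
    cur_node = NULL;
    return remaining;
}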


Origin blog.csdn.net/AlienEowynWan/article/details/115186264