Shiyanbar CTF - Prove Yourself

Challenge address: http://www.shiyanbar.com/ctf/28

The binary is not packed and was written in VC++.

 

Drag it into OllyDbg (OD) and look around: the program is very short, so we suspect there is a call inside which the correct flag is compared with our input.

In the end, forcing the check so that registration succeeds still does not make the flag appear, so the flag must be computed inside some function.

 

Then open it in IDA and go to main: the key function is sub_401060.

 

Double-click to enter it and view the pseudo-C code of sub_401060.

It is divided into three parts:

First, each byte of our input a1, over the whole length of a1, is XORed (with 0x20, the constant used in the scripts below).

Second, 5 is subtracted from each byte of v5.

Third, as the pseudo-code shows, while (*(a1 + v3) == *((_BYTE *)&v5 + v3)) compares our input a1 with v5 byte by byte.

P.S.: the line if (strlen((const char *)v5) == 0) return 1; checks whether v5 has 0 elements and returns 1 if so, which seems futile. I am a little confused by it, but it can be ignored.

So we work backward: first subtract 5 from each byte of v5, then XOR the result (mind the order of the subtraction and the XOR, do not mix them up), and that gives the value that should be entered.

The data of v5 can be found by its address: v5 = dword_40708C. The convenient way is Ctrl+G in OD. v5 is treated as a string, so this address points to the first byte of the string. v5 is 68 57 19 48 50 6e 58 78 54 6a 19 58 5e 06 (all hexadecimal).

Finally, write a script in Python or C to solve for the answer.

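Python:

# Bytes of v5 read from dword_40708C
code=(0x68,0x57,0x19,0x48,0x50,0x6E,0x58,0x78,0x54,0x6A,0x19,0x58,0x5E,0x06)
a=""  # start from an empty string so the output has no leading space
for i in code:
    # undo the check: subtract 5 first, then XOR with 0x20
    i=(i-5)^0x20
    a+=chr(i)
print(a)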

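C:

#include <stdio.h>

int main()
{
    /* bytes of v5 read from dword_40708C */
    int a[14]={0x68,0x57,0x19,0x48,0x50,0x6e,0x58,0x78,0x54,0x6a,0x19,0x58,0x5e,0x06};
    int i;
    for(i=0;i<14;i++)
    {
        a[i]=a[i]-5;     /* subtract 5 first */
        a[i]=a[i]^0x20;  /* then XOR with 0x20 */
        printf("%c",a[i]);
    }
    printf("\n");
    return 0;
}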

Verified: the answer is correct.
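An added example, not part of the original post and not code taken from the binary: a Python model of the three parts of sub_401060 as described above, used to confirm that the recovered input passes the check and to show at which byte values the order of subtraction and XOR changes the result. The function names, the 8-bit wrap-around (& 0xFF) and the two-byte sample are assumptions made for the illustration.

```python
# Added example: a model of the check as the post describes it, not the binary's code.
STORED = bytes.fromhex("68571948506e5878546a19585e06")  # v5 bytes quoted in the post
XOR_KEY = 0x20  # constant taken from the post's solver scripts
OFFSET = 5      # amount subtracted from each byte of v5


def check(user_input: bytes, stored: bytes = STORED) -> bool:
    """Forward direction of the three parts (hypothetical reconstruction)."""
    transformed = bytes(b ^ XOR_KEY for b in user_input)   # part 1: XOR the input
    expected = bytes((b - OFFSET) & 0xFF for b in stored)  # part 2: v5 minus 5
    return transformed == expected                         # part 3: byte-wise compare


def recover(stored: bytes = STORED) -> bytes:
    """Inverse: subtract 5 first, then XOR. & 0xFF assumes 8-bit wrap-around."""
    return bytes(((b - OFFSET) & 0xFF) ^ XOR_KEY for b in stored)


def swapped_order(stored: bytes) -> bytes:
    """XOR first, then subtract: the ordering mistake the post warns about."""
    return bytes(((b ^ XOR_KEY) - OFFSET) & 0xFF for b in stored)


def order_sensitive(stored: bytes) -> list:
    """Indexes where the two orders disagree (the subtraction borrows across bit 0x20)."""
    good, bad = recover(stored), swapped_order(stored)
    return [i for i in range(len(stored)) if good[i] != bad[i]]


if __name__ == "__main__":
    answer = recover()
    print(answer.decode("ascii"), "accepted:", check(answer))
    print("order-sensitive positions in v5:", order_sensitive(STORED))
    sample = bytes([0x23, 0x68])  # constructed sample, not from the binary
    print("order-sensitive positions in sample:", order_sensitive(sample))
```

For the v5 bytes in this challenge the low five bits of every byte are at least 5, so both orders happen to give the same string; a byte such as 0x23 in the constructed sample is where swapping them produces a wrong value.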

 


Origin www.cnblogs.com/tqing/p/11494705.html