测试文件:https://adworld.xctf.org.cn/media/task/attachments/a00849bb514c413f8a6526f6bb56c628
1.准备

得到信息
- 64位文件
- obj文件
2.IDA打开
将main函数转换为C语言代码
1 void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)  // IDA decompilation of the checker's main(); every path ends in exit()
2 {
3 size_t v3; // rsi
4 int i; // [rsp+3Ch] [rbp-54h]
5 char s[36]; // [rsp+40h] [rbp-50h]  -- user guess; the "%32s" read below stores at most 32 chars + NUL
6 int v6; // [rsp+64h] [rbp-2Ch]  -- key length: i % v6 cycles over the first v6 bytes of v7
7 __int64 v7; // [rsp+68h] [rbp-28h]  -- 8-byte XOR key, accessed byte-wise through (_BYTE *)&v7
8 char v8[8]; // [rsp+70h] [rbp-20h]  -- obfuscated password; the 17-char strcpy below fits in the 0x1C bytes between rbp-20h and v9 at rbp-4h, so "[8]" is a decompiler sizing artefact rather than a real overflow
9 int v9; // [rsp+8Ch] [rbp-4h]
10
11 v9 = 0;
12 strcpy(v8, ":\"AL_RT^L*.?+6/46");  // 17 ciphertext bytes plus NUL
13 v7 = 28537194573619560LL;  // key material; only bytes 0..v6-1 are ever used
14 v6 = 7;
15 printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
16 printf("To continue, you must enter the correct password.\n");
17 printf("Enter your guess: ");
18 __isoc99_scanf("%32s", s);  // width-limited read, bounded by s[36]
19 v3 = strlen(s);
20 if ( v3 < strlen(v8) )  // guess shorter than the expected password -> failure path
21 sub_4007C0(v8);
22 for ( i = 0; i < strlen(s); ++i )  // strlen(s) is re-evaluated on every iteration
23 {
24 if ( i >= strlen(v8) )  // guess longer than the expected password -> failure path
25 ((void (*)(void))sub_4007C0)();
26 if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )  // byte-wise check: s[i] must equal key[i % v6] ^ v8[i]; sub_4007C0 exits on the first mismatch, so the expected password is simply v8 XORed with the cycled key
27 ((void (*)(void))sub_4007C0)();
28 }
29 sub_4007F0();  // every byte matched -> success path
30 }
2.1 分析代码
进入sub_4007C0()
void __noreturn sub_4007C0()
{
    /* Failure path of the password checker: report the bad guess and
     * terminate the process (no return to the caller). */
    fputs("Incorrect password!\n", stdout);
    exit(0);
}
进入sub_4007F0();
void __noreturn sub_4007F0()
{
    /* Success path of the password checker: print the congratulation and
     * terminate the process (no return to the caller). */
    fputs("You entered the correct password!\nGreat job!\n", stdout);
    exit(0);
}
通过第26行代码，我们了解到flag的计算方式
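/* Inversion of the check on line 26: the binary accepts the guess only when
 * s[i] == key[i % v6] ^ v8[i], so the expected byte is that XOR. The original
 * fragment used "!=" as a bare expression (no effect) and lacked a ')'. */
for (i = 0; i < strlen(v8); ++i) {
    s[i] = (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]);
}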
2.2 算法代码
通过分析,实现算法的代码
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BYTE unsigned char
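/*
 * Recover the password expected by the challenge binary.
 *
 * The checker compares each byte of the guess against
 * key[i % v6] ^ v8[i], where key is the little-endian byte layout of v7;
 * running the same XOR over v8 therefore yields the accepted password.
 * The constants below are the ones lifted from the decompiled main().
 *
 * Returns 0 after printing the recovered password to stdout.
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;

    const char v8[18] = ":\"AL_RT^L*.?+6/46";   /* obfuscated password */
    const uint64_t v7 = 28537194573619560ULL;   /* key word (non-standard __int64 replaced) */
    const unsigned v6 = 7;                      /* number of key bytes actually used */
    char s[18] = "";                            /* recovered password, NUL-terminated */

    const size_t len = strlen(v8);              /* hoisted: invariant over the loop */
    for (size_t i = 0; i < len; ++i) {
        /* Byte (i % v6) of v7 as laid out on the little-endian x86-64 target.
         * A shift gives the same byte on any host; the original's
         * (BYTE *)&v7 aliasing depends on host endianness. */
        unsigned char key = (unsigned char)((v7 >> (8 * (i % v6))) & 0xffu);
        s[i] = (char)(key ^ (unsigned char)v8[i]);
    }
    s[len] = '\0';
    printf("%s\n", s);

#ifdef _WIN32
    system("PAUSE");   /* keep the console window open; only meaningful on Windows */
#endif
    return 0;
}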
3. get flag!
