sus-helloworld

Challenge link

Open the binary in IDA and look at the main function:

    *(_DWORD *)flag = 0xC881E8F1;
    *(_DWORD *)&flag[4] = 0xCECF81D2;
    *(_DWORD *)&flag[8] = 0x81C081D5;
    *(_DWORD *)&flag[12] = 0xC8D5C0D3;
    *(_DWORD *)&flag[16] = 0xCDC0CFCE;
    *(_DWORD *)&flag[20] = 0xCCD4CF81;
    *(_DWORD *)&flag[24] = 0x8FD3C4C3;
    flag[28] = 0;
    printf("What is magic number? ");
    __isoc99_scanf("%d", &n);
    if ( n == 0x12B9B0A1 )
    {
      for ( i = 0; flag[i]; ++i )
        flag[i] ^= n;
      printf("Flag is FLAG{%s}\n", flag);
    }
    else
    {
      puts("Try Hard.");
    }
    return 0;

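If the input n equals 0x12b9b0a1, every flag[i] is XORed with n (flag[i] ^= n).

The assembly shows that only one byte of n is used here, namely 0xa1.

The script that reverses the operation is as follows: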

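    # Bytes of flag[] in memory order (each DWORD is stored little-endian)
    flag = [0xf1, 0xe8, 0x81, 0xc8,
            0xd2, 0x81, 0xcf, 0xce,
            0xd5, 0x81, 0xc0, 0x81,
            0xd3, 0xc0, 0xd5, 0xc8,
            0xce, 0xcf, 0xc0, 0xcd,
            0x81, 0xcf, 0xd4, 0xcc,
            0xc3, 0xc4, 0xd3, 0x8f]
    s = ''
    for i in flag:
        # XOR with the low byte of the magic number
        i ^= 0xa1
        s += chr(i)
    print(s)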

flag get

Since I don't know any tricks for this, I had to type the flag list out by hand...
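The byte list does not have to be typed by hand. The following added example (not part of the original write-up) rebuilds it from the seven DWORD constants in the decompiled code, laid out little-endian as x86 stores them, and replays the single-byte XOR loop; the function names are chosen for illustration.

```python
import struct

# Constants copied from the decompiled main() shown above.
FLAG_DWORDS = [0xC881E8F1, 0xCECF81D2, 0x81C081D5, 0xC8D5C0D3,
               0xCDC0CFCE, 0xCCD4CF81, 0x8FD3C4C3]
MAGIC = 0x12B9B0A1


def dwords_to_bytes(dwords):
    """Lay the 32-bit stores out in memory order (little-endian, x86)."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def decode(dwords, magic):
    """Replay the loop: XOR each byte with the low byte of magic until NUL."""
    key = magic & 0xFF  # flag[i] is one byte wide, so only the low byte of n applies
    out = bytearray()
    # Append the terminator that `flag[28] = 0` writes in the original.
    for b in dwords_to_bytes(dwords) + b"\x00":
        if b == 0:  # same stop condition as `for ( i = 0; flag[i]; ++i )`
            break
        out.append(b ^ key)
    return out.decode("ascii")


if __name__ == "__main__":
    print("FLAG{%s}" % decode(FLAG_DWORDS, MAGIC))
```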
