GFSJ0419-【key】
xor
main函数
// Decompiled (IDA) body of the key-check routine. The comments below describe
// only what the visible pseudocode does; the role of each sub_* helper is
// inferred from its call shape and is marked as such.
//
// Flow: build an 18-byte expected key from two string literals (per byte:
// XOR, +22, then +9, each step truncated to a char), read one string from an
// iostream-like object, compare it with the computed key, and print either
// "=W=r=o=n=g=K=e=y=" or a banner followed by "Congrats You got it!".
void sub_401100()
{
  int v0; // esi
  int v1; // esi
  unsigned int v2; // edi
  void **v3; // ebx
  void **v4; // eax
  int v5; // ecx
  int *v6; // eax
  int *v7; // esi
  int v8; // ecx
  void **v9; // eax
  int v10; // eax
  int *v11; // ecx
  int *v12; // eax
  int *v13; // eax
  int *v14; // eax
  int *v15; // eax
  int *v16; // eax
  int *v17; // eax
  int *v18; // eax
  const char *v19; // edx
  int *v20; // eax
  int v21; // [esp-Ch] [ebp-144h]
  int v22; // [esp-8h] [ebp-140h]
  int v23; // [esp-4h] [ebp-13Ch]
  int v24[46]; // [esp+14h] [ebp-124h] BYREF
  void *v25[5]; // [esp+CCh] [ebp-6Ch] BYREF
  int v26; // [esp+E0h] [ebp-58h]
  void *v27; // [esp+E4h] [ebp-54h] BYREF
  int v28; // [esp+F4h] [ebp-44h]
  unsigned int v29; // [esp+F8h] [ebp-40h]
  void *Block[6]; // [esp+FCh] [ebp-3Ch] BYREF
  char v31[20]; // [esp+114h] [ebp-24h] BYREF
  int v32; // [esp+134h] [ebp-4h]
  // v25/v26, v27/v28/v29 and Block[0..5] are laid out like MSVC std::string
  // objects: {inline buffer or heap pointer, size, capacity}, capacity 15
  // while the text still fits inline. NOTE(review): inferred from the 0x10
  // capacity checks and the deallocation calls at the end — confirm against
  // the CRT version in the binary.
  v29 = 15;            // v27: capacity 15, size 0, empty inline buffer
  v28 = 0;
  LOBYTE(v27) = 0;
  v32 = 1;             // appears to be the exception-unwind state counter
  v26 = 15;            // v25: capacity 15, size 0, empty inline buffer
  v25[4] = nullptr;
  LOBYTE(v25[0]) = 0;
  v0 = 0;
  // Block (6 * 4 = 24 bytes) is first used as a plain scratch buffer: the
  // 21-char literal plus NUL fits, and the 18-char mask plus NUL fits v31[20].
  strcpy((char *)Block, "themidathemidathemida");
  strcpy(v31, ">----++++....<<<<.");
  // Pass 1: for i in [0, 18) append the byte ((Block[i] ^ v31[i]) + 22) to
  // v25. sub_4021E0 looks like basic_string::append(count, ch); its third
  // parameter is a char, so the value is truncated to 8 bits on the way in.
  do
  {
    sub_4021E0(v25, 1u, (*((_BYTE *)Block + v0) ^ v31[v0]) + 22);
    ++v0;
  }
  while ( v0 < 18 );
  v1 = 0;
  // Block is now re-initialised as an empty string (capacity 15, size 0),
  // discarding the literal copied into it above.
  Block[5] = (void *)15;
  Block[4] = nullptr;
  LOBYTE(Block[0]) = 0;
  LOBYTE(v32) = 2;
  v2 = v26;                 // v25's capacity (also reused for cleanup below)
  v3 = (void **)v25[0];     // v25's heap pointer, meaningful only if capacity >= 16
  // Pass 2: read v25's 18 bytes (from the heap buffer if the string outgrew
  // its inline storage, else inline) and append each byte + 9 to Block. As
  // 18 bytes exceed the 15-byte inline capacity, the heap branch is presumably
  // the one taken here.
  do
  {
    v4 = v25;
    if ( v2 >= 0x10 )
      v4 = v3;
    sub_4021E0(Block, 1u, *((_BYTE *)v4 + v1++) + 9);
  }
  while ( v1 < 18 );
  // v24 is a 184-byte object on which fclose, streambuf::_Init, ios::setstate
  // and ~ios are later invoked, so it is presumably an iostream-derived object
  // (an ifstream or similar) and sub_401620 its constructor. v5 and v21..v23
  // are never assigned, so they look like decompiler artifacts rather than
  // real arguments — TODO confirm in the disassembly.
  memset(v24, 0, sizeof(v24));
  sub_401620(v24, v5, v21, v22, v23);
  LOBYTE(v32) = 3;
  // Stream-state check: the ios subobject is located through an offset read
  // via v24[0]. The mask 6 matches MSVC's ios_base::failbit (2) | badbit (4),
  // so a stream that failed to open prints the taunt and exits.
  if ( (*((_BYTE *)&v24[3] + *(_DWORD *)(v24[0] + 4)) & 6) != 0 )
  {
    v6 = sub_402A00(std::cerr, "?W?h?a?t h?a?p?p?e?n?");
    std::ostream::operator<<(v6);   // presumably std::endl (manipulator elided)
    exit(-1);
  }
  // Reads the user's input from the stream into the string v27 (sub_402E90 is
  // presumably operator>> / getline for std::string — not visible here).
  sub_402E90(v24, &v27);
  // Inline close() of the stream's file buffer: if a FILE* is attached, flush
  // it (sub_4022F0) and fclose it; any failure leaves v7 == nullptr so that
  // failbit is set below. The streambuf is then reset to an empty state.
  v7 = &v24[4];
  if ( v24[23] )
  {
    if ( !(unsigned __int8)sub_4022F0() )
      v7 = nullptr;
    if ( fclose((FILE *)v24[23]) )
      v7 = nullptr;
  }
  else
  {
    v7 = nullptr;
  }
  LOBYTE(v24[22]) = 0;
  BYTE1(v24[19]) = 0;
  std::streambuf::_Init(&v24[4]);
  v24[20] = dword_408590;
  v24[23] = 0;
  v24[21] = dword_408594;
  v24[18] = 0;
  if ( !v7 )
    std::ios::setstate((char *)v24 + *(_DWORD *)(v24[0] + 4), 2, 0);   // 2 == failbit
  // Compare the input string (size v28; its buffer pointer presumably travels
  // in ecx/v8 via __thiscall) with the computed key in Block. sub_4020C0
  // returns 0 on a match.
  v9 = Block;
  if ( Block[5] >= (void *)0x10 )
    v9 = (void **)Block[0];
  v10 = sub_4020C0(v8, v28, v9, Block[4]);
  v11 = (int *)std::cout;
  if ( v10 )
  {
    v19 = "=W=r=o=n=g=K=e=y=";
  }
  else
  {
    // Success banner, one line per pair of calls (sub_402A00 looks like
    // operator<<(ostream&, const char*); the following single-argument
    // operator<< is presumably std::endl).
    v12 = sub_402A00(std::cout, "|------------------------------|");
    std::ostream::operator<<(v12);
    v13 = sub_402A00(std::cout, "|==============================|");
    std::ostream::operator<<(v13);
    v14 = sub_402A00(std::cout, "|==============================|");
    std::ostream::operator<<(v14);
    v15 = sub_402A00(std::cout, "|==============================|");
    std::ostream::operator<<(v15);
    v16 = sub_402A00(std::cout, "\\ /\\ /\\ /\\ /\\==============|");
    std::ostream::operator<<(v16);
    v17 = sub_402A00(std::cout, " \\/ \\/ \\/ \\/ \\=============|");
    std::ostream::operator<<(v17);
    v18 = sub_402A00(std::cout, " |-------------|");
    std::ostream::operator<<(v18);
    std::ostream::operator<<(std::cout);
    v11 = (int *)std::cout;
    v19 = "Congrats You got it!";
  }
  v20 = sub_402A00(v11, v19);
  std::ostream::operator<<(v20);
  sub_401570();   // not visible here; runs after the verdict is printed
  // Teardown: the stream object, then the three strings. Heap buffers are
  // released (sub_402630 looks like the deallocate helper) only when the
  // capacity shows one was ever allocated.
  std::ios::~ios<char,std::char_traits<char>>(&v24[28]);
  if ( Block[5] >= (void *)0x10 )
    sub_402630((_DWORD *)Block[0], (unsigned int)Block[5] + 1);
  if ( v2 >= 0x10 )
    sub_402630(v3, v2 + 1);
  if ( v29 >= 0x10 )
    sub_402630(v27, v29 + 1);
}
关键点
// Excerpt of sub_401100: the only part that determines the expected key.
// Block is used as a scratch char buffer for the first literal; v31 holds
// the 18-byte mask.
strcpy((char *)Block, "themidathemidathemida");
strcpy(v31, ">----++++....<<<<.");
// Pass 1: for i in [0, 18) append the byte ((Block[i] ^ v31[i]) + 22) to v25.
// sub_4021E0 looks like basic_string::append(count, ch); its third parameter
// is a char, so the value is truncated to 8 bits.
do
{
  sub_4021E0(v25, 1u, (*((_BYTE *)Block + v0) ^ v31[v0]) + 22);
  ++v0;
}
while ( v0 < 18 );
v1 = 0;
// Block is reset to an empty string (capacity 15, size 0); the literal copied
// into it above is discarded.
Block[5] = (void *)15;
Block[4] = nullptr;
LOBYTE(Block[0]) = 0;
LOBYTE(v32) = 2;
v2 = v26;                 // v25's capacity
v3 = (void **)v25[0];     // v25's heap pointer (meaningful only if capacity >= 16)
// Pass 2: read each of v25's 18 bytes (heap buffer if capacity >= 16, else
// inline) and append byte + 9 to Block. Block is the expected key afterwards.
do
{
  v4 = v25;
  if ( v2 >= 0x10 )
    v4 = v3;
  sub_4021E0(Block, 1u, *((_BYTE *)v4 + v1++) + 9);
}
while ( v1 < 18 );
就这么多。我们看到的 sub_4021E0 是一个包装函数：它把字符追加到 std::string 末尾（形态对应 MSVC 的 basic_string::append(count, ch)），真正的变换逻辑来自调用时传入的第三个参数 a3。第一轮循环里 a3 = (Block[i] ^ v31[i]) + 22，第二轮循环再对每个字节 +9；两步都经过 char 参数，因此都会截断到 8 位。其实有挺多这样的题目，这类函数里一般都会有 "string too long" 这个字符串提示，看到它就可以直接认出是 std::string 的追加/赋值函数，不必逐行分析。
// Decompiled (IDA) helper that both key-building loops call once per byte.
// Its shape matches MSVC's basic_string<char>::append(size_t count, char ch):
//   this[4] — current length, this[5] — capacity,
//   capacity < 0x10 → characters are stored inline in the object,
//   otherwise *this points to a heap buffer (small-string optimisation).
// NOTE(review): the field roles are inferred from how they are read and
// written here; confirm against the CRT version in the binary.
//
// Returns `this`. Throws via std::_Xlength_error("string too long") when the
// new length would exceed the representable maximum.
_DWORD *__thiscall sub_4021E0(_DWORD *this, size_t Size, char a3)
{
  int v4; // ecx
  size_t v5; // ebx
  int v6; // edx
  _DWORD *v7; // ecx
  v4 = *(this + 4);                       // old length
  // max_size() check: (size_t)-1 - old_len <= count means "too long". The
  // left side is evaluated unsigned because Size is size_t.
  if ( -1 - v4 <= Size )
    std::_Xlength_error("string too long");
  if ( Size )
  {
    v5 = v4 + Size;                       // new length
    // sub_402690 presumably grows/reallocates the buffer to hold v5 and
    // returns nonzero on success; on failure nothing is appended — confirm.
    if ( sub_402690(this, v4 + Size, v4) )
    {
      v6 = *(this + 4);                   // re-read length after possible reallocation
      if ( Size == 1 )
      {
        // Single character: write it at the current end, inline or heap.
        if ( *(this + 5) < 0x10u )
          *((_BYTE *)this + v6) = a3;
        else
          *(_BYTE *)(*this + v6) = a3;
      }
      else
      {
        // Several copies: pick the buffer base by capacity, then memset.
        if ( *(this + 5) < 0x10u )
          v7 = this;
        else
          v7 = (_DWORD *)*this;
        memset((char *)v7 + v6, a3, Size);
      }
      *(this + 4) = v5;                   // commit the new length
      // NUL-terminate at the new end (inline vs heap chosen by capacity).
      if ( *(this + 5) >= 0x10u )
      {
        *(_BYTE *)(*this + v5) = 0;
        return this;
      }
      *((_BYTE *)this + v5) = 0;
    }
  }
  return this;
}
exp
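def derive_key(s1: bytes, s2: bytes, length: int = 18) -> bytes:
    """Recompute the key that sub_401100 builds from its two literals.

    Mirrors the two append loops in the binary byte for byte:
      pass 1: (s1[i] ^ s2[i]) + 22, passed as a ``char`` (8-bit wrap)
      pass 2: that byte + 9, again passed as a ``char`` (8-bit wrap)

    Args:
        s1: first literal ("themidathemidathemida" in the binary).
        s2: XOR mask ("&gt;----++++....&lt;&lt;&lt;&lt;." in the binary).
        length: number of bytes the loops process (the binary hard-codes 18).

    Returns:
        The ``length``-byte key the binary compares the input against.

    Raises:
        ValueError: if either input is shorter than ``length`` — the binary
            would read past the literal, so there is no meaningful answer.
    """
    if len(s1) < length or len(s2) < length:
        raise ValueError("both inputs must be at least %d bytes long" % length)
    out = bytearray()
    for i in range(length):
        # Each stage goes through a ``char`` parameter in sub_4021E0, so mask
        # to 8 bits; without the mask bytes([...]) raises for values > 255.
        stage1 = ((s1[i] ^ s2[i]) + 22) & 0xFF
        out.append((stage1 + 9) & 0xFF)
    return bytes(out)


s1 = b"themidathemidathemida"
s2 = b">----++++....<<<<."
key = derive_key(s1, s2)
print(key.decode())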
flag
idg_cni~bjbfi|gsxb
一把梭