re入门2
RevMethod
直接搜索flag找到真正的主函数
`int sub_411990()
// IDA pseudocode of the real main routine (the one found by searching for "flag").
// All sub_*/byte_*/unk_* names are decompiler defaults, not symbols.
// Observed flow: seed rand(), print 100 decoy "flag{...}" lines built from a
// hex alphabet, read the user's answer into v10, then compare v10[0..6] one byte
// at a time against fixed offsets of byte_41A000; "Just is it!!!" is printed only
// when all seven bytes match.
{
unsigned int v0; // eax
int v1; // edx
int v2; // ecx
int v3; // edx
int v5; // [esp-4h] [ebp-21Ch]
char v6; // [esp+0h] [ebp-218h]
char v7; // [esp+0h] [ebp-218h]
int j; // [esp+D0h] [ebp-148h]
int i; // [esp+DCh] [ebp-13Ch]
// v10 is the 264-byte stack buffer that holds both the decoy flags and the user's input.
char v10[264]; // [esp+E8h] [ebp-130h] BYREF
int v11; // [esp+1F0h] [ebp-28h]
// v12 holds the 16-character alphabet used to build the decoys (17 bytes incl. NUL fit in 24).
char v12[24]; // [esp+1FCh] [ebp-1Ch] BYREF
int v13; // [esp+214h] [ebp-4h]
int savedregs; // [esp+218h] [ebp+0h] BYREF
// Opaque helper on unknown data; its purpose is not visible in this listing.
sub_411334(&unk_41D006);
// PRNG seeding: sub_411E80(0) is presumably time(0) — confirm in IDA.
v0 = sub_411E80(0);
srand(v0);
// sub_411258 is called three different ways in this function (no args here,
// two ints in the loop, two values in the epilogue); it is most likely an
// incremental-linking thunk the decompiler could not resolve — confirm.
((void (*)(void))sub_411258)();
strcpy(v12, "abcdef0123456789");
v11 = 0;
// Zero the buffer so the 32-byte decoys below are always NUL-terminated.
j_memset(v10, 0, 0x100u);
// Print 100 decoy flags: each is 32 characters picked from v12.
for ( i = 0; i < 100; ++i )
{
for ( j = 0; j < 32; ++j )
{
// rand() result is discarded in the pseudocode; v2/v1 are uninitialized
// register leftovers (decompiler artifact), so the index source is unclear.
rand();
v10[j] = v12[sub_411258(v2, v1) % 16];
}
// NOTE(review): the format string on this line looks garbled by extraction
// (presumably "flag{%s}\r\n") — confirm against the original listing.
sub_4110D7(""flag{%s}", \r\n", (char)v10);
}
sub_4110D7("What is the true flag???\r\n", v6);
// Reads the user's answer into v10 with "%s"; if this is scanf, the read has
// no width limit, so an over-long answer would overrun the 264-byte buffer.
// The (char) cast is a decompiler artifact.
sub_411037("%s", (char)v10);
// Only v10[0..6] are ever checked; the v3 assignments between checks are
// leftover edx register traffic and do not affect the comparison.
v3 = v10[0];
if ( v10[0] == *(&byte_41A000 + 160) )
{
v3 = 1;
if ( v10[1] == *(&byte_41A000 + 561) )
{
v3 = 2;
if ( v10[2] == *(&byte_41A000 + 962) )
{
v3 = v10[3];
if ( v10[3] == *(&byte_41A000 + 1363) )
{
v3 = 4;
if ( v10[4] == *(&byte_41A000 + 1764) )
{
v3 = v10[5];
if ( v10[5] == *(&byte_41A000 + 2565) )
{
v3 = v10[6];
if ( v10[6] == *(&byte_41A000 + 2566) )
sub_4110D7("Just is it!!!", v7);
}
}
}
}
}
}
// Epilogue: presumably the compiler's debug runtime-check helper — confirm.
sub_4111F4(&savedregs, &dword_411C54, 0, v3);
// The frame-address XOR v13 pattern resembles a stack-cookie check; the
// return value is not meaningful to the program's logic.
return sub_411258((unsigned int)&savedregs ^ v13, v5);
}`
简单来说，程序是把输入的每一位和 byte_41A000 处对应地址偏移量的内容逐一对比；flag 的前五位是固定的 flag{，也就是说 0x41A000 + 2566 = 0x41AA06 地址一定是 flag。
v10[0] == byte at 0x41A000 + 160 = 0x41A0A0
v10[1] == byte at 0x41A000 + 561 = 0x41A231
v10[2] == byte at 0x41A000 + 962 = 0x41A3C2
v10[3] == byte at 0x41A000 + 1363 = 0x41A553
v10[4] == byte at 0x41A000 + 1764 = 0x41A6E4
v10[5] == byte at 0x41A000 + 2565 = 0x41AA05
v10[6] == byte at 0x41A000 + 2566 = 0x41AA06