[MRCTF2020]Xor

首先查壳，无壳，32位程序
拖入IDA pro,main函数反汇编

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int i; // eax

  sub_401020((int)"Give Me Your Flag String:\n");
  sub_401050("%s", byte_4212C0);
  if ( strlen(byte_4212C0) != 27 )
  {
LABEL_6:
    sub_401020((int)"Wrong!\n");
    sub_404B7E("pause");
    _loaddll(0);
    __debugbreak();
  }
  for ( i = 0; i < 0x1B; ++i )   //1B即27
  {
    if ( ((unsigned __int8)i ^ (unsigned __int8)byte_4212C0[i]) != byte_41EA08[i] )
      goto LABEL_6;
  }
  sub_401020((int)"Right!\n");
  sub_404B7E("pause");
  return 0;
}

byte_41EA08存储的字符串为'MSAWB~FXZ:J:`tQJ"N@ bpdd}8g'

.rdata:0041EA08 ; char byte_41EA08[]
.rdata:0041EA08 byte_41EA08     db 'M'                  ; DATA XREF: _main+48↑r
.rdata:0041EA09 aSawbFxzJTqjNBp db 'SAWB~FXZ:J:`tQJ"N@ bpdd}8g',0

输入字符串的长度为27,每一位与i进行xor，且与该字符串'MSAWB~FXZ:J:`tQJ"N@ bpdd}8g'相同

#-*- codeing = utf-8 -*-
crypto='MSAWB~FXZ:J:`tQJ"N@ bpdd}8g'
flag=''
for i in range(len(crypto)):
    flag+=chr(ord(crypto[i])^i)
print(flag)

MRCTF{@_R3@1ly_E2_R3verse!},flag为flag

posted @ 2021-09-25 22:26 超级想睡觉阅读(290) 评论(0) 收藏举报

刷新页面返回顶部

博客

[MRCTF2020]Xor

公告