题目
解题思路
1、附件下载是一个base.exe,运行如下图:
2、扔到IDA,F5查看伪代码如下
// Hex-Rays pseudocode of the crackme's entry point: reads a candidate flag and
// prints "correct" only if every check in the && chain below passes.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char Str[112]; // [rsp+20h] [rbp-70h] BYREF

    sub_402300();
    puts("please input your flag");
    // NOTE(review): sub_40AA40 is presumably a scanf-style routine (its body is not on this
    // page); if so, "%100s" caps the read at 100 characters plus the terminator, which fits
    // the 112-byte buffer.
    sub_40AA40("%100s", Str);
    if ( strlen(Str) == 42 // the flag must be exactly 42 characters long
      && !strncmp("flag{", Str, 5ui64) // and must start with the prefix "flag{"
      && asc_40C030[0] == Str[41] // last character must equal the byte at asc_40C030 (value not shown; presumably '}')
      && (unsigned __int8)sub_401530() // takes no argument; runs before sub_401594 because && evaluates left to right
      && sub_401594((__int64)Str) ) // the 42-character input is handed to sub_401594 for the actual check
    {
        puts("correct");
    }
    else
    {
        puts("try again");
    }
    system("pause");
    return 0;
}
sub_401594函数分析
// Hex-Rays pseudocode of the flag-body check. a1 is the address of the input buffer that
// main passes in. Returns true when the 36 characters after "flag{" map, three at a time,
// to the 12-byte target string.
bool __fastcall sub_401594(__int64 a1)
{
    char Destination[48]; // [rsp+20h] [rbp-50h] BYREF
    char Str2[24]; // [rsp+50h] [rbp-20h] BYREF
    int j; // [rsp+68h] [rbp-8h]
    int i; // [rsp+6Ch] [rbp-4h]

    // Copy 0x24 (36) bytes starting at a1 + 5, i.e. the part that follows the "flag{" prefix.
    strncpy(Destination, (const char *)(a1 + 5), 0x24ui64);
    for ( i = 0; i <= 35; ++i )
    {
        // Only the characters '0'..'3' (ASCII 48..51) are accepted.
        if ( Destination[i] <= 47 || Destination[i] > 51 )
            return 0;
        Destination[i] -= 48; // convert the ASCII digit to its value 0..3
    }
    // Each group of three base-4 digits forms a 6-bit index (16*d0 | 4*d1 | d2, range 0..63)
    // into Str. Str is not declared in this function.
    // NOTE(review): presumably a global lookup table; its initial contents are not shown on
    // this page.
    for ( j = 0; j <= 11; ++j )
        Str2[j] = Str[(4 * Destination[3 * j + 1]) | (16 * Destination[3 * j]) | Destination[3 * j + 2]];
    // The writeup pastes the pseudocode of sub_401530 here as a comment. main calls it before
    // this function; it XORs every byte of a Str (apparently the same table) with 0x20:
    // __int64 sub_401530()
    // {
    // int i; // [rsp+2Ch] [rbp-54h]
    //
    // for ( i = 0; i < strlen(Str); ++i )
    // Str[i] ^= 0x20u;
    // return 1i64;
    // }
    // strncmp returns 0 when the first 0xC (12) bytes match, so this function returns true
    // exactly when Str2 equals the target string.
    return strncmp("Agf2zwz1BML0", Str2, 0xCui64) == 0;
}
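sub_401530函数分析(sub_401530 的伪代码见上文 sub_401594 代码中的注释:它把 Str 的每个字节与 0x20 异或;下面贴出的仍是 main 函数,用于说明 sub_401530 在 sub_401594 之前被调用)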
// Repeat of the main() listing, shown under the sub_401530 heading. It shows where
// sub_401530 sits in the check chain: after the length/prefix/last-character tests and
// before sub_401594.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char Str[112]; // [rsp+20h] [rbp-70h] BYREF

    sub_402300();
    puts("please input your flag");
    // NOTE(review): sub_40AA40 looks like a scanf-style read limited to 100 characters by the
    // "%100s" format; its body is not on this page.
    sub_40AA40("%100s", Str);
    if ( strlen(Str) == 42 // input length must be 42
      && !strncmp("flag{", Str, 5ui64) // first five characters must be "flag{"
      && asc_40C030[0] == Str[41] // character 41 is compared with the byte at asc_40C030 (value not shown here)
      && (unsigned __int8)sub_401530() // called with no argument, so it does not read this local Str
      && sub_401594((__int64)Str) ) // only reached if every earlier test passed; receives the 42-character input
    {
        puts("correct");
    }
    else
    {
        puts("try again");
    }
    system("pause");
    return 0;
}
编写解题脚本
# Inverts the check in sub_401594: every character of the 12-byte target is looked up
# in the table to get a 6-bit index, and each index is split back into the three
# base-4 digits (written as the characters '0'..'3') that produce it.

# Table as the writeup gives it: lower case, upper case, digits, '+', '/'.
# NOTE(review): sub_401530 XORs the binary's table with 0x20. That flips the case of
# letters, but it would also change the digit, '+' and '/' bytes. The table's initial
# contents are not shown on the page, so confirm entries 52-63 against the binary.
str1='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/'
# Target string that sub_401594 compares against.
f = 'Agf2zwz1BML0'

# Table index of every target character (find() yields -1 for a character not in the table).
list1 = []
for ch in f:
    print(ch)
    list1.append(str1.find(ch))
print(list1)

flag=''
list2 = [0,1,2,3]
for idx in list1:
    # Try all 64 digit triples in (16s, 4s, 1s) order and keep the one whose packed
    # value equals the index; an index of -1 matches nothing and adds no characters.
    flag += ''.join(
        chr(hi + 48) + chr(mid + 48) + chr(lo + 48)
        for hi in list2
        for mid in list2
        for lo in list2
        if (mid*4 | hi*16 | lo) == idx
    )

# Wrap the 36 digits in the prefix and closing brace that main checks for.
flag = 'flag{' + flag + '}'
print(flag)