攻防世界REVERSE新手区/logmein

攻防世界 REVERSE 新手区/logmein

看题&＃xff0c;是和算法逆向相关的

查一下并没有加壳&＃xff0c;是个64位的程序

用IDA64位打开&＃xff0c;找到main函数&＃xff0c;F5反汇编

分析算法

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{size_t v3; // rsiint i; // [rsp&＃43;3Ch] [rbp-54h]char s[36]; // [rsp&＃43;40h] [rbp-50h]int v6; // [rsp&＃43;64h] [rbp-2Ch]__int64 v7; // [rsp&＃43;68h] [rbp-28h]char v8[8]; // [rsp&＃43;70h] [rbp-20h]int v9; // [rsp&＃43;8Ch] [rbp-4h]v9 &＃61; 0;strcpy(v8, ":\"AL_RT^L*.?&＃43;6/46"); v7 &＃61; 28537194573619560LL; v6 &＃61; 7;printf("Welcome to the RC3 secure password guesser.\n", a2, a3);printf("To continue, you must enter the correct password.\n");printf("Enter your guess: ");__isoc99_scanf("%32s", s);v3 &＃61; strlen(s);if ( v3 < strlen(v8) )sub_4007C0(v8);for ( i &＃61; 0; i < strlen(s); &＃43;&＃43;i ){if ( i >&＃61; strlen(v8) )((void (*)(void))sub_4007C0)();if ( s[i] !&＃61; (char)(*((_BYTE *)&v7 &＃43; i % v6) ^ v8[i]) ) //字符比较((void (*)(void))sub_4007C0)();}sub_4007F0();
}


v7的v7[0]到v7[6 ]依次与v8[i]异或

if ( s[i] !&＃61; (char)(*((_BYTE *)&v7 &＃43; i % v6) ^ v8[i]) ) //字符比较((void (*)(void))sub_4007C0)(); //有一个字符对不上就输出答案错误


将v7转为字符

注意在汇编语言中字符串是以小端存储的&＃xff0c;所以要反过来&＃xff0c;脚本如下

#include
#include
#include int main() {char v8[] &＃61; ":\"AL_RT^L*.?&＃43;6/46";char v7[] &＃61; "harambe";for(int i &＃61; 0; i < strlen(v8) ; i&＃43;&＃43;){v8[i] &＃61; v7[i % 7] ^ v8[i];printf("%c",v8[i]);}return 0;
}!

运行得到flag