使用IDA查看源码
查看代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rdx
__int64 v4; // rcx
int v6; // [rsp+4h] [rbp-8Ch]
unsigned int v7; // [rsp+8h] [rbp-88h]
int v8; // [rsp+Ch] [rbp-84h]
int v9[31]; // [rsp+10h] [rbp-80h] BYREF
char v10[4]; // [rsp+8Ch] [rbp-4h] BYREF
v9[0] = 0x66;
v9[1] = 109;
v9[2] = 99;
v9[3] = 98;
v9[4] = 127;
v9[5] = 58;
v9[6] = 85;
v9[7] = 106;
v9[8] = 57;
v9[9] = 82;
v9[10] = 122;
v9[11] = 55;
v9[12] = 81;
v9[13] = 19;
v9[14] = 51;
v9[15] = 35;
v9[16] = 67;
v9[17] = 70;
v9[18] = 41;
v9[19] = 61;
v9[20] = 41;
v9[21] = 32;
v9[22] = 127;
v9[23] = 28;
v9[24] = 38;
v9[25] = 77;
v9[26] = 49;
v9[27] = 20;
v9[28] = 80;
v9[29] = 94;
v9[30] = -24;
sub_4007F8(v10, 0LL, 4LL);
v7 = 0;
v6 = 0;
a_puts((__int64)aFlag);
do
{
v8 = a_getc();
v6 |= v8 ^ v7 ^ (v7 + (v7 ^ v9[v7]));
v4 = v7++;
}
while ( v8 && v8 != 10 && v8 != -1 );
if ( v6 )
a_write((__int64)aFailed, 0LL, v3, v4);
else
a_write((__int64)aCorrect, 0LL, v3, v4);
return 0;
}一上来的数字,应该是加密后的flag
aFlag为FLAG:说明这个函数是puts之类的输出函数,对应后边的aFailed就应该也是输出可能是printf,不重要
v8 = XXX 这里在循环里最后还比较-1和10说明是getc类的。
梳理完这个流程就比较明白了:flag输入每次一个字符,然与密文后作运算最后或到v6上,那么如果让v6为0就必需每个字符的运算结果都为0,也就得到了校验公式
v8 = v7 ^ (v7 + (v7 ^ v9[v7]))对应解码程序
a = [102,109,99,98,127,58,85,106,57,82,122,55,81,19,51,35,67,70,41,61,41,32,127,28,38,77,49,20,80,94]
for i in range(len(a)):
print(chr(i^(i+(i^a[i]))), end='')最终得到flag{A_s1mpLe&E4sy_RE_i5Nt_1t}