流浪者
打开.exe,输入错误显示加油
拖进IDA,查找字符串,找到刚刚的请输入pass!
反编译(F5)查看伪代码:for循环里用嵌套的if判断,对数字、大写字母、小写字母分别进行加密(实际是各减去一个常数的映射:数字减48得到0–9,小写字母减'W'(87)得到10–35,大写字母减29得到36–61);其他字符会调用sub_4017B0()输出错误,所以输入只能由这三类字符组成,要执行后面的else

// IDA pseudo-code. Reads the text of dialog control 1002 into the CString
// stored at this+100, converts every character to an integer in 0..61 and
// hands the resulting int array to sub_4017F0 for the actual comparison.
//
// Character mapping performed by the loop:
//   '0'..'9' -> 0..9    (Str[i] - 48)
//   'a'..'z' -> 10..35  (Str[i] - 'W', 'W' == 87)
//   'A'..'Z' -> 36..61  (Str[i] - 29)
// Anything else calls sub_4017B0() (the failure routine according to the
// write-up; its body is not shown here).
int __thiscall sub_401890(CWnd *this)
{
  CWnd *v1; // eax
  int v2; // eax
  struct CString *v4; // [esp-4h] [ebp-C4h]
  // Fixed 26-element buffer for the mapped values; see the NOTE on the loop.
  int v5[26]; // [esp+4Ch] [ebp-74h] BYREF
  int i; // [esp+B4h] [ebp-Ch]
  char *Str; // [esp+B8h] [ebp-8h]
  CWnd *v8; // [esp+BCh] [ebp-4h]

  v8 = this;
  // The CString member at offset 100 of the dialog object receives the input.
  v4 = (CWnd *)((char *)this + 100);
  v1 = CWnd::GetDlgItem(this, 1002);
  CWnd::GetWindowTextA(v1, v4);
  // sub_401A30 is not shown; presumably it returns the string length, which
  // is then used as GetBuffer's minimum buffer length -- TODO confirm.
  v2 = sub_401A30((char *)v8 + 100);
  Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v2);
  // Empty input: show the "please enter pass" message box and stop.
  if ( !strlen(Str) )
    return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0);
  // NOTE(review): the loop is bounded only by the NUL terminator of Str, never
  // by the 26-element size of v5, so input longer than 26 characters makes the
  // v5[i] stores run past the end of the buffer into the adjacent stack slots.
  // A bounds check on i is missing.
  for ( i = 0; Str[i]; ++i )
  {
    if ( Str[i] > '9' || Str[i] < '0' )
    {
      if ( Str[i] > 'z' || Str[i] < 'a' )
      {
        if ( Str[i] > 'Z' || Str[i] < 'A' )
          // Not alphanumeric. v5[i] is not written on this path; whether the
          // loop continues afterwards depends on whether sub_4017B0 returns.
          sub_4017B0();
        else
          // Upper case: 'A' (65) - 29 == 36 ... 'Z' (90) - 29 == 61.
          v5[i] = Str[i] - 29;
      }
      else
      {
        // Lower case: 'a' (97) - 87 == 10 ... 'z' (122) - 87 == 35.
        v5[i] = Str[i] - 'W';
      }
    }
    else
    {
      // Digit: '0' (48) - 48 == 0 ... '9' - 48 == 9.
      v5[i] = Str[i] - 48;
    }
  }
  // No terminator is stored after the last mapped value: sub_4017F0 stops at
  // the first element outside 0..61, so the end of the data is decided by
  // whatever happens to follow the written entries in v5.
  return sub_4017F0((int)v5);
}

查看sub_4017F0:遍历a1数组(即上面的v5),只要元素值在0到61之间,就把它作为下标在表aAbcdefghiabcde中取出一个字符存入Str1;得到的Str1再与字符串KanXueCTF2019JustForhappy进行比较,相等则调用sub_401770(),否则调用sub_4017B0()

// IDA pseudo-code. Treats a1 as the address of an int array (the caller passes
// its v5 buffer cast to int), translates each element through the lookup table
// aAbcdefghiabcde into Str1 and compares Str1 with the hard-coded string.
// Returns the result of sub_401770() on a match and of sub_4017B0() otherwise;
// neither routine is shown in this listing.
int __cdecl sub_4017F0(int a1)
{
  int result; // eax
  // 28 bytes: room for 27 characters plus the terminator.
  char Str1[28]; // [esp+D8h] [ebp-24h] BYREF
  // v3 is zeroed below and never read in this function.
  int v3; // [esp+F4h] [ebp-8h]
  // v4 is the running index into both the input array and Str1.
  int v4; // [esp+F8h] [ebp-4h]

  v4 = 0;
  v3 = 0;
  // Continue while the current element is a valid table index (0..61).
  // NOTE(review): v4 is never compared with the size of Str1 or with the
  // length of the caller's array; the loop ends only when an out-of-range
  // value is read, so both the reads from a1 and the writes to Str1 can go
  // past their buffers. A length bound is missing here as well.
  while ( *(int *)(a1 + 4 * v4) < 62 && *(int *)(a1 + 4 * v4) >= 0 )
  {
    // Table lookup: index -> character. The table contents are not part of
    // this listing; the index range implies at least 62 entries.
    Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
    ++v4;
  }
  Str1[v4] = 0;
  // The translated input must equal this 25-character string exactly.
  if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
    result = sub_401770();
  else
    result = sub_4017B0();
  return result;
}

写脚本:把上面两步反过来——先求出目标字符串每个字符在表中的下标,再按下标所在范围还原成输入字符:

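# Solver for the crackme: inverts the two-stage check seen in the decompilation.
#   stage 1 (sub_401890): input character -> index 0..61
#   stage 2 (sub_4017F0): index -> table character, compared with the target
# The indentation lost in the listing is restored so the script runs as-is.

# 62-entry lookup table; presumably the contents of aAbcdefghiabcde in the
# binary (the table itself is not shown in the decompilation).
str1 = 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'
# String the translated input is compared against with strcmp().
s = 'KanXueCTF2019JustForhappy'

# Undo stage 2: position of each target character in the table.
# str.index raises ValueError if a character is missing from the table.
f = []
for i in s:
    f.append(str1.index(i))

# Undo stage 1: the three index ranges are mutually exclusive, so use one
# if/elif/else chain instead of three independent tests.
flag = ''
for i in f:
    if 0 <= i <= 9:
        flag += chr(i + 48)   # 0..9   -> '0'..'9'
    elif 10 <= i <= 35:
        flag += chr(i + 87)   # 10..35 -> 'a'..'z'
    else:
        flag += chr(i + 29)   # 36..61 -> 'A'..'Z'

# Sanity check: the binary only maps alphanumeric input, and the recovered
# input has exactly one character per target character.
assert flag.isalnum() and len(flag) == len(s)
print(flag)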

运行:

j0rXI4bTeustBiIGHeCF70DDM