文本文档内容:

'CoolerCoolCoolestCoolerCoolCoolerCoolerCoolCoolCoolCoolerCoolCoolerCoolestCoolerCoolerCoolCoolestCoolerCoolerCoolerCoolerCoolerCoolestCoolCoolCoolestCoolestCoolerCoolerCoolCoolerCoolestCoolerCoolerCoolerCoolCoolerCoolerCoolestCoolCoolerCoolestCoolestCoolerCoolerCoolerCoolCoolestCoolCoolerCoolCoolestCoolCoolestCoolerCoolCoolerCoolerCoolestCoolerCoolCoolestCoolerCoolerCoolCoolerCoolestCoolerCoolCoolCoolerCoolestCoolerCoolCoolerCoolCoolestCoolCoolerCoolerCoolCoolerCoolerCoolestCoolCoolestCoolerCoolCoolerCoolerCoolCoolerCoolerCoolestCoolCoolestCoolCoolCoolerCoolCoolestCoolerCoolestCoolCoolerCoolerCoolCoolestCoolCoolerCoolerCoolCoolCoolestCoolCoolerCoolestCoolestCoolerCoolerCoolerCoolCoolestCoolCoolerCoolCoolCoolestCoolestCoolerCoolerCoolerCoolestCoolest'

.exe文件拖进IDA查看main函数

 // Body of main as shown by IDA's decompiler; the signature and the local
 // declarations are not part of this listing. It encodes argv[1] in two
 // stages (D2T, then a per-digit keyword substitution) and prints the result.
 __main();
memset(Destination, 0, sizeof(Destination));
// NOTE(review): argv[1] is copied with no length check, and nothing visible
// here confirms that argv[1] exists. Destination's size is not shown, so an
// over-long argument would overflow it; a bounded copy is the usual fix.
strcpy(Destination, argv[1]);
D2T(Destination); // first encoding stage (the D2T listing writes its output to terCode)
v8 = 0; // write offset into cipertext
memset(cipertext, 0, sizeof(cipertext));
// Second stage: walk terCode one character at a time and append a
// variable-length slice of keys for each of the digits '0', '1' and '2'.
for ( i = 0; ; ++i )
{
v4 = strlen(terCode); // recomputed on every iteration
if ( v4 <= i )
break;
v3 = terCode[i];
if ( v3 == 50 ) // 50 == '2'
{
strncpy(&cipertext[v8], &keys[10], 7u);// copy 7 bytes from keys+10 into cipertext (presumably "Coolest", matching the solver's mapping)
v8 += 7;
}
else if ( v3 <= 50 )
{
if ( v3 == 48 ) // 48 == '0'
{
strncpy(&cipertext[v8], keys, 4u);// copy 4 bytes from the start of keys into cipertext (presumably "Cool")
v8 += 4;
}
else if ( v3 == 49 ) // 49 == '1'
{
strncpy(&cipertext[v8], &keys[4], 6u);// copy 6 bytes from keys+4 into cipertext (presumably "Cooler")
v8 += 6;
}
// any other value below '0' emits nothing
}
}
// NOTE(review): v8 is never compared with sizeof(cipertext) in this listing,
// so the output length is bounded only by the length of terCode.
printf("%s", cipertext);// print the second-stage output, i.e. the string found in the text file
return 0;
}

查看一次加密函数D2T,以及它调用的d2t

// Body of D2T as decompiled (signature and declarations not shown): for each
// character of Str it calls d2t to produce 5 characters in Source and stores
// them at terCode[5 * i], so the output is five times the input length.
v3 = strlen(Str);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= v3 )
break;
memset(Source, 0, sizeof(Source));
d2t(Str[i], (int)Source); // second helper: encodes one character into Source (pointer passed as int in the pseudocode)
strncpy(&terCode[5 * i], Source, 5u);// copy the 5 characters produced for this input character
// NOTE(review): no bound on 5 * i against the size of terCode is visible here.
}
return result; // the loop index at exit, i.e. the number of characters processed
// Presumably the body of d2t (the page gives this listing no heading): writes
// a1 as five base-3 digits, encoded as ASCII '0'..'2', into the buffer at a2.
// Index 4 receives the least significant digit, index 0 the most significant.
result = a1;
v4 = a1;
for ( i = 4; i >= 0; --i )
{
// The cast binds before %, so only v4 truncated to char is reduced mod 3.
// NOTE(review): if char is signed and the value is negative the remainder is
// negative too, giving a character below '0' — confirm against the binary.
*(_BYTE *)(i + a2) = (char)v4 % 3 + '0';
result = v4 / 3;
v4 /= 3;
}
return result; // quotient left after five divisions by 3

写脚本

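# Solver: invert both encoding stages to recover the original program argument.
# str1 is the encoded string taken from the text file.
str1 = 'CoolerCoolCoolestCoolerCoolCoolerCoolerCoolCoolCoolCoolerCoolCoolerCoolestCoolerCoolerCoolCoolestCoolerCoolerCoolerCoolerCoolerCoolestCoolCoolCoolestCoolestCoolerCoolerCoolCoolerCoolestCoolerCoolerCoolerCoolCoolerCoolerCoolestCoolCoolerCoolestCoolestCoolerCoolerCoolerCoolCoolestCoolCoolerCoolCoolestCoolCoolestCoolerCoolCoolerCoolerCoolestCoolerCoolCoolestCoolerCoolerCoolCoolerCoolestCoolerCoolCoolCoolerCoolestCoolerCoolCoolerCoolCoolestCoolCoolerCoolerCoolCoolerCoolerCoolestCoolCoolestCoolerCoolCoolerCoolerCoolCoolerCoolerCoolestCoolCoolestCoolCoolCoolerCoolCoolestCoolerCoolestCoolCoolerCoolerCoolCoolestCoolCoolerCoolerCoolCoolCoolestCoolCoolerCoolestCoolestCoolerCoolerCoolerCoolCoolestCoolCoolerCoolCoolCoolestCoolestCoolerCoolerCoolerCoolestCoolest'

# Undo the keyword substitution. The order matters: 'Cool' is a prefix of the
# other two keywords, so the longest keyword has to be replaced first.
str2 = str1.replace('Coolest', '2')
str3 = str2.replace('Cooler', '1')
digits = str3.replace('Cool', '0')  # named 'digits' so the builtin str is not shadowed

# Undo the ternary stage: every input character became five base-3 digits,
# most significant first. A trailing partial group is ignored.
flag = ''
for i in range(len(digits) // 5):
    value = int(digits[i * 5:i * 5 + 5], 3)
    # Only printable ASCII is accepted, the same range the brute-force
    # search over range(32, 127) covered; other values are skipped.
    if 32 <= value < 127:
        flag += chr(value)
print(flag)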

flag{L1_4re_g00d_@_7Ern4rY}