logmein
把程序拖进 IDA,查看 main 函数的反编译结果。
其中 s 是保存用户输入的缓冲区;只有输入与程序内部还原出的字符串逐字节相等才能通过校验,所以 s 应有的值就是要求的 flag。

// Excerpt of main as printed by the decompiler; variable declarations are not part of this excerpt.
v9 = 0;
// v8 receives the 17-character obfuscated reference string the input is checked against.
strcpy(v8, ":\"AL_RT^L*.?+6/46");
// Multi-character constant as the decompiler prints it: v7 is an integer whose bytes are read
// one at a time in the loop below. The solver script on this page uses the reversed string
// "harambe" (little-endian byte order).
v7 = 'ebmarah';
// '\a' is 0x07; it is used below as the modulus, i.e. the key length.
v6 = '\a';
printf("Welcome to the RC3 secure password guesser.\n");
printf("To continue, you must enter the correct password.\n");
printf("Enter your guess: ");
// NOTE(review): the decompiler shows no destination argument here; presumably the input
// buffer s - confirm in the disassembly. The size of s is not visible in this excerpt, so
// whether the %32s width fits the buffer cannot be checked from here.
__isoc99_scanf("%32s");
v3 = strlen(s); // length of the input (the candidate flag)
// Input shorter than v8 is rejected.
if ( v3 < strlen(v8) )
sub_4007C0();
for ( i = 0; i < strlen(s); ++i )
{
// Input longer than v8 is rejected, so together with the check above the input length
// must equal strlen(v8).
if ( i >= strlen(v8) )
sub_4007C0();
// Repeating-key XOR check: input byte i must equal v8[i] XOR byte (i % v6) of v7.
// Both operands are constants stored in the binary, so the expected input can be derived
// by static analysis alone; the XOR hides the password from a plain strings dump only.
if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
sub_4007C0();
}
// Reached only when no check above called sub_4007C0(), which does not return.
sub_4007F0();

查看sub_4007C0():

// Failure path: prints the rejection message and terminates the process.
// The exit status is 0, so a caller inspecting only the status cannot tell a
// wrong guess apart from the success path in sub_4007F0(); only the printed text differs.
void __noreturn sub_4007C0()
{
printf("Incorrect password!\n");
exit(0);
}

查看sub_4007F0()

// Success path: prints the confirmation message and terminates the process with status 0.
void __noreturn sub_4007F0()
{
printf("You entered the correct password!\nGreat job!\n");
exit(0);
}

写脚本:校验条件是 s[i] == v7[i % 7] ^ v8[i],所以把 v8 与循环使用的密钥 v7 逐字节异或,就能还原出正确的输入:

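# Recover the expected input by undoing the repeating-key XOR check from main:
#   s[i] == key[i % len(key)] ^ v8[i]
v8 = ":\"AL_RT^L*.?+6/46"  # obfuscated reference string copied from the binary
v7 = 'harambe'  # key; little-endian, so the string IDA shows ('ebmarah') is reversed by hand
# len(v7) replaces the hard-coded 7 so the key and the modulus cannot drift apart.
flag = ''.join(chr(ord(v7[i % len(v7)]) ^ ord(c)) for i, c in enumerate(v8))
print(flag)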

运行:

RC3-2016-XORISGUD