Analysis

题目提示分析,直接打开IDA分析

shift+F12查看字符串,找到flag的句子

zid

找到主函数

// IDA decompilation of the challenge binary's main(): it lays out the expected
// (already mix()-transformed) flag bytes on the stack, reads the user's guess,
// runs the guess through mix() with the key "REVERSE", and compares the result
// byte by byte. Format, Buffer, aFlag, mix and __main are symbols the decompiler
// recovered from the binary, not names defined in this listing.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str[3]; // [esp+11h] [ebp-97h] BYREF  -- first 3 expected bytes
_BYTE v5[57]; // [esp+14h] [ebp-94h] BYREF  -- immediately follows Str (0x11..0x13, then 0x14)
int v6; // [esp+4Dh] [ebp-5Bh]  -- immediately follows v5; zeroed below, so it terminates the byte run
char v7[64]; // [esp+51h] [ebp-57h] BYREF  -- user input
char v8[7]; // [esp+91h] [ebp-17h] BYREF  -- key "REVERSE", no NUL terminator
int v9; // [esp+98h] [ebp-10h]  -- number of bytes compared
int i; // [esp+9Ch] [ebp-Ch]

__main(); // compiler runtime start-up hook (presumably GCC/MinGW); unrelated to the check
v6 = 0;
// Decompiler rendering of a constant-size clear: (Str - v5) is -3, so the
// length expression evaluates to 60, i.e. all of v5 plus the first bytes of v6.
memset(v5, 0, 4 * (((Str - v5 + 64) & 0xFFFFFFFC) >> 2));
// The 25 expected bytes. They are split across Str and v5 only because of how
// the decompiler carved up the stack; the solver treats them as one array.
// None of them is 0, which matters for the strlen() below.
Str[0] = 67;
Str[1] = -33;
Str[2] = 20;
v5[0] = 3;
v5[1] = 13;
v5[2] = 44;
v5[3] = 9;
v5[4] = 1;
v5[5] = 23;
v5[6] = 23;
v5[7] = 8;
v5[8] = -4;
v5[9] = 43;
v5[10] = -6;
v5[11] = 20;
v5[12] = 23;
v5[13] = -7;
v5[14] = 37;
v5[15] = -11;
v5[16] = 34;
v5[17] = 61;
v5[18] = -50;
v5[19] = 24;
v5[20] = 22;
v5[21] = 10;
qmemcpy(v8, "REVERSE", sizeof(v8)); // 7-byte key passed to mix()
// strlen() runs past Str's 3 bytes into the adjacent v5 and stops at the first
// zero byte left by the memset, so v9 is the length of the expected sequence (25).
v9 = strlen(Str);
printf(Format); // prompt; Format is a constant string in the binary, not user-controlled
scanf("%s", v7); // read the candidate flag; no field width, so input longer than 63 bytes overruns v7
mix(v7, v8, v9); // transform the guess (presumably in place, since v7 is compared next) with key v8 over v9 bytes
for ( i = 0; i < v9; ++i )
{
if ( v7[i] != Str[i] ) // compare against the expected bytes (Str continuing into v5); first mismatch fails
{
puts(Buffer); // failure message
return 0;
}
}
puts(aFlag); // success message
return 0;
}

进入mix查看

mix

第一个for先全部减去64,因为‘A’的ASCII 码为65,这里可以理解为获取在字母表中位置

第二个for:当前值 = 当前值与下一个值的差

第三个for判断k是不是小于7,str取余

第四个for将str作为密钥循环自加

第五个for 中间对称互换

最后利用str作为判断依据

用7.5的IDA找不到str,很神奇,用7.0的可以

捕获

91-97是str密钥

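# Solver: inverts the binary's mix() by undoing each of its steps in reverse order.
# `a` holds the 25 expected bytes exactly as they sit on the stack in main()
# (Str[0..2] followed by v5[0..21]).
a = [67, -33, 20, 3, 13, 44, 9, 1, 23, 23, 8, -4, 43, -6, 20, 23, -7, 37, -11, 34, 61, -50, 24, 22, 10]
# The 7 key bytes of "REVERSE". Named `key` rather than `str` so the builtin is not shadowed.
key = [82, 69, 86, 69, 82, 83, 69]
KEY_LEN = len(key)

# mix() reduces every key byte modulo 64 before using it, so do the same first.
key = [k % 64 for k in key]

# Undo the final "+1 / +2" step: the increment was 2 where the key byte is odd, else 1.
for n in range(len(a)):
    a[n] -= 2 if key[n % KEY_LEN] & 1 else 1

# Undo the mirror swap (reversing is its own inverse).
a.reverse()

# Undo the cyclic key addition.
for l in range(len(a)):
    a[l] -= key[l % KEY_LEN]

# Undo the pairwise difference a[j] = a[j] - a[j+1]. The last element was not
# changed by that step, so walk backwards and rebuild each value from its successor.
for j in range(len(a) - 2, -1, -1):
    a[j] += a[j + 1]

# Undo the "-64" normalisation (mix() subtracted 64 from every input byte).
a = [v + 64 for v in a]

print(a)  # ASCII codes of the flag

a = [chr(v) for v in a]  # same values as characters
flag = ''.join(a)
print(flag)
'''
[73, 83, 67, 67, 123, 82, 69, 86, 69, 82, 83, 69, 95, 73, 83, 95, 78, 79,
84, 95, 72, 65, 82, 68, 125]
ISCC{REVERSE_IS_NOT_HARD}
'''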