20211011gfsj_re_lgniteMe

查壳，无壳。拉去IDA

int __cdecl main(int argc, const char **argv, const char **envp)
{int result; // eaxsize_t i; // [esp+4Ch] [ebp-8Ch]char v5[4]; // [esp+50h] [ebp-88h]char v6[28]; // [esp+58h] [ebp-80h]char v7; // [esp+74h] [ebp-64h]sub_402B30(&unk_446360, "Give me your flag:");//这个应该是类似于printf函数sub_4013F0(sub_403670);sub_401440(v6, 127);if ( strlen(v6) < 0x1E && strlen(v6) > 4 )//输入的字符串要大于4个字符小于0x1E个字符{strcpy(v5, "EIS{");for ( i = 0; i < strlen(v5); ++i ){//验证前4个字符符合“EIS{”if ( v6[i] != v5[i] ){sub_402B30(&unk_446360, "Sorry, keep trying! ");sub_4013F0(sub_403670);return 0;}}if ( v7 == 125 )//"}"的ASCII码为125{if ( (unsigned __int8)sub_4011C0(v6) )//最重要的函数sub_4011C0(v6)sub_402B30(&unk_446360, "Congratulations! ");elsesub_402B30(&unk_446360, "Sorry, keep trying! ");sub_4013F0(sub_403670);result = 0;}else{sub_402B30(&unk_446360, "Sorry, keep trying! ");sub_4013F0(sub_403670);result = 0;}}else{sub_402B30(&unk_446360, "Sorry, keep trying!");sub_4013F0(sub_403670);result = 0;}return result;
}

bool __cdecl sub_4011C0(char *a1)
{size_t v2; // eaxsigned int v3; // [esp+50h] [ebp-B0h]char v4[32]; // [esp+54h] [ebp-ACh]int v5; // [esp+74h] [ebp-8Ch]int v6; // [esp+78h] [ebp-88h]size_t i; // [esp+7Ch] [ebp-84h]char v8[128]; // [esp+80h] [ebp-80h]if ( strlen(a1) <= 4 )return 0;i = 4;v6 = 0;while ( i < strlen(a1) - 1 )v8[v6++] = a1[i++];//将EIS{xxxx}中的内容赋值到v8数组     b[i]v8[v6] = 0;v5 = 0;v3 = 0;memset(v4, 0, 0x20u);for ( i = 0; ; ++i ){v2 = strlen(v8);if ( i >= v2 )break;if ( v8[i] >= 97 && v8[i] <= 122 )//97->a,122->z{//将小写改为大写v8[i] -= 32;v3 = 1;}if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )//65->A,90->Zv8[i] += 32;//将大写改为小写v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);//byte_4420B0[i]		c[i]与sub_4013C0()函数异或v3 = 0;}return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;		//a[i]
}

.data:004420B0 ; char byte_4420B0[32]
.data:004420B0 byte_4420B0     db 0Dh                  ; DATA XREF: sub_4011C0+1A0↑r
.data:004420B1                 db  13h
.data:004420B2                 db  17h
.data:004420B3                 db  11h
.data:004420B4                 db    2
.data:004420B5                 db    1
.data:004420B6                 db  20h
.data:004420B7                 db  1Dh
.data:004420B8                 db  0Ch
.data:004420B9                 db    2
.data:004420BA                 db  19h
.data:004420BB                 db  2Fh ; /
.data:004420BC                 db  17h
.data:004420BD                 db  2Bh ; +
.data:004420BE                 db  24h ; $
.data:004420BF                 db  1Fh
.data:004420C0                 db  1Eh
.data:004420C1                 db  16h
.data:004420C2                 db    9
.data:004420C3                 db  0Fh
.data:004420C4                 db  15h
.data:004420C5                 db  27h ; '
.data:004420C6                 db  13h
.data:004420C7                 db  26h ; &
.data:004420C8                 db  0Ah
.data:004420C9                 db  2Fh ; /
.data:004420CA                 db  1Eh
.data:004420CB                 db  1Ah
.data:004420CC                 db  2Dh ; -
.data:004420CD                 db  0Ch
.data:004420CE                 db  22h ; "
.data:004420CF                 db    4

int __cdecl sub_4013C0(int a1)
{//内容与0x55异或再加上72return (a1 ^ 0x55) + 72;//b[i]=(a[i]^0x55)+72//a[i]=(b[i]-72)^0x55
}

exp

#include
#include
int main()
{char a[] = "GONDPHyGjPEKruv{{pj]X@rF";int b[25];int c[32] = { 0x0D,0x13,0x17,0x11,2,1,0x20,0x1D,0x0C,2,0x19,0x2F,0x17,0x2B,0x24,0x1F,0x1E,0x16,9,0x0F,0x15,0x27,0x13,0x26,0x0A,0x2F,0x1E,0x1A,0x2D,0x0C,0x22,4 };int i;int v3;for (i = 0; i < strlen(a); i++){v3 = 0;b[i] = c[i]^a[i];b[i] = (b[i] - 72) ^ 0x55;if (b[i] >= 97 && b[i] <= 122)//97->a,122->z{//将小写改为大写b[i] -= 32;v3 = 1;}if (!v3 && b[i] >= 65 && b[i] <= 90)//65->A,90->Zb[i] += 32;//将大写改为小写}for(i=0;i<strlen(a);i++)printf("%c",(char)b[i]);}
//wadx_tdgk_aihc_ihkn_pjlm

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！