攻防世界—RE—新手区—logmein
exeinfo分析,64位,
main函数:
/*
 * Decompiled main() of the logmein binary (IDA pseudocode, x86-64).
 *
 * Reads a guess of at most 32 characters into s and accepts it only when
 * it has the same length as v8 and every byte s[i] equals
 * key[i % 7] ^ v8[i], where the 7 key bytes are read straight out of the
 * memory image of v7 (little-endian byte order of 0x65626D61726168:
 * 0x68 0x61 0x72 0x61 0x6D 0x62 0x65). sub_4007C0 is the failure path
 * (the writeup shows it printing "Incorrect password!"; presumably it
 * does not return). sub_4007F0 is reached only after every byte matched
 * — presumably the success handler (not shown on this page).
 */
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  size_t v3; // rsi
  int i; // [rsp+3Ch] [rbp-54h]
  char s[36]; // [rsp+40h] [rbp-50h] BYREF
  int v6; // [rsp+64h] [rbp-2Ch]
  __int64 v7; // [rsp+68h] [rbp-28h]
  char v8[28]; // [rsp+70h] [rbp-20h] BYREF
  int v9; // [rsp+8Ch] [rbp-4h]

  v9 = 0;
  strcpy(v8, ":\"AL_RT^L*.?+6/46");   // 17-byte obfuscated target string
  v7 = 0x65626D61726168LL;            // 7 key bytes, accessed below through a byte pointer
  v6 = 7;                             // key length: modulus for the key index
  printf("Welcome to the RC3 secure password guesser.\n");
  printf("To continue, you must enter the correct password.\n");
  printf("Enter your guess: ");
  __isoc99_scanf("%32s", s);          // width-bounded read: at most 32 chars + NUL into s[36]
  v3 = strlen(s);
  if ( v3 < strlen(v8) )              // guess shorter than the target -> reject
    sub_4007C0();
  for ( i = 0; i < strlen(s); ++i )
  {
    if ( i >= strlen(v8) )            // guess longer than the target -> reject
      sub_4007C0();
    // Byte-wise check: s[i] must equal key[i % 7] XOR v8[i]; the first
    // mismatch takes the failure path.
    if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
      sub_4007C0();
  }
  sub_4007F0();                       // only reached when all 17 bytes matched
}
函数sub_4007c0:
printf("Incorrect password!\n");
所以关键步骤就是循环中的第二个if:
if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
那么key就是数组s
脚本:
#注意:if语句里面的char和BYTE要定义。
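#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
 * Recover the password expected by the logmein binary.
 *
 * The binary accepts a guess only if every byte equals
 * key[i % 7] ^ v8[i], where the 7 key bytes are the little-endian bytes
 * of the 64-bit constant 0x65626D61726168 and v8 is the 17-byte
 * obfuscated string below.  XOR is its own inverse, so evaluating the
 * same expression yields the plaintext password directly.
 *
 * Fixes over the original script: `__int64` is a compiler extension
 * (the program did not build as standard C), the key bytes were read
 * from the memory image of the constant (correct only on little-endian
 * hosts), and the constant was written as an opaque decimal.
 */

enum { KEY_LEN = 7, V8_LEN = 17 };

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Same constant the decompiled main() stores in v7. */
    const uint64_t v7 = 0x65626D61726168ULL;
    const char v8[V8_LEN + 1] = ":\"AL_RT^L*.?+6/46";
    char s[V8_LEN + 1] = "";

    /* Take the key bytes by shifting rather than by reinterpreting the
     * memory of v7, so the result does not depend on host endianness.
     * Byte k of the key is bits 8k..8k+7 of the constant, which is what
     * the binary sees on little-endian x86-64. */
    unsigned char key[KEY_LEN];
    for (size_t k = 0; k < KEY_LEN; ++k) {
        key[k] = (unsigned char)((v7 >> (8 * k)) & 0xFF);
    }

    /* Undo the XOR for every byte of the obfuscated target. */
    size_t len = strlen(v8);
    for (size_t i = 0; i < len; ++i) {
        s[i] = (char)(key[i % KEY_LEN] ^ (unsigned char)v8[i]);
    }
    s[len] = '\0';

    printf("%s\n", s);
    return 0;
}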
得到:
RC3-2016-XORISGUD