NSSCTF_RE_[NSSRound#3 Team]jump_by_jump_revenge

32位exe程序

主函数没什么,但是能找到字符串:

这里爆红了,由上一题得知,这又是花指令:

依然是在空行那里nop

然后在主函数的开头按P解析函数再按F5就可以得到反汇编:

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int i; // [esp+D0h] [ebp-40h]
char Str1[36]; // [esp+E8h] [ebp-28h] BYREF

sub_411037("%s", (char)Str1);
for ( i = 0; i < 29; ++i )
Str1[i] = (Str1[i] + Str1[(i * i + 123) % 21]) % 96 + 32;
if ( !j_strcmp(Str1, "~4G~M:=WV7iX,zlViGmu4?hJ0H-Q*") )
puts("right!");
else
puts("nope!");
return 0;
}

s=['~','4','G','~','M',':','=','W','V','7','i','X',',','z','l','V','i','G','m','u','4','?','h','J','0','H','-','Q','*']
flag=''
for i in range(28,-1,-1):
    k=(i*i+123)%21
    
    for j in range(3):
        s1=ord(s[i])-0x20+j*0x60-ord(s[k])
        if s1>=33 and s1<=126:
            s[i]=chr(s1)
            break
print(s)

NSSCTF{Jump_b9_jump!_r3V3n9e}

posted @ 2022-05-28 11:57 Luccky 阅读(727) 评论(0) 编辑收藏举报

刷新页面返回顶部

Luccky

NSSCTF_RE_[NSSRound#3 Team]jump_by_jump_revenge

公告