IgniteMe -高校网络信息安全运维挑战赛
1 int __cdecl main(int argc, const char **argv, const char **envp) 2 { 3 void *v3; // eax 4 int v4; // edx 5 void *v5; // eax 6 int result; // eax 7 void *v7; // eax 8 void *v8; // eax 9 void *v9; // eax 10 size_t i; // [esp+4Ch] [ebp-8Ch] 11 char s[4]; // [esp+50h] [ebp-88h] 12 char input[28]; // [esp+58h] [ebp-80h] 13 char v13; // [esp+74h] [ebp-64h] 14 15 v3 = (void *)print_402B30(&unk_446360, "Give me your flag:"); 16 sub_4013F0(v3, (int (__cdecl *)(void *))sub_403670); 17 scanf_401440((int)&dword_4463F0, v4, (int)input, 127); 18 if ( strlen(input) < 30 && strlen(input) > 4 ) 19 { 20 strcpy(s, "EIS{"); 21 for ( i = 0; i < strlen(s); ++i ) 22 { 23 if ( input[i] != s[i] ) // 输入前四位为:EIS{ 24 { 25 v7 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! "); 26 sub_4013F0(v7, (int (__cdecl *)(void *))sub_403670); 27 return 0; 28 } 29 } 30 if ( v13 == '}' ) // 输入的最后一位 31 { 32 if ( sub_4011C0(input) ) // 关键函数 33 v9 = (void *)print_402B30(&unk_446360, "Congratulations! "); 34 else 35 v9 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! "); 36 sub_4013F0(v9, (int (__cdecl *)(void *))sub_403670); 37 result = 0; 38 } 39 else 40 { 41 v8 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! "); 42 sub_4013F0(v8, (int (__cdecl *)(void *))sub_403670); 43 result = 0; 44 } 45 } 46 else 47 { 48 v5 = (void *)print_402B30(&unk_446360, "Sorry, keep trying!"); 49 sub_4013F0(v5, (int (__cdecl *)(void *))sub_403670); 50 result = 0; 51 } 52 return result; 53 }
查看关键函数
1 bool __cdecl sub_4011C0(char *a1) 2 { 3 size_t v2; // eax 4 signed int v3; // [esp+50h] [ebp-B0h] 5 char str[32]; // [esp+54h] [ebp-ACh] 6 int v5; // [esp+74h] [ebp-8Ch] 7 int j; // [esp+78h] [ebp-88h] 8 size_t i; // [esp+7Ch] [ebp-84h] 9 char s_mid[128]; // [esp+80h] [ebp-80h] 10 11 if ( strlen(a1) <= 4 ) 12 return 0; 13 i = 4; 14 j = 0; 15 while ( i < strlen(a1) - 1 ) 16 s_mid[j++] = a1[i++]; 17 s_mid[j] = 0; 18 v5 = 0; 19 v3 = 0; 20 memset(str, 0, 0x20u); 21 for ( i = 0; ; ++i ) 22 { 23 v2 = strlen(s_mid); 24 if ( i >= v2 ) 25 break; 26 if ( s_mid[i] >= 'a' && s_mid[i] <= 'z' ) 27 { 28 s_mid[i] -= 32; // 小写转大写 29 v3 = 1; 30 } 31 if ( !v3 && s_mid[i] >= 'A' && s_mid[i] <= 'Z' ) 32 s_mid[i] += 32; // 大写转小写 33 str[i] = byte_4420B0[i] ^ sub_4013C0(s_mid[i]);// 异或 34 v3 = 0; 35 } 36 return strcmp("GONDPHyGjPEKruv{{pj]X@rF", str) == 0; 37 }
wp:
1 date1=[ 0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 2 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F, 3 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 4 0x22, 0x04] 5 # s=inpt(a1 ^ 0x55) + 72 6 s='GONDPHyGjPEKruv{{pj]X@rF' 7 s=list(s) 8 t='' 9 for x in range(len(s)): 10 c=chr(((ord(s[x])^date1[x])-72)^0x55) 11 if c.islower(): 12 t+=c.upper() 13 else: 14 t+=c.lower() 15 16 print('EIS{'+t+'}')
EIS{wadx_tdgk_aihc_ihkn_pjlm}
