main
/*
 * Decompiler output for the challenge binary's main().
 * Reads one whitespace-delimited token, requires it to be exactly 22
 * characters long, then compares every character against the global
 * table arr using (ch ^ 0x34) + 900. "you are right!" is printed only
 * when all 22 positions match.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
char Str[44]; // [rsp+20h] [rbp-30h] BYREF
int i; // [rsp+4Ch] [rbp-4h]
// NOTE(review): presumably the toolchain's runtime-init stub; its body is not shown here, so confirm.
_main();
// NOTE(review): puts_0 / printf_0 are decompiler-assigned names, presumably thunks to puts / printf; confirm.
puts_0("please input your flag!");
// "%s" carries no field width, so a token longer than 43 characters is written past Str[44].
// Per the stack offsets above, i (rbp-4h) starts exactly where Str (rbp-30h, 44 bytes) ends.
// A bounded read would use "%43s".
scanf("%s", Str);
// The length gate runs only after the unbounded read above: it rejects wrong-length
// input but does nothing to prevent the out-of-bounds write.
if ( strlen(Str) != 22 )
{
printf_0("strlen error!");
// Failure exits with status 0, the same value main returns on success.
exit(0);
}
// Indices 0..21 cover exactly the 22 characters accepted by the length check.
for ( i = 0; i <= 21; ++i )
{
// Str[i] is promoted to int before the XOR and the addition. Both steps are
// invertible, so the expected input is fully determined by the contents of arr.
if ( arr[i] != (Str[i] ^ 0x34) + 900 )
{
printf_0("flag error!");
exit(0);
}
}
printf_0("you are right!");
return 0;
}
1、提示输入
2、校验输入长度,长度不符直接排除。
3、逐字符校验 Flag,arr[i] 必须等于 (Str[i] ^ 0x34) + 900
4、跟进arr
.data:0000000000403040 arr dd 3FEh, 2 dup(3EBh), 3FBh, 3E4h, 3F6h, 3D3h, 3D0h, 388h
.data:0000000000403040 ; DATA XREF: main+6A↑o
.data:0000000000403064 dd 3CAh, 3EFh, 389h, 3CBh, 3EFh, 3CBh, 388h, 3EFh, 3D5h
.data:0000000000403088 dd 3D9h, 3CBh, 3D1h, 3CDh, 0Ah dup(0)
已知 arr[i] 是预设值;程序对输入先异或(^ 0x34),后加 900,因此逆向时按相反顺序还原:先减 900,再异或 0x34。
脚本
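# Solver for the check in main(): every table entry was produced as
# (ch ^ 0x34) + 900, so the steps are undone in reverse order
# (subtract 900 first, then XOR with 0x34).

# The 22 non-zero dwords from the arr listing at .data:0000000000403040
# ("2 dup(3EBh)" expands to two consecutive 0x3EB entries).
arr = [
    0x3FE, 0x3EB, 0x3EB, 0x3FB, 0x3E4, 0x3F6, 0x3D3, 0x3D0, 0x388,
    0x3CA, 0x3EF, 0x389, 0x3CB, 0x3EF, 0x3CB, 0x388, 0x3EF, 0x3D5,
    0x3D9, 0x3CB, 0x3D1, 0x3CD,
]

XOR_KEY = 0x34    # constant XORed with each input character in main()
ADD_CONST = 900   # constant added after the XOR in main()

# Iterate over the table itself rather than a hard-coded range(22), so the
# loop bound cannot drift out of sync with the data.
flag = "".join(chr((value - ADD_CONST) ^ XOR_KEY) for value in arr)
print("Flag:", flag)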
flag为 NSSCTF{x0r_1s_s0_easy}
