攻防世界--logmein

测试文件：https://adworld.xctf.org.cn/media/task/attachments/a00849bb514c413f8a6526f6bb56c628

1.准备

得到信息

1. 64位文件
2. obj文件

2.IDA打开

将main函数转换为C语言代码

 void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
 {
   size_t v3; // rsi
   int i; // [rsp+3Ch] [rbp-54h]
   char s[]; // [rsp+40h] [rbp-50h]
   int v6; // [rsp+64h] [rbp-2Ch]
   __int64 v7; // [rsp+68h] [rbp-28h]
   char v8[]; // [rsp+70h] [rbp-20h]
   int v9; // [rsp+8Ch] [rbp-4h]

   v9 = ;
   strcpy(v8, ":\"AL_RT^L*.?+6/46");
   v7 = 28537194573619560LL;
   v6 = ;
   printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
   printf("To continue, you must enter the correct password.\n");
   printf("Enter your guess: ");
   __isoc99_scanf("%32s", s);
   v3 = strlen(s);
   if ( v3 < strlen(v8) )
     sub_4007C0(v8);
   for ( i = ; i < strlen(s); ++i )
   {
     if ( i >= strlen(v8) )
       ((void (*)(void))sub_4007C0)();
     if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
       ((void (*)(void))sub_4007C0)();
   }
   sub_4007F0();
 }

2.1 分析代码

进入sub_4007C0)()

void __noreturn sub_4007C0()
{
  printf("Incorrect password!\n");
  exit();
}

进入sub_4007F0();

void __noreturn sub_4007F0()
{
  printf("You entered the correct password!\nGreat job!\n");
  exit();
}

通过第26行代码，我们了解到flag的获取

for(i =; i < strlen(v8); ++i){
    s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i];
}

2.2 算法代码

通过分析，实现算法的代码

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BYTE unsigned char

int main(int argc, char* argv[]) {
    unsigned int i;
    char v8[] = ":\"AL_RT^L*.?+6/46";
    __int64 v7 = ;
    int v6 = ;

    char s[] = "";
    for (i = ; i < strlen(v8); ++i) {
        s[i] = (char)(*((BYTE*)&v7 + i % v6)^v8[i]);
    }

    printf("%s\n", s);

    system("PAUSE");
    return ;
}

3. get flag！