HWS2021 RE_decription

直接暴力的簽到題。

解題步驟：

先F5找主函數

 

 

 

​x

 

 

 

 

int __cdecl main(int argc, const char **argv, const char **envp)

{

  int v4; // [esp+18h] [ebp-CCh]

  int v5; // [esp+1Ch] [ebp-C8h]

  int v6; // [esp+7Ch] [ebp-68h]

  int v7; // [esp+80h] [ebp-64h]

​

  __main();

  v6 = 0;

  memset(&v7, 0, 0x60u);

  printf("Please input your flag:");

  scanf("%s", &v6);

  if ( strlen((const char *)&v6) != 32 )//flag 長度爲32

  {

    puts("Wrong!");

    system("pause");

    exit(0);

  }

  v4 = 0;

  memset(&v5, 0, 0x60u);

  encrypt((unsigned __int8 *)&v4, (char *)&v6);//顯然這裏應該是一個解密運算，將v6的數據轉移到v4上

  if ( !memcmp(&v4, &buf, 0x20u) )//cmp

  {

    puts("Orz!666!");

    printf("Here is your flag: flag{%s}\n", &v6);

  }

  else

  {

    puts("Sorry, try again~");

  }

  system("pause");

  return 0;

}

 

 

再看看解密函數encrypt()裏面：

 

 

 

xxxxxxxxxx

 

 

 

 

unsigned __int8 *__cdecl encrypt(unsigned __int8 *a1, char *a2)

{

  char a; // ST09_1

  char v3; // ST08_1

  char c; // ST08_1

  unsigned __int8 *result; // eax

  char t; // [esp+Ah] [ebp-6h]

  char b; // [esp+Bh] [ebp-5h]

  signed int i; // [esp+Ch] [ebp-4h]

​

  for ( i = 0; i <= 31; ++i )

  {

    a = i ^ a2[i];//無用

    v3 = i & a2[i];                             // 無用語句

    b = a2[i];

    t = i;

    do

    {

      c = 2 * (t & b);

      b ^= t;

      t = c;

    }

    while ( c );

    result = &a1[i];

    a1[i] = b ^ 0x23;c

  }

  return result;

}

 

 

這裏我們選擇枚舉每一位把flag試出來，枚舉的範圍應該試可見字符，即32~127。

解題腳本：

python:

 

 

 

xxxxxxxxxx

 

 

 

 

# HWS_RE_decryption

s1 = ""

s2 = [18, 69, 16, 71, 25, 73, 73, 73, 26, 79, 28, 30, 82, 102, 29, 82, 102, 103, 104, 103, 101, 111, 95, 89, 88, 94,

      109, 112, 161, 110, 112, 163]

for i in range(32):

    for j in range(32, 127):

        b = j

        t = i

        while(True):

            c = 2 * (t & b)

            b ^= t

            t = c

            if(c == 0):

                break

        if (b ^ 0x23 == s2[i]):

            s1 += chr(j)

            break

print(s1)

​

 

 

c++:

 

 

 

xxxxxxxxxx

 

 

 

 

#include<cstdio>

#include<iostream>

#include<cmath>

#include<algorithm>

using namespace std;

char a[32];//33-126可見字符 

char s2[32] = {18, 69, 16, 71, 25,73,73,73, 26, 79, 28, 30, 82,102, 29, 82,102,103,104,103,101,111, 95, 89, 88, 94,109,112,161,110,112,163};

bool check(int i)

{

unsigned int c,b,t;

for(unsigned int j = 33;j<=126;j++){

b = j;

t = i;

do{

c = 2 *(t & b);

b ^= t;

t = c;

}while(c); 

char chr = b ^ 0x23;

if(chr == s2[i]){

a[i] = j;

break;

}

}

}

int main()

{

for(int i = 0;i <= 31;i++)

check(i);

for(int i = 0;i < 32;i++){

printf("%c",a[i]);

}

return 0;

}