64位
直接看main函数
输入d/D执行Decry()函数,输入q/Q退出
重点看Decry()函数
unsigned __int64 Decry()
{
char v1; // [rsp+Fh] [rbp-51h]
int v2; // [rsp+10h] [rbp-50h]
int v3; // [rsp+14h] [rbp-4Ch]
int i; // [rsp+18h] [rbp-48h]
int v5; // [rsp+1Ch] [rbp-44h]
char src[8]; // [rsp+20h] [rbp-40h]
__int64 v7; // [rsp+28h] [rbp-38h]
int v8; // [rsp+30h] [rbp-30h]
__int64 v9; // [rsp+40h] [rbp-20h]
__int64 v10; // [rsp+48h] [rbp-18h]
int v11; // [rsp+50h] [rbp-10h]
unsigned __int64 v12; // [rsp+58h] [rbp-8h]
v12 = __readfsqword(0x28u);
*(_QWORD *)src = 'SLCDN';
v7 = 0LL;
v8 = 0;
v9 = 'wodah';
v10 = '\0';
v11 = 0;
text = (char *)join(key3, &v9);
//key3='kills'
//text='killshadow'
strcpy(key, key1);
//key1='ADSFK'
strcat(key, src);
//key='ADSFKNDCLS'
v2 = 0;
v3 = 0;
getchar();
v5 = strlen(key);
//v5=10
for ( i = 0; i < v5; ++i )
{
if ( key[v3 % v5] > 64 && key[v3 % v5] <= 90 )
key[i] = key[v3 % v5] + 32;
++v3;
}
//遍历key,大写转小写
//key='adsfkndcls'
printf("Please input your flag:", src);
while ( 1 )
{
v1 = getchar();
if ( v1 == 10 )
break;
if ( v1 == 32 )
{
++v2;
}
else
{
if ( v1 <= 96 || v1 > 122 )
{
if ( v1 > 64 && v1 <= 90 )
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;
}
//除去了'[\]^_'五个字符
else
{
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;
}
if ( !(v3 % v5) )
putchar(32);
++v2;
}
}
if ( !strcmp(text, str2) )
//比较str2和text
puts("Congratulation!\n");
else
puts("Try again!\n");
return __readfsqword(0x28u) ^ v12;
}
查看v9的地址发现上大下小
数据在内存中是小端顺序,高位在高地址处,低位在低地址处
(暂定此种方式判断)
事实上正确的scr和v9是转换之后字符串的倒序,即’NDCLS’和’hadow’
text则为’killshadow’
key为’ADSFKNDCLS’
加密函数重点就这一句
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;
逆推一下
(str2[v2]-97)+n26+key[v3++ % v5]-58 = v1
用循环的n26来代替%26
v1=(ord(text[j])-97)+26*i+ord(key[v3%v5])-58
str2 = 'killshadow'
key = 'adsfkndcls'
v3=0
v5=len(key)
flag=[0,0,0,0,0,0,0,0,0,0]
for i in range(0,4):
for j in range(0,10):
v1=(ord(str2[j])-97)+26*i+ord(key[v3%v5])-58
if(v1>65 and v1<=90):
flag[j]=chr(v1)
v3=v3+1
for i in flag:
print(i,end="")
结果即是flag
