IgniteMe -高校网络信息安全运维挑战赛

 1 int __cdecl main(int argc, const char **argv, const char **envp)
 2 {
 3   void *v3; // eax
 4   int v4; // edx
 5   void *v5; // eax
 6   int result; // eax
 7   void *v7; // eax
 8   void *v8; // eax
 9   void *v9; // eax
10   size_t i; // [esp+4Ch] [ebp-8Ch]
11   char s[4]; // [esp+50h] [ebp-88h]
12   char input[28]; // [esp+58h] [ebp-80h]
13   char v13; // [esp+74h] [ebp-64h]
14 
15   v3 = (void *)print_402B30(&unk_446360, "Give me your flag:");
16   sub_4013F0(v3, (int (__cdecl *)(void *))sub_403670);
17   scanf_401440((int)&dword_4463F0, v4, (int)input, 127);
18   if ( strlen(input) < 30 && strlen(input) > 4 )
19   {
20     strcpy(s, "EIS{");
21     for ( i = 0; i < strlen(s); ++i )
22     {
23       if ( input[i] != s[i] )                   // 输入前四位为：EIS{
24       {
25         v7 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! ");
26         sub_4013F0(v7, (int (__cdecl *)(void *))sub_403670);
27         return 0;
28       }
29     }
30     if ( v13 == '}' )                           // 输入的最后一位
31     {
32       if ( sub_4011C0(input) )                  // 关键函数
33         v9 = (void *)print_402B30(&unk_446360, "Congratulations! ");
34       else
35         v9 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! ");
36       sub_4013F0(v9, (int (__cdecl *)(void *))sub_403670);
37       result = 0;
38     }
39     else
40     {
41       v8 = (void *)print_402B30(&unk_446360, "Sorry, keep trying! ");
42       sub_4013F0(v8, (int (__cdecl *)(void *))sub_403670);
43       result = 0;
44     }
45   }
46   else
47   {
48     v5 = (void *)print_402B30(&unk_446360, "Sorry, keep trying!");
49     sub_4013F0(v5, (int (__cdecl *)(void *))sub_403670);
50     result = 0;
51   }
52   return result;
53 }

查看关键函数

 1 bool __cdecl sub_4011C0(char *a1)
 2 {
 3   size_t v2; // eax
 4   signed int v3; // [esp+50h] [ebp-B0h]
 5   char str[32]; // [esp+54h] [ebp-ACh]
 6   int v5; // [esp+74h] [ebp-8Ch]
 7   int j; // [esp+78h] [ebp-88h]
 8   size_t i; // [esp+7Ch] [ebp-84h]
 9   char s_mid[128]; // [esp+80h] [ebp-80h]
10 
11   if ( strlen(a1) <= 4 )
12     return 0;
13   i = 4;
14   j = 0;
15   while ( i < strlen(a1) - 1 )
16     s_mid[j++] = a1[i++];
17   s_mid[j] = 0;
18   v5 = 0;
19   v3 = 0;
20   memset(str, 0, 0x20u);
21   for ( i = 0; ; ++i )
22   {
23     v2 = strlen(s_mid);
24     if ( i >= v2 )
25       break;
26     if ( s_mid[i] >= 'a' && s_mid[i] <= 'z' )
27     {
28       s_mid[i] -= 32;                           // 小写转大写
29       v3 = 1;
30     }
31     if ( !v3 && s_mid[i] >= 'A' && s_mid[i] <= 'Z' )
32       s_mid[i] += 32;                           // 大写转小写
33     str[i] = byte_4420B0[i] ^ sub_4013C0(s_mid[i]);// 异或
34     v3 = 0;
35   }
36   return strcmp("GONDPHyGjPEKruv{{pj]X@rF", str) == 0;
37 }

wp:

 1 date1=[ 0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02,
 2   0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F,
 3   0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C,
 4   0x22, 0x04]
 5 # s=inpt(a1 ^ 0x55) + 72
 6 s='GONDPHyGjPEKruv{{pj]X@rF'
 7 s=list(s)
 8 t=''
 9 for x in range(len(s)):
10     c=chr(((ord(s[x])^date1[x])-72)^0x55)
11     if c.islower():
12         t+=c.upper()
13     else:
14         t+=c.lower()
15 
16 print('EIS{'+t+'}')

EIS{wadx_tdgk_aihc_ihkn_pjlm}