logmein
拖进IDA看main函数
其中s就是要求的flag
v9 = 0;
strcpy(v8, ":"AL_RT^L*.?+6/46");
v7 = 'ebmarah';
v6 = 'a';
printf("Welcome to the RC3 secure password guesser.n");
printf("To continue, you must enter the correct password.n");
printf("Enter your guess: ");
__isoc99_scanf("%32s");
v3 = strlen(s); //flag的长度
if ( v3 < strlen(v8) )
sub_4007C0();
for ( i = 0; i < strlen(s); ++i )
{
if ( i >= strlen(v8) )
sub_4007C0();
if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
sub_4007C0();
}
sub_4007F0();
查看sub_4007C0():
void __noreturn sub_4007C0()
{
printf("Incorrect password!n");
exit(0);
}
查看sub_4007F0():
void __noreturn sub_4007F0()
{
printf("You entered the correct password!nGreat job!n");
exit(0);
}
写脚本:
v8=":"AL_RT^L*.?+6/46"
v7 = 'harambe' #小端序,IDA转字符串之后手动逆序
flag=''
for i in range(len(v8)):
flag+=chr((ord(v7[(i%7)]))^ord(v8[i]))
print(flag)
运行:
RC3-2016-XORISGUD
