GFSJ0487-【game】
签到 xor
main函数
/*
 * Decompiler (Hex-Rays style) pseudo-code for the game's main loop.
 *
 * Prints a banner and the rules, then repeatedly reads a lamp number n,
 * updates the eight state bytes starting at byte_532E28, redraws, and
 * calls sub_457AB4() once all eight bytes equal 1.
 *
 * Nothing in this function builds or decodes the flag; it only drives the
 * lamp state.
 *
 * NOTE(review): sub_45A7BE is always handed a format-style string, so it
 * looks like a printf wrapper, and sub_4596D4("%d", ...) looks like a scanf
 * wrapper. Confirm against the binary.
 */
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
// v4..v23 all map to the same stack slot ([esp+0h]) and are never assigned.
// They are most likely a decompiler artifact of the variadic calls below,
// not real program data.
char v4; // [esp+0h] [ebp-FCh]
char v5; // [esp+0h] [ebp-FCh]
char v6; // [esp+0h] [ebp-FCh]
char v7; // [esp+0h] [ebp-FCh]
char v8; // [esp+0h] [ebp-FCh]
char v9; // [esp+0h] [ebp-FCh]
char v10; // [esp+0h] [ebp-FCh]
char v11; // [esp+0h] [ebp-FCh]
char v12; // [esp+0h] [ebp-FCh]
char v13; // [esp+0h] [ebp-FCh]
char v14; // [esp+0h] [ebp-FCh]
char v15; // [esp+0h] [ebp-FCh]
char v16; // [esp+0h] [ebp-FCh]
char v17; // [esp+0h] [ebp-FCh]
char v18; // [esp+0h] [ebp-FCh]
char v19; // [esp+0h] [ebp-FCh]
char v20; // [esp+0h] [ebp-FCh]
char v21; // [esp+0h] [ebp-FCh]
char v22; // [esp+0h] [ebp-FCh]
char v23; // [esp+0h] [ebp-FCh]
int i; // [esp+DCh] [ebp-20h]
// v25 holds the lamp number typed by the player.
unsigned int v25; // [esp+F4h] [ebp-8h] BYREF
// Banner: the unk_50Bxxx / unk_50AFD0 operands are data the decompiler did
// not type as strings. Presumably they are the banner's art lines.
sub_45A7BE((int)&unk_50B110, v4);
sub_45A7BE((int)&unk_50B158, v5);
sub_45A7BE((int)&unk_50B1A0, v6);
sub_45A7BE((int)&unk_50B1E8, v7);
sub_45A7BE((int)&unk_50B230, v8);
sub_45A7BE((int)&unk_50B278, v9);
sub_45A7BE((int)&unk_50B2C0, v10);
sub_45A7BE((int)&unk_50B308, v11);
sub_45A7BE((int)&unk_50AFD0, v12);
sub_45A7BE((int)"| by 0x61 |\n", v13);
sub_45A7BE((int)"| |\n", v14);
sub_45A7BE((int)"|------------------------------------------------------|\n", v15);
// Rules of the lamp game, printed once before the input loop.
sub_45A7BE(
(int)"Play a game\n"
"The n is the serial number of the lamp,and m is the state of the lamp\n"
"If m of the Nth lamp is 1,it's on ,if not it's off\n"
"At first all the lights were closed\n",
v16);
sub_45A7BE((int)"Now you can input n to change its state\n", v17);
sub_45A7BE(
(int)"But you should pay attention to one thing,if you change the state of the Nth lamp,the state of (N-1)th and (N+1"
")th will be changed too\n",
v18);
sub_45A7BE((int)"When all lamps are on,flag will appear\n", v19);
sub_45A7BE((int)"Now,input n \n", v20);
// Outer loop never exits: after a win the game keeps running.
while ( 1 )
{
// do/while: keep taking moves until every lamp byte reads 1.
do
{
// Inner loop: re-prompt until the value read satisfies v25 <= 8.
while ( 1 )
{
sub_45A7BE((int)"input n,n(1-8)\n", v21);
// sub_459418: purpose not visible in this listing.
sub_459418();
sub_45A7BE((int)"n=", v22);
// NOTE(review): the call's result is ignored. If this is scanf and nothing
// parses, v25 keeps whatever it held before. Because v25 is unsigned, a
// negative entry would fail the <= 8 test below.
sub_4596D4("%d", &v25);
sub_45A7BE((int)"\n", v23);
if ( v25 <= 8 )
break;
sub_45A7BE((int)"sorry,n error,try again\n", v21);
}
if ( v25 )
{
// Non-zero input: hand the zero-based lamp index to sub_4576D6, which
// presumably applies the toggle described in the rules. Its body is not
// shown here.
sub_4576D6(v25 - 1);
}
else
{
// Input 0 is accepted by the range check and resets all eight lamps to off.
for ( i = 0; i < 8; ++i )
{
// Looks like a compiler-inserted array range check. It cannot fire for i in 0..7.
if ( (unsigned int)i >= 9 )
j____report_rangecheckfailure();
byte_532E28[i] = 0;
}
}
// Clear the console, then call sub_458054 (presumably redraws the board).
j__system("CLS");
sub_458054();
}
// byte_532E28[0], byte_532E29 and unk_532E2A..unk_532E2F are the eight
// consecutive addresses 0x532E28..0x532E2F, i.e. the same lamp array that
// the reset loop above indexes.
while ( byte_532E28[0] != 1
|| byte_532E29 != 1
|| unk_532E2A != 1
|| unk_532E2B != 1
|| unk_532E2C != 1
|| unk_532E2D != 1
|| unk_532E2E != 1
|| unk_532E2F != 1 );
// All lamps on: sub_457AB4 is the win handler. NOTE(review): presumably it
// reaches the flag-printing routine. The link is not visible here.
sub_457AB4();
}
}
可以看出 main 里只有游戏框架,没有任何和 flag 相关的逻辑,所以我们通过搜索字符串来定位 flag。
定位到如下函数:
/*
 * Decompiler pseudo-code for the routine that prints the flag.
 *
 * Fills a 56-byte key table (v6) and a 56-byte encoded buffer (v2..v5) from
 * constants, then decodes in place: out[i] = enc[i] ^ v6[i] ^ 0x13.
 *
 * The function takes no parameters and reads no globals. Every input to the
 * decode is a constant embedded in the binary, so the result does not depend
 * on the game state and can be recovered by static analysis alone.
 */
int sub_45E940()
{
int i; // [esp+D0h] [ebp-94h]
// v2, v3, v4 and v5 are adjacent on the stack (ebp-88h, -85h, -72h, -52h
// with sizes 3, 19, 32). The decompiler appears to have split one
// contiguous encoded buffer into four locals.
_BYTE v2[3]; // [esp+DCh] [ebp-88h] BYREF
_BYTE v3[19]; // [esp+DFh] [ebp-85h] BYREF
_BYTE v4[32]; // [esp+F2h] [ebp-72h] BYREF
char v5[14]; // [esp+112h] [ebp-52h] BYREF
// v6 is the per-byte XOR key table. Only indices 0..56 are written.
_BYTE v6[64]; // [esp+120h] [ebp-44h]
sub_45A7BE("done!!! the flag is ");
v6[0] = 18;
v6[1] = 64;
v6[2] = 98;
v6[3] = 5;
v6[4] = 2;
v6[5] = 4;
v6[6] = 6;
v6[7] = 3;
v6[8] = 6;
v6[9] = 48;
v6[10] = 49;
v6[11] = 65;
v6[12] = 32;
v6[13] = 12;
v6[14] = 48;
v6[15] = 65;
v6[16] = 31;
v6[17] = 78;
v6[18] = 62;
v6[19] = 32;
v6[20] = 49;
v6[21] = 32;
v6[22] = 1;
v6[23] = 57;
v6[24] = 96;
v6[25] = 3;
v6[26] = 21;
v6[27] = 9;
v6[28] = 4;
v6[29] = 62;
v6[30] = 3;
v6[31] = 5;
v6[32] = 4;
v6[33] = 1;
v6[34] = 2;
v6[35] = 3;
v6[36] = 44;
v6[37] = 65;
v6[38] = 78;
v6[39] = 32;
v6[40] = 16;
v6[41] = 97;
v6[42] = 54;
v6[43] = 16;
v6[44] = 44;
v6[45] = 52;
v6[46] = 32;
v6[47] = 64;
v6[48] = 89;
v6[49] = 45;
v6[50] = 32;
v6[51] = 65;
v6[52] = 15;
v6[53] = 34;
v6[54] = 18;
v6[55] = 16;
// v6[56] is written, but the decode loop stops at index 55 and never reads it.
v6[56] = 0;
// Encoded bytes 0..2.
qmemcpy(v2, "{ ", 2);
v2[2] = 18;
// Encoded bytes 3..21.
qmemcpy(v3, "bwlA)|P}&|oJ1Sl^lT", 18);
v3[18] = 6;
// Encoded bytes 22..53.
qmemcpy(v4, "`S,yhn _uec{", 12);
v4[12] = 127;
v4[13] = 119;
v4[14] = 96;
v4[15] = 48;
v4[16] = 107;
v4[17] = 71;
v4[18] = 92;
v4[19] = 29;
v4[20] = 81;
v4[21] = 107;
v4[22] = 90;
v4[23] = 85;
v4[24] = 64;
v4[25] = 12;
v4[26] = 43;
v4[27] = 76;
v4[28] = 86;
v4[29] = 13;
v4[30] = 114;
v4[31] = 1;
// Encoded bytes 54..55. strcpy also stores the terminating NUL at offset 56,
// which the loop leaves untouched, so the decoded text stays NUL-terminated.
strcpy(v5, "u~");
// In-place decode. Indexing v2[i] up to 55 deliberately runs on through
// v3, v4 and the start of v5; it relies on the stack layout noted above.
for ( i = 0; i < 56; ++i )
{
v2[i] ^= v6[i];
v2[i] ^= 0x13u;
}
// NOTE(review): the "%s" argument is missing from the decompiler output.
// Presumably the decoded buffer starting at v2 is what gets printed.
return sub_45A7BE("%s\n");
}
可以看到逻辑只有数据拼接和一个简单的 xor:v2、v3、v4、v5 在栈上相邻,拼接成 56 字节的密文,然后逐字节与 v6[i] 以及常量 0x13 异或。
exp
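def xor_decode(data, key, mask=0x13):
    """Decode ``data`` byte by byte as ``data[i] ^ key[i] ^ mask``.

    Mirrors the loop in sub_45E940, which XORs each encoded byte with the
    matching v6 entry and then with the constant 0x13.

    Args:
        data: encoded bytes transcribed from the decompiler output.
        key: per-byte key values (the v6 table), same length as ``data``.
        mask: constant XORed into every byte; 0x13 in this binary.

    Returns:
        The decoded bytes.

    Raises:
        ValueError: if ``data`` and ``key`` differ in length. ``zip`` would
            otherwise stop at the shorter one and silently return a
            truncated result, hiding a transcription mistake.
    """
    if len(data) != len(key):
        raise ValueError(
            "length mismatch: %d encoded bytes vs %d key bytes"
            % (len(data), len(key))
        )
    return bytes(c ^ k ^ mask for c, k in zip(data, key))


# v6[0..55] from sub_45E940 (v6[56] = 0 is never read by the decode loop).
key = [
    18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12,
    48, 65, 31, 78, 62, 32, 49, 32, 1, 57, 96, 3, 21, 9,
    4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32, 16, 97, 54,
    16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16
]

# v2 + v3 + v4 + v5 are adjacent on the stack and form one 56-byte buffer.
encrypted = (
    b"{ " + bytes([18]) +                  # v2[0..2]
    b"bwlA)|P}&|oJ1Sl^lT" + bytes([6]) +   # v3[0..18]
    b"`S,yhn _uec{" +                      # v4[0..11]
    bytes([
        127, 119, 96, 48, 107, 71, 92, 29, 81, 107,
        90, 85, 64, 12, 43, 76, 86, 13, 114, 1
    ]) +                                   # v4[12..31]
    b"u~"                                  # v5[0..1]
)

flag = xor_decode(encrypted, key)
print(flag.decode())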
flag
zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
一把梭