【攻防世界】Reverse—— IgniteMe writeup

main函数：首先检查前4个字符是否“EIS{”，如果是，则会进入check函数。如果check返回true，则会显示“Congratulations”

int __cdecl main(int argc, const char **argv, const char **envp)
{int result; // eaxsize_t i; // [esp+4Ch] [ebp-8Ch]char v5[8]; // [esp+50h] [ebp-88h] BYREFchar Str[128]; // [esp+58h] [ebp-80h] BYREFprintf(&unk_446360, "Give me your flag:");notImportant(sub_403670);sub_401440(Str, 127);if ( strlen(Str) < 0x1E && strlen(Str) > 4 ){strcpy(v5, "EIS{");for ( i = 0; i < strlen(v5); ++i ){if ( Str[i] != v5[i] )goto Fail;}if ( Str[28] != 125 ){
Fail:printf(&unk_446360, "Sorry, keep trying! ");notImportant(sub_403670);return 0;}if ( (unsigned __int8)check(Str) )printf(&unk_446360, "Congratulations! ");elseprintf(&unk_446360, "Sorry, keep trying! ");notImportant(sub_403670);result = 0;}else{printf(&unk_446360, "Sorry, keep trying!");notImportant(sub_403670);result = 0;}return result;
}

该函数的主要目的是检查输入字符串是否满足某种特定格式和加密规则，并返回布尔值表示结果。

1. 使用循环遍历v8中的每个字符：
   • 若字符是小写字母（ASCII码97-122），则将其转换为大写并设置标志v3为1。
   • 若字符是大写字母（ASCII码65-90），且v3未被设置，则将其转换为小写。
   • 对当前字符执行某种基于固定字节(byte_4420B0[i])的异或运算(sub_4013C0(v8[i]))，并将结果存入Str2。
2. 循环结束后，比较经过处理后的字符串Str2与硬编码的字符串"GONDPHyGjPEKruv{{pj]X@rF"是否相等。如果相等，则返回true，否则返回false。

bool __cdecl check(char *Str)
{size_t v2; // eaxint v3; // [esp+50h] [ebp-B0h]char Str2[32]; // [esp+54h] [ebp-ACh] BYREFint v5; // [esp+74h] [ebp-8Ch]int v6; // [esp+78h] [ebp-88h]size_t i; // [esp+7Ch] [ebp-84h]char v8[128]; // [esp+80h] [ebp-80h] BYREFif ( strlen(Str) <= 4 )return 0;i = 4;v6 = 0;while ( i < strlen(Str) - 1 )v8[v6++] = Str[i++];v8[v6] = 0;v5 = 0;v3 = 0;memset(Str2, 0, sizeof(Str2));for ( i = 0; ; ++i ){v2 = strlen(v8);if ( i >= v2 )break;if ( v8[i] >= 97 && v8[i] <= 122 ){v8[i] -= 32;v3 = 1;}if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )v8[i] += 32;Str2[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);v3 = 0;}return strcmp("GONDPHyGjPEKruv{{pj]X@rF", Str2) == 0;
}int __cdecl sub_4013C0(int a1)
{return (a1 ^ 0x55) + 72;
}

用下面的代码输出flag：

byte_4420b0 = [13,  19,  23,  17,   2,   1,  32,  29,  12,   2, 25,  47,  23,  43,  36,  31,  30,  22,   9,  15, 21,  39,  19,  38,  10,  47,  30,  26,  45,  12, 34,   4
]
enc="GONDPHyGjPEKruv{{pj]X@rF"
length = len(enc)
ori = []
v3 = 0for i in range(length):tmp = ord(enc[i])^byte_4420b0[i]tmp = (tmp-72) ^ 0x55ori.append(tmp)if ori[i] >= 97 and ori[i] <= 122:ori[i] -= 32v3 = 1if v3==0 and ori[i] >= 65 and ori[i] <= 90:ori[i] += 32v3 = 0print(ori)
flag = 'EIS{' + ''.join(chr(i) for i in ori)+'}'
print(flag)