攻防世界----＞埃尔隆德32

做题笔记。

下载 查壳。

32ida 打开。

发现就一个判断。

跟进看看。

// 首次a2=0
int __cdecl sub_8048414(_BYTE *a1, int a2)
{int result; // eaxswitch ( a2 ){case 0:if ( *a1 == 105 )goto LABEL_19;result = 0;break;case 1:if ( *a1 == 101 )                         // egoto LABEL_19;result = 0;break;case 3:if ( *a1 == 110 )                         // ngoto LABEL_19;result = 0;break;case 4:if ( *a1 == 100 )                         // dgoto LABEL_19;result = 0;break;case 5:if ( *a1 == 97 )                          // agoto LABEL_19;result = 0;break;case 6:if ( *a1 == 103 )                         // ggoto LABEL_19;result = 0;break;case 7:if ( *a1 == 115 )                         // sgoto LABEL_19;result = 0;break;case 9:if ( *a1 == 114 )                         // r
LABEL_19:result = sub_8048414(a1 + 1, 7 * (a2 + 1) % 11);elseresult = 0;break;default:result = 1;break;}return result;
}

因为首次值a2=0，已知，所以我们可以手动计算也可以用代码去获取a1打印的值。

这是大佬的代码：

#include <stdio.h>
#include <string.h>int main()
{int a1[20] = { 105,101,0,110,100,97,103,115,0,114,0,0 };int a2[20];int k = 0;for (int i = 0;; i = 7 * (i + 1) % 11, k++){a2[k] = a1[i];printf("*%d\n", i);if (i == 2 || i == 8 || i>9)break;}//a2={105,115,101,110,103,97,114,100,0}return 0;
}

这里我选择动态查看其值。

最终脚本：

#include <stdio.h>
#include <string.h>int main()
{int a[] = { 0x0f,0x1f,0x04,0x09,0x1c,0x12,0x42,0x09,0x0c,0x44,0x0d,0x07,0x09,0x06,0x2d,0x37,0x59,0x1e,0x00,0x59,0x0f,0x08,0x1c,0x23,0x36,0x07,0x55,0x02,0x0c,0x08,0x41,0x0a,0x14 };int b[8] = { 105,115,101,110,103,97,114,100}; //难点。int len_a = sizeof(a) / sizeof(a[0]);char flag[50] = " ";for (int i = 0; i < len_a; i++){flag[i] = a[i] ^ b[i % 8];printf("%c", flag[i]);}return 0;
}

flag{s0me7hing_S0me7hinG_t0lki3n}