直接看ida和代码
str_list = [0x78,0x49,0x72,0x43,0x6A,0x7E,0x3C,0x72,0x7C,0x32,0x74,0x57,0x73,0x76,0x33, 0x50,0x74,0x49,0x7F,0x7A,0x6E,0x64,0x6B,0x61]flag_list = []# print(len(str_list))"""正向:1.判断长度是否为24 2.对输入的每个字符串从最后一位开始往前进行+1,^0x6 3.与上边的字符串比较逆向:用上边的字符串 ^0x6 后 -1 得出正确的原始输入"""for i in range(len(str_list)): flag = (str_list[-i-1] ^ 0x6) - 1 # -i-1 调整的是每个字符的位置 (i初始为0,但倒序是从-1开始才对的) flag_list.append(chr(flag))print("".join(flag_list))# flag{xNqU4otPq3ys9wkDsN}点
放个假的flag,在靠近真实内容的地方,混淆F5查看时眼花了,因为他用了[v4]又+1,容易误认为是取下一位这样的循环,实际是+1可爆破,没爆破的必要。00A91100 |> /8A06 /mov al,byte ptr ds:[esi] ; 指向最后一个00A91102 |. |8D76 FF |lea esi,dword ptr ds:[esi-0x1] ; 往前00A91105 |. |8882 6C33A900 |mov byte ptr ds:[edx+0xA9336C],al00A9110B |. |42 |inc edx00A9110C |. |3BD1 |cmp edx,ecx00A9110E |.^7C F0 jl short 210f1e18.00A91100从最后一位开始取的汇编代码整一下两条命令的含义
00A910F6 |. 66 datasize:
00A910F7 |. 66:0f1f8400 0>nop word ptr ds:[eax+eax]