逆向攻防世界CTF系列31-elrond32

image-20241114212154728

追踪

image-20241114212231126

跟进sub_8048538

image-20241114212311867

这是输出

回头看sub_8048414

image-20241114212345162

可以发现是个递归,模拟一下得到字符串a2(main中的是a2,这里代表a1)是isengard

取出密文,idapython代码

start_addr = 0x08048760
end_addr = 0x080487E3

list = []

for i in range(start_addr,end_addr,4):
    list.append(idaapi.get_dword(i))

print(list)

# [15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20]

解密代码:

enc = [15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20]

key = 'isengard'

for j in range(33):
    print(chr(enc[j] ^ ord(key[j % 8])),end='')

flag{s0me7hing_S0me7hinG_t0lki3n}