逆向攻防世界CTF系列31-elrond32

逆向攻防世界CTF系列31-elrond32

追踪

跟进sub_8048538

这是输出

回头看sub_8048414

可以发现是个递归，模拟一下得到字符串a2(main中的是a2，这里代表a1)是isengard

取出密文，idapython代码

start_addr = 0x08048760
end_addr = 0x080487E3list = []for i in range(start_addr,end_addr,4):list.append(idaapi.get_dword(i))print(list)# [15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20]

解密代码：

enc = [15, 31, 4, 9, 28, 18, 66, 9, 12, 68, 13, 7, 9, 6, 45, 55, 89, 30, 0, 89, 15, 8, 28, 35, 54, 7, 85, 2, 12, 8, 65, 10, 20]key = 'isengard'for j in range(33):print(chr(enc[j] ^ ord(key[j % 8])),end='')

t(chr(enc[j] ^ ord(key[j % 8])),end=‘’)

flag{s0me7hing_S0me7hinG_t0lki3n}