
xor

0x01


Exeinfo PE Check

64位 未加壳

0x02


IDA

分析主函数 main()

/*
 * Flag checker as shown by the IDA decompiler (pseudo-code, not compilable as is).
 *
 * Reads one line into __b, requires it to be exactly 33 characters long,
 * XOR-chains the buffer in place and compares the result with the string
 * that `global` points to. Prints "Success" on a match and "Failed" otherwise.
 * Always returns 0.
 *
 * Because the loop runs front to back and modifies __b in place, __b[i - 1]
 * has already been transformed when it is used (for i >= 2), so the stored
 * form is enc[0] = plain[0], enc[i] = plain[i] ^ enc[i - 1].
 * The expected value is embedded in the binary and the transform has no key,
 * so this check offers no confidentiality for the flag.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+2Ch] [rbp-124h]
  char __b[264]; // [rsp+40h] [rbp-110h] BYREF

  memset(__b, 0, 0x100uLL); // clears the first 0x100 (256) bytes of the 264-byte buffer
  printf("Input your flag:\n");
  get_line(__b, 256LL); // get_line's body is not shown; presumably reads at most 256 bytes - confirm
  if ( strlen(__b) != 33 ) /* the flag must be exactly 33 characters long */
    goto LABEL_7; // wrong length: jump straight to the "Failed" branch below
  for ( i = 1; i < 33; ++i ) /* walk __b and XOR each byte with the one before it */
    __b[i] ^= __b[i - 1];
  if ( !strncmp(__b, global, 0x21uLL) ) /* global is the already-transformed flag; 0x21 = 33 bytes compared */
    printf("Success");
  else
LABEL_7:
    printf("Failed");
  return 0;
}

追踪 global

; _global is a pointer-sized (dq) item in __data that holds the address of the
; string aFKWOXZUPFVMDGH. The xref shows it is read from _main+10D.
; The quoted text at the end is IDA's preview of the string it points to.
__data:0000000100001050 _global         dq offset aFKWOXZUPFVMDGH
__data:0000000100001050 ; DATA XREF: _main+10D↑r
__data:0000000100001050 __data ends ; "f\nk\fw&O.@\x11x\rZ;U\x11p\x19F\x1Fv\"M"...
; The string referenced by _global: 33 data bytes followed by a 0 terminator.
; Printable bytes are shown as characters, the rest as hex values (0Ah, 0Ch, 11h, ...).
__cstring:0000000100000F6E aFKWOXZUPFVMDGH db 'f',0Ah              ; DATA XREF: __data:_global↓o
__cstring:0000000100000F6E db 'k',0Ch,'w&O.@',11h,'x',0Dh,'Z;U',11h,'p',19h,'F',1Fh,'v"M#D',0Eh,'g'
__cstring:0000000100000F6E db 6,'h',0Fh,'G2O',0

按下 Shift + E 导出为 C unsigned char array(hex)

/*
 * Byte export of the string behind `global`: 33 XOR-chained flag bytes
 * followed by the closing NUL. Offsets are given per row for reference.
 */
unsigned char aFKWOXZUPFVMDGH[] =
{
  /* 0x00 */ 0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E,
  /* 0x08 */ 0x40, 0x11, 0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11,
  /* 0x10 */ 0x70, 0x19, 0x46, 0x1F, 0x76, 0x22, 0x4D, 0x23,
  /* 0x18 */ 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F, 0x47, 0x32,
  /* 0x20 */ 0x4F,
  /* 0x21 */ 0x00
};

0x03


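编写 xor EXP:main() 从前向后执行 __b[i] ^= __b[i - 1],即 enc[i] = plain[i] ^ enc[i-1];还原时从后向前再做一次同样的异或即可(此时 enc[i-1] 仍是密文)。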

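# Bytes exported from the string behind `global`: 33 XOR-chained flag bytes
# followed by the NUL terminator (the terminator is not part of the flag).
enc = [
    0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11,
    0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F,
    0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F,
    0x47, 0x32, 0x4F, 0x00
]

# main() checks strlen(input) == 33, so only the first 33 bytes carry data.
FLAG_LEN = 33

# main() computes enc[i] = plain[i] ^ enc[i - 1] in place, front to back.
# Undo it back to front so that enc[i - 1] is still the encoded byte when it
# is used; index 0 was never changed and index 33 (the NUL) is left alone.
for i in range(FLAG_LEN - 1, 0, -1):
    enc[i] ^= enc[i - 1]

# The original accumulated into an undefined name (str1), which raised
# NameError before anything was printed; build the result in `flag` instead.
flag = ''.join(chr(b) for b in enc[:FLAG_LEN])

print(flag)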

flag为 flag{QianQiuWanDai_YiTongJiangHu}

