查看操作文件。 一个小游戏,必须让几盏灯亮起来。 拖入IDA查看返汇编码。
int __cdecl main_0(int argc, const char **argv, const char **envp) {
char v4; // [esp 0h] [ebp-FCh] char v5; // [esp 0h] [ebp-FCh] char v6; // [esp 0h] [ebp-FCh] char v7; // [esp 0h] [ebp-FCh] char v8; // [esp 0h] [ebp-FCh] char v9; // [esp 0h] [ebp-FCh] char v10; // [esp 0h] [ebp-FCh] char v11; // [esp 0h] [ebp-FCh] char v12; // [esp 0h] [ebp-FCh] char v13; // [esp 0h] [ebp-FCh] char v14; // [esp 0h] [ebp-FCh] char v15; // [esp 0h] [ebp-FCh] char v16; // [esp 0h] [ebp-FCh] char v17; // [esp 0h] [ebp-FCh] char v18; // [esp 0h] [ebp-FCh] char v19; // [esp 0h] [ebp-FCh] char v20; // [esp 0h] [ebp-FCh] char v21; // [esp 0h] [ebp-FCh] char v22; // [esp 0h] [ebp-FCh] char v23; // [esp 0h] [ebp-FCh] int i; // [esp DCh] [ebp-20h] int v25; // [esp F4h] [ebp-8h] BYREF printf((int)&unk_50B110, v4); printf((int)&/span>unk_50B158, v5); printf((int)&unk_50B1A0, v6); printf((int)&unk_50B1E8, v7); printf((int)&unk_50B230, v8); printf((int)&unk_50B278, v9); printf((int)&unk_50B2C0, v10); printf((int)&unk_50B308, v11); printf((int)&unk_50AFD0, v12); printf((int)"| by 0x61 |\n", v13); printf((int)"| |\n", v14); printf((int)"|------------------------------------------------------|\n", v15); printf( (int)"Play a game\n" "The n is the serial number of the lamp,and m is the state of the lamp\n" "If m of the Nth lamp is 1,it's on ,if not it's off\n" "At first all the lights were closed\n", v16); printf((int)"Now you can input n to change its state\n", v17); printf( (int)"But you should pay attention to one thing,if you change the state of the Nth lamp,the state of (N-1)th and (N+1" ")th will be changed too\n", v18); printf((int)"When all lamps are on,flag will appear\n", v19); printf((int)"Now,input n \n", v20); while ( 1 ) {
while ( 1 ) {
printf((int)"input n,n(1-8)\n", v21); sub_459418(); printf((int)"n=", v22); sub_4596D4("%d", &v25); printf((int)"\n", v23); if ( v25 >= 0 && v25 <= 8 ) break; printf((int)"sorry,n error,try again\n", v21); } if ( v25 ) {
sub_4576D6(v25 - 1); } else {
for ( i = 0; i < 8; ++i ) {
if ( (unsigned int)i >= 9 ) j____report_rangecheckfailure(); byte_532E28[i] = 0; } } j__system("CLS"); sub_458054(); if ( byte_532E28[0] == 1 && byte_532E28[1] == 1 && byte_532E28[2] == 1 && byte_532E28[3] == 1 && byte_532E28[4] == 1 && byte_532E28[5] == 1 && byte_532E28[6] == 1 && byte_532E28[7] == 1 ) {
sub_457AB4(); } } } 不难看出sub_457AB4()就是含有flag的函数,进入。 此函数的结果即为Flag,修改程序:
#include <stdio.h>
#include <string.h>
int main()
{
int i; // [esp+D0h] [ebp-94h]
char v3[57]; // [esp+DCh] [ebp-88h] BYREF
char v4[57]; // [esp+120h] [ebp-44h]
printf((int)"done!!! the flag is ");
v4[0] = 18;
v4[1] = 64;
v4[2] = 98;
v4[3] = 5;
v4[4] = 2;
v4[5] = 4;
v4[6] = 6;
v4[7] = 3;
v4[8] = 6;
v4[9] = 48;
v4[10] = 49;
v4[11] = 65;
v4[12] = 32;
v4[13] = 12;
v4[14] = 48;
v4[15] = 65;
v4[16] = 31;
v4[17] = 78;
v4[18] = 62;
v4[19] = 32;
v4[20] = 49;
v4[21] = 32;
v4[22] = 1;
v4[23] = 57;
v4[24] = 96;
v4[25] = 3;
v4[26] = 21;
v4[27] = 9;
v4[28] = 4;
v4[29] = 62;
v4[30] = 3;
v4[31] = 5;
v4[32] = 4;
v4[33] = 1;
v4[34] = 2;
v4[35] = 3;
v4[36] = 44;
v4[37] = 65;
v4[38] = 78;
v4[39] = 32;
v4[40] = 16;
v4[41] = 97;
v4[42] = 54;
v4[43] = 16;
v4[44] = 44;
v4[45] = 52;
v4[46] = 32;
v4[47] = 64;
v4[48] = 89;
v4[49] = 45;
v4[50] = 32;
v4[51] = 65;
v4[52] = 15;
v4[53] = 34;
v4[54] = 18;
v4[55] = 16;
v4[56] = 0;
memcpy(v3, "{ ", 2);
v3[2] = 18;
v3[3] = 98;
v3[4] = 119;
v3[5] = 108;
v3[6] = 65;
v3[7] = 41;
v3[8] = 124;
v3[9] = 80;
v3[10] = 125;
v3[11] = 38;
v3[12] = 124;
v3[13] = 111;
v3[14] = 74;
v3[15] = 49;
v3[16] = 83;
v3[17] = 108;
v3[18] = 94;
v3[19] = 108;
v3[20] = 84;
v3[21] = 6;
memcpy(&v3[22], "`S,yhn _uec{", 12);
v3[34] = 127;
v3[35] = 119;
v3[36] = 96;
v3[37] = 48;
v3[38] = 107;
v3[39] = 71;
v3[40] = 92;
v3[41] = 29;
v3[42] = 81;
v3[43] = 107;
v3[44] = 90;
v3[45] = 85;
v3[46] = 64;
v3[47] = 12;
v3[48] = 43;
v3[49] = 76;
v3[50] = 86;
v3[51] = 13;
v3[52] = 114;
v3[53] = 1;
strcpy(&v3[54], "u~");
for (i = 0; i < 56; ++i)
{
v3[i] ^= v4[i];
v3[i] ^= 0x13u;
}
printf("%s\n", v3);
return 0;
}
得到Flag。