666
直接看到flag,不过当然是假的,输入的是v5,然后经过encode
int __fastcall encode(const char *a1, __int64 a2)
{
_BYTE v3[104]; // [rsp+10h] [rbp-70h]
int v4; // [rsp+78h] [rbp-8h]
int i; // [rsp+7Ch] [rbp-4h]
i = 0;
v4 = 0;
if ( strlen(a1) != key )
return puts("Your Length is Wrong");
for ( i = 0; i < key; i += 3 )
{
v3[i + 64] = key ^ (a1[i] + 6);
v3[i + 33] = (a1[i + 1] - 6) ^ key;
v3[i + 2] = a1[i + 2] ^ 6 ^ key;
*(_BYTE *)(a2 + i) = v3[i + 64];
*(_BYTE *)(a2 + i + 1LL) = v3[i + 33];
*(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
}
return a2;
}注:这里没有显示的接收返回值是因为传入的是内存位置所以直接修改了
s和enflag的值要一样,那现在是已a2求a1
def encode():
v3=[0]*100
a1=[""]*100
a2='izwhroz""w"v.K".Ni'
for i in range(0,18,3):
v3[i+2]=a2[i+2]
v3[i+33]=a2[i+1]
v3[i+64]=a2[i]
a1[i+2]=chr(18^ord(v3[i+2])^6)
a1[i+1]=chr((ord(v3[i+33])^18)+6)
a1[i]=chr((ord(v3[i+64])^18)-6)
print(''.join(a1))
encode()Code_Talkers