![BUUCTF [FlareOn4]IgniteMe](http://pic.xiahunao.cn/yaotu/BUUCTF [FlareOn4]IgniteMe)
查壳然后进入idaNumberOfBytesWritten 0;把输出字符数清零hFile GetStdHandle(0xFFFFFFF6); // 标准输入键盘 dword_403074 GetStdHandle(0xFFFFFFF5); // 标准输出屏幕0xFFFFFFF6 (DWORD)-10→STD_INPUT_HANDLE0xFFFFFFF5 (DWORD)-11→STD_OUTPUT_HANDLE作用hFile 读键盘输入dword_403074 往屏幕打印文字WriteFile( dword_403074, // 输出到屏幕 aG1v3M3T3hFl4g, // 字符串内容Give me the flag 0x13u, // 长度19 个字符 NumberOfBytesWritten, 0 );屏幕打印G1v3 M3 T3h Fl4g((void (__cdecl *)(DWORD))sub_4010F0)(NumberOfBytesWritten);调用sub_4010F0作用读取用户输入的 flag重点关注sub_4010F0、sub_401050sub_4010F0sub_4010F0作用就是读取输入的flag到byte_403078[]sub_401050sub_401000__ROL4__循环左移 4 位Rotate Left 4 bits→0x00700008 1逻辑右移 1 位→0x0004所以sub_401000等价于return 4 这个函数始终返回4因此v44for ( j 0; j 39; j ) { if ( byte_403180[j] ! byte_403000[j] )可知byte_403180unk_403000flag是39位for ( i v1 - 1; i 0; --i ) { byte_403180[i] v4 ^ byte_403078[i]; v4 byte_403078[i]; }异或加密byte_403078flag解密#include stdio.h int main(){ unsigned char byte_403180[] { 0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69 }; int v44; int byte_403078[40]; for(int i38;i0;i--) { byte_403078[i]byte_403180[i]^v4; v4byte_403078[i]; } for (int j 0; j 39; j ){ printf(%c,byte_403078[j]); } return 0; }flag{R_y0u_H0t_3n0ugH_t0_1gn1t3flare-on.com}