小编点评

The code you provided is a program that implements a function called `encode` and a function called `decode` in a 666 ELF file. **`encode` Function:** - Takes a pointer to a string as input. - Checks if the length of the input string matches the length of the key. - If the lengths are not equal, it returns a `Wrong Length` error. - Otherwise, it iterates over the input string and constructs a new string by XOR-ing the key with the corresponding positions in the input string. - It then returns the new string. **`decode` Function:** - Takes a pointer to a string as input. - Checks if the length of the input string matches the length of the key. - If the lengths are not equal, it returns a `Wrong Length` error. - Otherwise, it iterates over the input string and constructs a new string by XOR-ing the key with the corresponding positions in the input string. - It then returns the new string. **Key Points:** - The `encode` function performs XOR operation on the input string and the key to generate the new string. - The `decode` function performs XOR operation on the key and the input string to generate the new string. - The code uses the `ord()` and `chr()` functions to convert characters to their corresponding ASCII or Unicode values. **Output:** When you run the program with a valid input string and a key of length 18, the program will print the following output: ``` Please Input Key: izwhroz\"\"w\"v.K\".Ni flag{This_1s_f4cker_flag} ``` This indicates that the input string "izwhroz\"\"w\"v.K\".Ni" matches the key "flag{This_1s_f4cker_flag}".

正文

下载附件，是一个可执行的ELF文件666，拖进IDA中查看

main 函数反汇编得到

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[240]; // [rsp+0h] [rbp-1E0h] BYREF
  char v5[240]; // [rsp+F0h] [rbp-F0h] BYREF

  memset(s, 0, 0x1EuLL);
  printf("Please Input Key: ");
  __isoc99_scanf("%s", v5);
  encode(v5, (__int64)s);
  if ( strlen(v5) == key )
  {
    if ( !strcmp(s, enflag) )
      puts("You are Right");
    else
      puts("flag{This_1s_f4cker_flag}");
  }
  return 0;
}

从这里可以看出，对于传入的参数会做一个encode的操作，然后回去比较传入参数的长度是否为key所对应的值，同时是否可enflag对应的值一致

看看encode都干了什么,反汇编encode方法

int __fastcall encode(const char *a1, __int64 a2)
{
  char v3[104]; // [rsp+10h] [rbp-70h]
  int v4; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  i = 0;
  v4 = 0;
  if ( strlen(a1) != key )
    return puts("Your Length is Wrong");
  for ( i = 0; i < key; i += 3 )
  {
    v3[i + 64] = key ^ (a1[i] + 6);
    v3[i + 33] = (a1[i + 1] - 6) ^ key;
    v3[i + 2] = a1[i + 2] ^ 6 ^ key;
    *(_BYTE *)(a2 + i) = v3[i + 64];
    *(_BYTE *)(a2 + i + 1LL) = v3[i + 33];
    *(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
  }
  return a2;
}

// 单机+回车 查看 key 和 enflag 的值
enflag =  'izwhroz""w"v.K".Ni'

key = 18


  
// 稍微整理一下
int __fastcall encode(const char *src_code, __int64 enflag_s)
{
  char v3[104]; // [rsp+10h] [rbp-70h]
  int v4; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  i = 0;
  v4 = 0;
  if ( strlen(src_code) != key )
    return puts("Your Length is Wrong");
  for ( i = 0; i < key; i += 3 )
  {
    v3[i + 64] = key ^ (src_code[i] + 6);
    v3[i + 33] = (src_code[i + 1] - 6) ^ key;
    v3[i + 2] = src_code[i + 2] ^ 6 ^ key;
    *(_BYTE *)(enflag_s + i) = v3[i + 64];
    *(_BYTE *)(enflag_s + i + 1LL) = v3[i + 33];
    *(_BYTE *)(enflag_s + i + 2LL) = v3[i + 2];
  }
  return enflag_s;
}

知识点：

异或运算性质：

交换律，即 a ^ b ^ c = a ^ c ^ b
结合律， 即 (a ^ b) ^ c = a ^ ( b ^c )
对于任何数，都有 a ^ a = 0, a ^ 0 = a
自反性， a ^ b ^ b = a ^ 0 = a


那么根据交换律
y = b^x  那么可以推导出 x= b^y = y^b
例子python：
b = 3
x = 5
y = b^x
# y = 6
print (y)
# t=b^y
t = 3^6
print(t)
# t = 5 = x
# t=y^b
t = 6^3
print(t)
# t = 5 = x

那么要得到正确的传入值即flag，就需要反写出这个encode对应的decode操作

def decode():
    key = 18
    enflag = 'izwhroz""w"v.K".Ni'

    src = []
    for i in range(0, 18, 3):
        src.append((ord((enflag[i])) ^ key) - 6)
        src.append((ord((enflag[i+1])) ^ key)  + 6)
        src.append((ord(enflag[i+2]))^6^key)

    print(src)
    t_str = ""
    for each in src:
        t_str += chr(each)
    print(t_str)

if __name__ == '__main__':
    decode()

知识点

python 函数ord()
ord() 函数是 chr() 函数（对于8位的ASCII字符串）或 unichr() 函数（对于Unicode对象）的配对函数，它以一个字符（长度为1的字符串）作为参数，返回对应的 ASCII 数值或者 Unicode 数值，如果所给的 Unicode 字符超出了你的 Python 定义范围，则会引发一个 TypeError 的异常

>>>ord('a')
97
>>> ord('b')
98
>>> ord('c')
99

------------------------------
python 函数 chr()
chr() 用一个范围在 range（256）内的（就是0～255）整数作参数，返回一个对应的字符。

>>>print chr(0x30), chr(0x31), chr(0x61)   # 十六进制
0 1 a
>>> print chr(48), chr(49), chr(97)         # 十进制
0 1 a

boom 得到flag unctf