红帽杯easyre

step1，通过字符串查找突破口，发现疑似base64加密的字符串，进入交叉引用查看主函数。

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  __int64 v13; // rax
  int i; // [rsp+Ch] [rbp-114h]
  char v15[13]; // [rsp+60h] [rbp-C0h] BYREF
  char v16[4]; // [rsp+6Dh] [rbp-B3h] BYREF
  char v17[19]; // [rsp+71h] [rbp-AFh] BYREF
  char v18[32]; // [rsp+90h] [rbp-90h] BYREF
  int v19; // [rsp+B0h] [rbp-70h]
  char v20; // [rsp+B4h] [rbp-6Ch]
  __int64 v21[8]; // [rsp+C0h] [rbp-60h] BYREF
  char v22; // [rsp+100h] [rbp-20h]
  unsigned __int64 v23; // [rsp+108h] [rbp-18h]

  v23 = __readfsqword(0x28u);
  qmemcpy(v15, "Iodl>Qnb(ocy", 12);
  v15[12] = 127;
  qmemcpy(v16, "y.i", 3);
  v16[3] = 127;
  qmemcpy(v17, "d`3w}wek9{iy=~yL@EC", sizeof(v17));
  memset(v18, 0, sizeof(v18));
  v19 = 0;
  v20 = 0;
  read(0, v18, 0x25uLL);
  v20 = 0;
  if ( strlen(v18) == 36 )
  {
    for ( i = 0; i < (unsigned __int64)strlen(v18); ++i )
    {
      if ( (unsigned __int8)(v18[i] ^ i) != v15[i] )
      {
        result = 4294967294;
        goto LABEL_13;
      }
    }
    printf("continue!");
    memset(v21, 0, sizeof(v21));
    v22 = 0;
    read(0, (char *)v21, 0x40uLL);
    HIBYTE(v21[4]) = 0;
    if ( strlen(v21) == 39 )
    {
      base64((__int64)v21);
      base64(v4);
      base64(v5);
      base64(v6);
      base64(v7);
      base64(v8);
      base64(v9);
      base64(v10);
      base64(v11);
      base64(v12);
      if ( !(unsigned int)strcmp(v13, off_6CC090) )
      {
        printf("You found me!!!");
        printf("bye bye~");
      }
      result = 0;
    }
    else
    {
      result = -3;
    }
  }
  else
  {
    result = -1;
  }
LABEL_13:
  if ( __readfsqword(0x28u) != v23 )
    sub_444020();
  return result;
}

将未知的函数进行重命名，发现对字符串进行了异或处理，写个脚本运行，是个提示，flag前四个字符为flag，这不废话吗（bushi），但是后面会用到这个。

str='Iodl>Qnb(ocy'+chr(127)+'y.i'+chr(127)+'d`3w}wek9{iy=~yL@EC'
flag=''
for i in range(36):
    for key in range(32,127):
            if key^i==ord(str[i]):
                print(chr(key),end='')
print()

我们接着对base64字符串进行解密，n次后发现是个网址，网址内并没有flag（悲）:(

接着继续从字符串入手，发现了奇怪的一串，查看交叉引用

unsigned __int64 sub_400D35()
{
  unsigned __int64 result; // rax
  unsigned int v1; // [rsp+Ch] [rbp-24h]
  int i; // [rsp+10h] [rbp-20h]
  int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v4; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  v1 = sub_43FD20(0LL) - qword_6CEE38;
  for ( i = 0; i <= 1233; ++i )
  {
    sub_40F790(v1);
    sub_40FE60();
    sub_40FE60();
    v1 = sub_40FE60() ^ 0x98765432;
  }
  v4 = v1;
  if ( ((unsigned __int8)v1 ^ key[0]) == 'f' && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 'g' )
  {
    for ( j = 0; j <= 24; ++j )
      sub_410E90((unsigned __int8)(key[j] ^ *((_BYTE *)&v4 + j % 4)));
  }
  result = __readfsqword(0x28u) ^ v5;
  if ( result )
    sub_444020();
  return result;
}

if ( ((unsigned int8)v1 ^ key[0]) == ‘f’ && (HIBYTE(v4) ^ (unsigned int8)byte_6CC0A3) == ‘g’ )，这不就是flag的首尾吗，可以看到循环是对v4与key[i]进行循环异或，exp如下：

str='Iodl>Qnb(ocy'+chr(127)+'y.i'+chr(127)+'d`3w}wek9{iy=~yL@EC'
flag=''
for i in range(36):
    for key in range(32,127):
            if key^i==ord(str[i]):
                print(chr(key),end='')
print()
key= [0x40,0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 0x24, 
  0x6E, 0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 0x72, 
  0x3C, 0x32, 0x45, 0x5B, 0x00, 0x00, 0x00]
key2='flag'
enc=''
for i in range(4):
     enc+=chr(key[i]^ord(key2[i]))

print(enc)
#enc=&YA1

for i in range(25):
     flag+=chr(key[i]^ord(enc[i%4]))
print(flag)