
replace ---- 2017湖湘杯Re

作者: Adam_0 | 来源:发表于2019-02-09 17:40 被阅读0次

首先用 UPXShell 脱壳(程序加了 UPX 壳,脱壳前 IDA 看到的只是解压存根),再用 IDA 打开,F5 查看主函数伪代码。


/*
 * Decompiled entry point (IDA/Hex-Rays output after UPX unpacking).
 *
 * Reads a key into a zeroed stack buffer and accepts it only when the length
 * is in [35, 37] and sub_401090() -- the real check -- returns 1.
 * Buf/Dst look like the decompiler's view of one contiguous 0x28-byte stack
 * array: Buf is its first byte, Dst the remaining 0x27 bytes memset() zeroes.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // kr00_4
  char Buf; // [esp+4h] [ebp-2Ch]
  char Dst; // [esp+5h] [ebp-2Bh]

  Buf = 0;
  memset(&Dst, 0, 0x27u);   // zero the rest of the key buffer (1 + 0x27 = 0x28 bytes)
  printf("Welcome The System\nPlease Input Key:");
  gets_s(&Buf, 0x28u);      // bounded read; the 0x28 limit matches the zeroed region above, so no stack overflow here
  v3 = strlen(&Buf);
  if ( (unsigned int)(v3 - 35) <= 2 )   // unsigned-compare idiom: true iff 35 <= v3 <= 37
  {
    if ( sub_401090((int)&Buf, v3) == 1 )      // key point: the real check (it also rejects any length other than 35)
      printf("Well Done!\n");
    else
      printf("Your Wrong!\n");
  }
  return 0;
}

发现 sub_401090 是关键判断,继续跟进它。下面的伪代码省略了函数头:a1 就是 main 传入的 &Buf(输入缓冲区),a2 是其长度,函数一开始就要求 a2 == 35,否则返回 -1。

v2 = a1;
  if ( a2 != 35 )
    return -1;
  v4 = 0;
  while ( 1 )
  {
    v5 = *(_BYTE *)(v4 + v2);
    v6 = (v5 >> 4) % 16;
    v7 = (16 * v5 >> 4) % 16;
    v8 = byte_402150[2 * v4];
    if ( v8 < 48 || v8 > 57 )
      v9 = v8 - 87;
    else
      v9 = v8 - 48;
    v10 = byte_402151[2 * v4];
    v11 = 16 * v9;
    if ( v10 < 48 || v10 > 57 )
      v12 = v10 - 87;
    else
      v12 = v10 - 48;
    if ( (unsigned __int8)byte_4021A0[16 * v6 + v7] != ((v11 + v12) ^ 0x19) )   //关键判断
      break;
    if ( ++v4 >= 35 )
      return 1;
  }
  return -1;
}

这里我们知道要返回 1,那么 flag 长度必须恰好为 35(a2 != 35 直接返回 -1),并且 flag 的每个字节都要通过 while 循环里的检查。拆开看:byte_402150 是一个 70 字符的小写十六进制串,每两位按手写的 hex 解析(数字减 48、字母减 87)拼成一个目标字节 v11 + v12;byte_4021A0 是一张 256 字节的查表(即下面脚本中的 b,内容与 AES 的 S 盒一致);(v5 >> 4) % 16 与 (16 * v5 >> 4) % 16 只是取输入字节的高、低 4 位,所以 16 * v6 + v7 就是输入字节本身。于是整个循环等价于逐字节检查 b[flag[i]] == int(hex[2i:2i+2], 16) ^ 0x19。由于 S 盒是 0..255 上的一个置换,每个位置恰有一个解:既可以像下面的脚本那样逐位爆破,也可以直接把表求逆后查表得到 flag。

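# Constants recovered from the binary.
# a: byte_402150 -- the 70-character lowercase-hex string the checker compares
#    against (two hex digits per flag byte, hence 35 flag bytes).
# b: byte_4021A0 -- the 256-byte lookup table indexed by each input byte.  The
#    dump is a permutation of 0..255 (it matches the AES forward S-box), which
#    is what makes the check invertible without brute force.
a = "2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"
b = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
]

XOR_KEY = 0x19  # constant XOR'd into every target byte inside sub_401090


def solve(cipher_hex, sbox=b, xor_key=XOR_KEY):
    """Recover the input that sub_401090 accepts for ``cipher_hex``.

    For every position i the binary checks
        sbox[input[i]] == int(cipher_hex[2*i:2*i+2], 16) ^ xor_key
    (the decompiled ``(v5 >> 4) % 16`` / ``(16 * v5 >> 4) % 16`` split is just
    the high and low nibble of the input byte, i.e. a plain table index).
    Because ``sbox`` is a permutation of 0..255, each position has exactly one
    preimage, so the table is inverted once and each byte is looked up directly
    instead of brute-forcing a character range (the original loop only tried
    '0'..'}' and would silently skip a position whose answer lay outside it).

    Args:
        cipher_hex: even-length hex string; upper- or lower-case digits.
        sbox: 256-entry permutation of 0..255 (defaults to the dumped table).
        xor_key: byte XOR'd into each target (0x19 in this binary).

    Returns:
        The recovered input as a ``str`` (Latin-1 decoded, so every byte value
        maps to exactly one character even when it is not printable).

    Raises:
        ValueError: if ``sbox`` is not a permutation of 0..255, or if
            ``cipher_hex`` has odd length or non-hex characters.
    """
    if len(sbox) != 256 or sorted(sbox) != list(range(256)):
        raise ValueError("sbox must be a permutation of 0..255")
    if len(cipher_hex) % 2:
        raise ValueError("cipher_hex must have even length")

    # inverse[y] = x such that sbox[x] == y; well-defined because sbox is a bijection
    inverse = [0] * 256
    for value, out in enumerate(sbox):
        inverse[out] = value

    recovered = bytearray()
    for i in range(0, len(cipher_hex), 2):
        target = int(cipher_hex[i:i + 2], 16) ^ xor_key  # int() raises on bad hex
        recovered.append(inverse[target])
    return recovered.decode("latin-1")


if __name__ == "__main__":
    print(solve(a, b))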

结果:flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}



      本文链接:https://www.haomeiwen.com/subject/cirnsqtx.html