关键的 judge 居然是数据而不是函数，应该是 SMC（自修改代码）加密：程序运行时取自身地址上的数据做异或（异或可逆，加解密是同一操作），静态分析时看到的只是密文，因此 IDA 无法直接反汇编。
第一次做题用IDApython,复现了两天
if ( v5 == 14 && (*(unsigned int (__fastcall **)(char *))judge)(s) )
点进去judge,点着judge,shift+f2
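"""IDAPython: statically undo the SMC layer so judge() can be disassembled.

The binary keeps judge at 0x600B00 as XOR-encrypted bytes and decrypts
itself at run time; applying the same XOR to the IDB makes the static view
match what actually executes.  0x600B00..0x600BB5 inclusive is
0xB6 = 182 bytes.  The single-byte key 0xC is presumably what the binary's
own self-decryption routine uses -- re-check it against the disassembly
before trusting the patched bytes.
"""

JUDGE_START = 0x600B00
JUDGE_SIZE = 182  # 0x600BB5 - 0x600B00 + 1
XOR_KEY = 0xC


def xor_bytes(data: bytes, key: int) -> bytes:
    """Return *data* with every byte XORed by the single-byte *key*.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    return bytes(b ^ key for b in data)


def patch_xor_region(start: int, size: int, key: int) -> None:
    """Read *size* bytes at *start* from the IDB, XOR them, write them back.

    Uses PatchByte (not PutByte) so the change is recorded in IDA's patch
    list and can be exported to the binary later.
    """
    # IDA-only API; imported locally so the module is importable outside IDA.
    from idc_bc695 import Byte, PatchByte

    cipher = bytes(Byte(start + i) for i in range(size))
    for offset, value in enumerate(xor_bytes(cipher, key)):
        PatchByte(start + offset, value)


if __name__ == "__main__":
    patch_xor_region(JUDGE_START, JUDGE_SIZE, XOR_KEY)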
按 C 生成新汇编
选中 600B00 到 600BB5（含两端共 0xB6 = 182 字节，与脚本中 range(182) 一致），按 P 生成 judge 函数
再查看judge函数反编译代码
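/*
 * Hex-Rays output for the SMC-unpacked check at 0x600B00, cleaned up.
 *
 * a1 points at the 14-byte user input.  Every byte is XORed in place with
 * its index and then compared against a fixed 14-byte constant; returns 1
 * on a full match, 0 otherwise.
 *
 * Notes for the reviewer:
 *  - The raw decompilation split the constant into v2[5] and v3[9] and
 *    indexed v2[i] for i up to 13.  The two locals are contiguous on the
 *    stack (rbp-20h / rbp-1Bh), so the binary behaves as one 14-byte key;
 *    as C, reading past v2[5] is undefined, hence the single array here.
 *  - The input buffer is modified in place; the caller's copy is destroyed.
 *  - No length check is done here; the visible call site only calls judge
 *    after testing v5 == 14.
 *  - The compare returns at the first mismatch, so the number of iterations
 *    leaks how long the correct prefix is (fine for a CTF, not for a real
 *    password check).
 */
__int64 __fastcall judge(__int64 a1)
{
  /* "fmcd" + 0x7F + "k7d;V`;np": expected bytes after the XOR step. */
  static const unsigned char expected[14] = "fmcd\x7Fk7d;V`;np";
  int i;

  /* Transform: byte i ^= i. */
  for ( i = 0; i <= 13; ++i )
    *(_BYTE *)(i + a1) ^= i;

  /* Byte-wise compare with early exit on the first mismatch. */
  for ( i = 0; i <= 13; ++i )
  {
    if ( *(_BYTE *)(i + a1) != expected[i] )
      return 0LL;
  }
  return 1LL;
}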
分析 judge 可知：它先把输入第 i 个字节与 i 异或，再逐字节与 14 字节常量 fmcd\x7Fk7d;V`;np 比较。异或可逆，所以对该常量再按下标异或一次即得 flag，据此写出脚本。
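"""Recover the flag accepted by judge().

judge() XORs input byte i with i and compares the result against a fixed
14-byte constant.  XOR is its own inverse, so XORing that constant with the
same indices yields the only input that passes the check.
"""

# Bytes judge() expects after its per-index XOR (from the decompiled code).
EXPECTED = "fmcd\x7Fk7d;V`;np"


def decode(expected: str) -> str:
    """Return the input that judge() accepts for the given expected string.

    Each character is XORed with its position; the length is taken from
    *expected* rather than hard-coded so the helper works for any size.
    """
    return "".join(chr(ord(ch) ^ i) for i, ch in enumerate(expected))


if __name__ == "__main__":
    print(decode(EXPECTED))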
flag{n1c3_j0b}