Snake

The program is packed with UPX.

$ mv snake_finall.exe snake
$ upx -d snake
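Open the binary in IDA. The main function turns out to hold the control logic; ignore it. Search the strings instead, find "Mission Complete", and jump to the function that references it. The flag is not visible there, so scroll up and find sub_8092E0. View the calls to that function and pick the last one, which leads to the relevant code. Scrolling down from there, there are three printw calls, which presumably output the flag; take them one at a time.

At the first one, find the lea esi. The algorithm XORs 0x2a with [ebp-4c][ebp-24] respectively. Compute it in Python: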
# XOR every byte with the key 0x2a
a=[0x7f,0x1a,0x64,0x7f,0x78,0x44,0x5e,0x50,0x67,0x7d,0x4e,0x5f]
print(''.join(map(chr,map(lambda x:x^0x2a,a))))
The result is U0NURntzMWdu

Now the second one: again find the lea esi, then press Alt+T and search for [ebp-84h]. That turns up the following bytes, which use the same algorithm:

a=[0x64,0x6d,0x52,0x4c,0x67,0x72,0x64,0x4c,0x70,0x44,0x7c,0x5f,0x2a]
print(''.join(map(chr,map(lambda x:x^0x2a,a))))
The result is NGxfMXNfZnVu

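For the last one, find 804C0C0 and double-click it to view the data. It is another string of mysterious numbers, decoded with the same algorithm: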

a=[0x48,0x44,0x41,0x1c,0x61,0x72,0x1a,0x17,0x0a,0x0a,0x0a,0x0a]
print(''.join(map(chr,map(lambda x:x^0x2a,a))))
The result is bnk6KX0=

Full script:

import base64
# Each table is XORed with the key 0x2a to recover one Base64 fragment
a=[0x7f,0x1a,0x64,0x7f,0x78,0x44,0x5e,0x50,0x67,0x7d,0x4e,0x5f]
x=''.join(map(chr,map(lambda x:x^0x2a,a)))
a=[0x64,0x6d,0x52,0x4c,0x67,0x72,0x64,0x4c,0x70,0x44,0x7c,0x5f,0x2a]
y=''.join(map(chr,map(lambda x:x^0x2a,a)))
a=[0x48,0x44,0x41,0x1c,0x61,0x72,0x1a,0x17,0x0a,0x0a,0x0a,0x0a]
z=''.join(map(chr,map(lambda x:x^0x2a,a)))
# y ends in a NUL and z in spaces (filler bytes XORed with the key); drop them before decoding
print(base64.b64decode((x+y+z).replace('\x00','').strip()).decode())
The result is SCTF{s1gn4l_1s_funny:)}
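
The key 0x2a above was read from the disassembly. As an added example (not part of the original write-up), the script below goes one step further and recovers the key from the three byte tables alone, by trying all 256 single-byte keys and keeping only those that yield well-formed Base64 decoding to printable ASCII. The function names are hypothetical, and treating trailing NUL and space bytes as filler is an assumption based on the decoded output of the second and third tables.

```python
import base64
import re

# The three byte tables copied from the write-up above.
BLOBS = [
    [0x7f,0x1a,0x64,0x7f,0x78,0x44,0x5e,0x50,0x67,0x7d,0x4e,0x5f],
    [0x64,0x6d,0x52,0x4c,0x67,0x72,0x64,0x4c,0x70,0x44,0x7c,0x5f,0x2a],
    [0x48,0x44,0x41,0x1c,0x61,0x72,0x1a,0x17,0x0a,0x0a,0x0a,0x0a],
]
B64_RE = re.compile(r'[A-Za-z0-9+/]+={0,2}')


def xor_decode(blob, key):
    """XOR every byte with `key`, then drop trailing NUL/space filler."""
    return ''.join(chr(b ^ key) for b in blob).rstrip('\x00 ')


def try_key(key, blobs=BLOBS):
    """Return the plaintext if `key` yields well-formed Base64, else None."""
    text = ''.join(xor_decode(blob, key) for blob in blobs)
    # Structural check: length is a multiple of 4, padding only at the end.
    if len(text) % 4 or not B64_RE.fullmatch(text):
        return None
    raw = base64.b64decode(text)
    # Accept only printable ASCII plaintext.
    if all(0x20 <= c < 0x7f for c in raw):
        return raw.decode('ascii')
    return None


def recover(blobs=BLOBS):
    """Try all 256 single-byte keys; return {key: plaintext} for survivors."""
    hits = {}
    for key in range(256):
        plain = try_key(key, blobs)
        if plain is not None:
            hits[key] = plain
    return hits


if __name__ == '__main__':
    for key, plain in recover().items():
        print(hex(key), plain)
```

Only one key survives the checks, which shows that a single-byte XOR over a Base64 string gives no protection once the byte tables are located.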