logmein

logmein
拖进IDA看main函数
其中s就是要求的flag

 v9 = 0;
  strcpy(v8, ":"AL_RT^L*.?+6/46");
  v7 = 'ebmarah';  
  v6 = 'a';
  printf("Welcome to the RC3 secure password guesser.n");
  printf("To continue, you must enter the correct password.n");
  printf("Enter your guess: ");
  __isoc99_scanf("%32s");
  v3 = strlen(s);  //flag的长度
  if ( v3 < strlen(v8) )  
    sub_4007C0();
  for ( i = 0; i < strlen(s); ++i )
  {
    if ( i >= strlen(v8) )
      sub_4007C0();
    if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
      sub_4007C0();
  }
  sub_4007F0();

查看sub_4007C0():

void __noreturn sub_4007C0()
{
  printf("Incorrect password!n");
  exit(0);
}

查看sub_4007F0()：

void __noreturn sub_4007F0()
{
  printf("You entered the correct password!nGreat job!n");
  exit(0);
}

写脚本：

v8=":"AL_RT^L*.?+6/46"
v7 = 'harambe'  #小端序，IDA转字符串之后手动逆序
flag=''
for i in range(len(v8)):
    flag+=chr((ord(v7[(i%7)]))^ord(v8[i]))
print(flag)

运行：

RC3-2016-XORISGUD