很久没来看雪了，逆向水平是越来越不咋的了。言归正传，最近做了一道RCTF2015里面的逆向题Crackme300，至今我还没搞清楚这是逆向题，还是web题，就当娱乐吧！直接上我的垃圾python代码：

import string
import itertools

st=[0x6A,0x32,0x16,0x42,0x3A,0x52,0x4A,0x62,0x5A,0x08,0x46,0x1E,0x66,0x56,0x1A,0x26,\
    0x22,0x2E,0x2A,0x3E,0x36,0x5E,0x4E,0x01,0x58,0x20,0x68,0x0C,0x30,0x28,0x40,0x38,\
    0x50,0x48,0x60,0x0A,0x34,0x10,0x54,0x44,0x64,0x0E,0x5C,0x14,0x12,0x1C,0x18,0x2C,\
    0x24,0x4C,0x3C,0x00,0x61,0x29,0x0D,0x39,0x31,0x49,0x41,0x59,0x51,0x69,0x03,0x3D,\
    0x15,0x5D,0x4D,0x11,0x65,0x1D,0x19,0x25,0x21,0x35,0x2D,0x55,0x45,0x02,0x4F,0x17,\
    0x5F,0x05,0x27,0x1F,0x37,0x2F,0x47,0x3F,0x67,0x57,0x04,0x2B,0x07,0x4B,0x3B,0x6B,\
    0x5B,0x06,0x53,0x0B,0x09,0x13,0x0F,0x23,0x1B,0x43,0x33,0x63]

enc='22722272222227272222727a2222222222272222272222222222cfdceeeebb9fdbcdbbedfdede7ce9bebe0bb1e2ceab9e2bbbdecf9d8'

def getTargetStr(enc,st):
    t=[0]*0x6c
    for i in range(len(enc)):
        t[st[i]]=enc[i]
    return ''.join(t)

global target
target=getTargetStr(enc, st)

'''
int __cdecl sub_401080(int a1, signed int a2)
{
  signed int v2; // esi@1
  char *v3; // edi@2
  int i; // eax@3
  signed int v5; // eax@10
  int *v6; // esi@11
  char v7; // dl@12
  int v9; // [sp+Ch] [bp-200h]@1
  char v10; // [sp+10h] [bp-1FCh]@2
   
  v2 = 1;
  v9 = -1;
  if ( a2 > 1 )
  {
    v3 = &v10;
    do
    {
      for ( i = *((_DWORD *)v3 - 1); i != -1; i = *(&v9 + i) )
      {
        if ( *(_BYTE *)(v2 + a1) == *(_BYTE *)(a1 + i + 1) )
          break;
      }
      if ( *(_BYTE *)(v2 + a1) == *(_BYTE *)(a1 + i + 1) )
        *(_DWORD *)v3 = i + 1;
      else
        *(_DWORD *)v3 = -1;
      ++v2;
      v3 += 4;
    }
    while ( v2 < a2 );
  }
  v5 = 0;
  if ( a2 > 0 )
  {
    v6 = &v9;
    do
    {
      v7 = *v6 + 25;
      ++v6;
      *(_BYTE *)(v5++ + a1) ^= v7;
    }
    while ( v5 < a2 );
  }
  return 0;
}
'''

def encrypt(str_):
    v10=[-1]*54
    a1=str_.encode('hex')
    a2=len(a1)
    j=1
    k=1
    while True:
        i = v10[k-1]
        while i!=-1:
            if a1[j] == a1[i + 1]:
                break
            i = v10[i]
        if  a1[j] == a1[i + 1]:
            v10[k] = i + 1
        else:
            v10[k] = -1
        j +=1
        k += 1
        if j >= a2:
            break
    s=''
    for i in range(len(a1)):
        s+=chr(ord(a1[i]) ^ (0x19+v10[i]))
    return s.encode('hex')

# f='*&*_U_g3t_the_CrackM3_f1@9!'
# print encrypt(f)==target
# f='*6<_U_g3t_the_CsackM3_f1@91'
# print encrypt(f)==target
def checkflag(flag):
    return encrypt(flag)==target

def getOneflag():
    oneflag=''
    t=target.decode('hex')
    for i in range(len(t)):
        oneflag+=chr( ord(t[i]) ^ 0x18)
    flag=oneflag.decode('hex')
    if checkflag(flag):
        return flag
    else:
        print 'error'
        return None
   
flag=getOneflag()
if flag !=None:
    j=0
    L=[]
    for i in range(len(flag)):
        L.append([])
        for c in string.printable:
            f=flag[:i]+c+flag[i+1:]
            if encrypt(f)==target:
                L[j].append(c)
        j+=1
    print L
    m=1
    for ele in L:
        m*=len(ele)
    print 'total: '+ str(m)
   
    '''
    L=[['*'], ['6', '&'], ['*', ',', '<'], ['_'], ['U'], ['_'], ['g'], ['2', '3', '"', '#'], ['t'], ['_'], ['t'], ['h'], ['e'], ['_'], ['B', 'C'], ['r', 's'], ['a'], ['b', 'c'], ['k'], ['M'], ['2', '3', '"', '#'], ['_'], ['f'], ['1', '!'], ['@'], ['9', ')'], ['1', '!']]   
    '''

    FLAGS=[''.join(x) for x in itertools.product(L[0], L[1], L[2], L[3], L[4], L[5], L[6], L[7], L[8], L[9], L[10], L[11], L[12], L[13], L[14], L[15], L[16], L[17], L[18], L[19], L[20], L[21], L[22], L[23], L[24], L[25], L[26])]
    flags= open(r'D:\rctf2015\flags.txt','w')  
    count=0
    for f in FLAGS:
        if checkflag(f):
            count+=1
            s='%d: %s'%(count,f)
            print s
            flags.write(s+'\n')
    flags.close()
   
      实事求是，上面的一段伪C代码改成python花了我不少时间。总之这个题目的答案竟然有6000多种，在没有任何提示的情况下能提交正确答案的概率实在是微乎其微，除非爆破网站（但这是不允许的），所以这到底是逆向题还是web题？吐槽一下，留个纪念！

[注意]看雪招聘，专注安全领域的专业人才平台！