2017 Dimi CTF Prequal ToHard

디컴파일을 하면 이렇게 나온다. mips로 짠 문제다. 그냥 angr로 슥삭 돌리면 풀린다.

undefined4 main(void)
{
  int iVar1;
  int local_78;
  int local_74;
  byte local_70;
  undefined4 local_6c;
  undefined4 local_68;
  undefined4 local_64;
  undefined4 local_60;
  undefined4 local_5c;
  undefined4 local_58;
  undefined4 local_54;
  undefined4 local_50;
  byte local_4c [30];
  byte local_2e;
  byte abStack45 [37];
  
  local_6c = 0x7e067d4b;
  local_68 = 0x2b74014c;
  local_64 = 0xb3d4113;
  local_60 = 0x52763724;
  local_5c = 0x2c5f7e5e;
  local_58 = 0x41097120;
  local_54 = 0x40246d5b;
  local_50 = 0x334e2e00;
  printf("INPUT: ");
  __isoc99_scanf(&DAT_00400cb8,local_4c);
  strncpy((char *)(abStack45 + 1),(char *)local_4c,0x20);
  local_78 = 1;
  while (local_78 < 0x1f) {
    abStack45[local_78 + 1] = abStack45[local_78 + 1] ^ abStack45[local_78];
    local_78 = local_78 + 1;
  }
  local_78 = 0;
  while (local_78 < (int)(uint)(local_2e % 0x1f)) {
    local_74 = 0x1f;
    while (-1 < local_74) {
      if (local_74 == 0) {
        local_4c[0] = local_70;
      }
      else {
        if (local_74 == 0x1f) {
          local_70 = local_2e;
        }
        else {
          local_4c[local_74] = *(byte *)((int)&local_50 + local_74 + 3);
        }
      }
      local_74 = local_74 + -1;
    }
    local_78 = local_78 + 1;
  }
  local_78 = 0;
  while (local_78 < 0x1f) {
    local_4c[local_78] = local_4c[local_78] ^ abStack45[local_78 + 1];
    local_78 = local_78 + 1;
  }
  local_78 = 0xf;
  while (local_78 < 0x1f) {
    abStack45[local_78 + 1] = local_4c[local_78];
    local_78 = local_78 + 1;
  }
  local_78 = 0;
  while (local_78 < 0x20) {
    abStack45[local_78 + 1] = abStack45[local_78 + 1] ^ *(byte *)((int)&local_6c + local_78);
    local_78 = local_78 + 1;
  }
  iVar1 = strncmp((char *)(abStack45 + 1),"Oh_You_Finally_Match_The_Keys!!",0x1f);
  if (iVar1 == 0) {
    puts("Correct!");
  }
  else {
    puts("Try Again");
  }
  return 0;
}


import angr
p = angr.Project('./ToHard',load_options={"auto_load_libs":True})
ex = p.surveyors.Explorer(find=0x0400ad8, avoid=0x0400aec)
ex.run()
print ex.found[0].state.posix.dumps(0)

FLAG : 1_L0VE_Th1s_A1g0r1thm_AnD_M1pS!