# [EN] Rev C 3 ###### tags: `Writeup` `Reverse` `English` > [name=FlyDragon] ## Step 1 Using IDA to examine `main()`, we can see that it first processes `check_access()`. ```c= // main() printf("Please enter your name: "); scanf("%s", name); if (check_access(name) == 1) { printf("Permission accepted.\nPlease enter your password: "); scanf("%s", password); verify(password); for (i = 0; i <= 9; ++i) putchar(flag[i]); } else { printf("Permission denied."); } ``` ## Step 2 Examining`check_access()`, we can see that it is a simple string comparison. ```c= // check_access strcpy(secret, "OrWt[~{[{3rRQqQ"); while (i <= 14) { if (((unsigned __int8)(str[i] + 1) ^ 2) != secret[i]) return 0; ++i; } ``` Writing a program to find a matching string based on the comparison: ```python= enc = "OrWt[~{[{3rRQqQ" dec = "" for c in enc: num = ord(c) ^ 2 dec += chr(num - 1) print(dec) ``` ## Step.3 Examining `verify()` , we find the password and after entering the password, multiple processes are executed. ```c= strcpy(password, "super_secret_pw"); if (!strcmp(str, password)) process_01(); else printf("Permission denied."); ``` ## Step.4 Examining each process, we find that they modify the flag, but `sleep()` prevents the flag from being output. Replace all instances of `sleep()` with `sleep(0)`.  ## Step.5 ``` Please enter your name : <flag_1> Permission accept. Please enter your password : super_secret_pw <flag_2> ``` {%hackmd M1bgOPoiQbmM0JRHWaYA1g %}