运行程序 flag显示乱码
IDA打开查看程序逻辑
1 int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
2 {
3 int v3; // ecx
4 CHAR *lpMem; // [esp+8h] [ebp-Ch]
5 HANDLE hHeap; // [esp+10h] [ebp-4h]
6
7 hHeap = HeapCreate(0x40000u, 0, 0);
8 lpMem = (CHAR *)HeapAlloc(hHeap, 8u, unk_409B34 + 1);
9 memcpy_s(lpMem, unk_409B34, dword_409B10, unk_409B34);
10 if ( sub_40102A() || IsDebuggerPresent() )
11 {
12 __debugbreak();
13 sub_401000(v3 + 4, lpMem); 14
1 unsigned int __fastcall sub_401000(int a1, char *a2)
2 {
3 int v2; // esi
4 char *v3; // eax
5 unsigned int v4; // ecx
6 unsigned int result; // eax
7
8 v2 = dword_409B38;
9 v3 = &a2[strlen(a2 + 1) + 2];
10 v4 = 0;
11 result = ((unsigned int)(v3 - (a2 + 2)) >> 2) + 1;
12 if ( result )
13 {
14 do
15 *(_DWORD *)&a2[4 * v4++] ^= v2;
16 while ( v4 < result );
17 }
18 return result;
19 }15 ExitProcess(0xFFFFFFFF);
16 }
17 MessageBoxA(0, lpMem + 1, "Flag", 2u);
18 HeapFree(hHeap, 0, lpMem);
19 HeapDestroy(hHeap);
20 ExitProcess(0);
21 }可发现:
1.存在反调试IsDebuggerPresent()
2.lpMem还出现在sub_401000(v3 + 4, lpMem)函数中,但该函数未被调用
动态调试:
跳过反调试,跳转到sub_401000 函数 (调试用基地址会变,但偏移不变 0x1000)
解码后调用原弹窗(程序中有两个MessageBoxA函数,陷阱,第一个输出lpMem,第二个输出(lpMem+1)),这里需要跳转到第二个弹窗处,即原弹窗处
运行
flag{reversing_is_not_that_hard!}
解码脚本:
1 x=[0xbb,0xaa,0xcc,0xdd]
2 y=bytes.fromhex('BBCCA0BCDCD1BEB8CDCFBEAED2C4AB82D2D993B3D4DE93A9D3CBB882D3CBBEB99AD7CCDD')
3 z=[]
4 i=0
5 while i<len(y):
6 t=chr(y[i]^x[i%4])
7 z.append(t)
8 i+=1
9 print(z)
10 print(''.join(z))['\x00', 'f', 'l', 'a', 'g', '{', 'r', 'e', 'v', 'e', 'r', 's', 'i', 'n', 'g', '_', 'i', 's', '_', 'n', 'o', 't', '_', 't', 'h', 'a', 't', '_', 'h', 'a', 'r', 'd', '!', '}', '\x00', '\x00']
flag{reversing_is_not_that_hard!}
这里就可以知道为什么调用第一个弹窗会失败了,因为第一个字符解码后为'\0',直接截断,所以会输出空白
来源:oschina
链接:https://my.oschina.net/u/4380330/blog/3413616