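/*
 * decrypt - undo the per-character "add key" transform applied to s.
 *
 * s:  NUL-terminated wide string (the ciphertext); it is not modified.
 * a2: NUL-terminated wide key; a2[i % wcslen(a2)] is subtracted from s[i].
 *
 * Returns a freshly malloc'd wide string that the caller must free(), or
 * NULL if either argument is NULL or the allocation fails.
 *
 * Review notes on the decompiled original (IDA output):
 *  - `v4` (the write index) was never initialised: reading it is undefined
 *    behaviour, and the routine only worked because the stack slot happened
 *    to hold 0.
 *  - the buffer was sized as `wcslen(s) + 1` *bytes*, but wcscpy() writes
 *    `(wcslen(s) + 1) * sizeof(wchar_t)` bytes, i.e. a heap overflow of
 *    (sizeof(wchar_t) - 1) * (len + 1) bytes on every call.
 *  - with an empty key the inner for-loop never advanced v4, so the outer
 *    while-loop spun forever.
 *  - the wcslen() results were truncated into `signed int`.
 *  - `__cdecl` is an IDA annotation; the 0x0804xxxx addresses elsewhere on
 *    this page suggest a 32-bit x86 ELF target where cdecl is the default,
 *    so the qualifier is dropped without changing the calling convention.
 */
wchar_t *decrypt(wchar_t *s, wchar_t *a2)
{
    if (s == NULL || a2 == NULL)
        return NULL;

    size_t len_s = wcslen(s);
    size_t len_a2 = wcslen(a2);

    /* Wide characters: size the buffer in elements, not bytes. */
    wchar_t *dest = malloc((len_s + 1) * sizeof *dest);
    if (dest == NULL)
        return NULL;
    wcscpy(dest, s);

    /* Empty key: nothing to subtract; return the plain copy rather than
     * looping forever as the original did. */
    if (len_a2 == 0)
        return dest;

    /* Apply the key cyclically: dest[i] -= a2[i % len_a2]. This is exactly
     * what the original nested while/for loop computed with v4 and i. */
    for (size_t pos = 0; pos < len_s; pos++)
        dest[pos] -= a2[pos % len_a2];

    return dest;
}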
重点是decrypt函数,其他可以不用管。
方法一: 动态调试
在decrypt函数下断点:
程序在断点处暂停后,按 n 单步执行直到 decrypt 返回;按 cdecl 约定返回值放在 eax 中,此时 eax 指向的就是解密后的 dest 缓冲区,也就是答案:
方法二:静态分析
先用脚本得到需要的数据:
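import idaapi


def read_dwords(addr, count):
    """Return `count` consecutive 4-byte values starting at `addr`.

    Both arrays below are wide strings: the script reads one dword per
    wchar_t (4 bytes each, hence the `addr + 4 * i` stride). `count` is the
    wcslen() of the array, so the terminating NUL dword is not read.
    """
    return [idaapi.get_dword(addr + 4 * i) for i in range(count)]


# Ciphertext `s` passed to decrypt(): 38 wide chars at 0x08048AA8.
S_ADDR, S_LEN = 0x08048AA8, 38
# Key `a2`: 5 wide chars at 0x08048A90. 0x08048A90 + 5 * 4 = 0x08048AA4,
# so the key and its NUL terminator sit immediately before `s`.
KEY_ADDR, KEY_LEN = 0x08048A90, 5

print(read_dwords(S_ADDR, S_LEN))
print(read_dwords(KEY_ADDR, KEY_LEN))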
然后编写代码得到flag:
# Values dumped with the IDAPython snippet above: 38 wide chars of
# ciphertext and the 5-char key, one integer per wchar_t.
s = [5178, 5174, 5175, 5179, 5248, 5242, 5233, 5240, 5219, 5222, 5235, 5223, 5218, 5221, 5235, 5216, 5227, 5233, 5240, 5226, 5235, 5232, 5220, 5240, 5230, 5232, 5232, 5220, 5232, 5220, 5230, 5243, 5238, 5240, 5226, 5235, 5243, 5248]
a2 = [5121, 5122, 5123, 5124, 5125]

# Mirror of decrypt(): the key is applied cyclically, so plaintext char i is
# s[i] - a2[i % len(a2)]. enumerate + modulo replaces the nested while/for
# bookkeeping of v4 and i in the C code.
key_len = len(a2)
flag = ''.join(chr(c - a2[i % key_len]) for i, c in enumerate(s))
print(flag)