Last September I spent some time working through reversing.kr to improve my reverse-engineering skills. Looking back at these notes today feels rewarding; I should keep solving challenges and writing up notes!
Easy Unpack
Flag: 00401150
By following the jmp loop again and again, execution eventually lands at this location. The leading bytes 55 8B are clearly a function prologue (push ebp; mov ebp, esp).
This locates the OEP: 00401150
Inspecting the stack shows that the code which jumps to the function head is as follows:
Replace
Flag: 2687109798
This challenge is quite interesting. At first I thought it could not be solved: the code jumps around so much that I assumed it would have to be patched. It turned out the jumping is just obfuscation. At the end, two calls write NOPs into two consecutive bytes at a chosen address, which is exactly enough to NOP out the jmp in front of the "Correct" path, so the key is computing the right offset. (Dynamic tracing makes it much easier to see what is going on.)
(input_num + 2 + 0x601605C7 + 3) & 0xffffffff == 0x401071
Position
Flag: bump
Locate the check function via the "Correct!" string. Analyzing it reveals many sums of bit pairs, which give:
bit_0_0 + bit_1_2 = 1
bit_0_3 + bit_1_3 = 0
bit_0_1 + bit_1_4 = 2
bit_0_2 + bit_1_0 = 1
bit_0_4 + bit_1_1 = 0
bit_2_0 + bit_3_2 = 1
bit_2_3 + bit_3_3 = 1
bit_2_1 + bit_3_4 = 1
bit_2_2 + bit_3_0 = 1
bit_2_4 + bit_3_1 = 0
Combined with the hint "Password is ***p", this yields the flag; there are multiple solutions. (4 bytes, a~z; it could be brute-forced programmatically.)
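The brute force suggested above, written here as an added example rather than code from the original write-up. It assumes that bit_i_j denotes bit j (0 = least significant) of the low five bits of the i-th input character, with 'a' = 1 through 'z' = 26; under that reading the flag "bump" satisfies every equation in the table.

```python
from itertools import product

# The constraint table transcribed from the write-up:
# ((char_index, bit), (char_index, bit), required_sum)
CONSTRAINTS = [
    ((0, 0), (1, 2), 1),
    ((0, 3), (1, 3), 0),
    ((0, 1), (1, 4), 2),
    ((0, 2), (1, 0), 1),
    ((0, 4), (1, 1), 0),
    ((2, 0), (3, 2), 1),
    ((2, 3), (3, 3), 1),
    ((2, 1), (3, 4), 1),
    ((2, 2), (3, 0), 1),
    ((2, 4), (3, 1), 0),
]

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def bit(ch, j):
    """Bit j of the letter's low five bits ('a' -> 1 ... 'z' -> 26).
    Assumption: this is what bit_i_j means in the constraint table."""
    return ((ord(ch) - ord("a") + 1) >> j) & 1


def satisfies(pw):
    """True if a 4-letter candidate meets every bit-sum constraint."""
    return all(bit(pw[i], a) + bit(pw[k], b) == s
               for (i, a), (k, b), s in CONSTRAINTS)


def solve(hint="***p"):
    """Enumerate all a-z passwords of length 4 matching the constraints and
    the hint, where '*' in the hint is a wildcard. The constraints only
    couple chars (0,1) and (2,3), so the search space is small enough to
    brute-force directly."""
    sols = []
    for combo in product(LETTERS, repeat=4):
        pw = "".join(combo)
        if all(h == "*" or h == c for h, c in zip(hint, pw)) and satisfies(pw):
            sols.append(pw)
    return sols


if __name__ == "__main__":
    for pw in solve():
        print(pw)
```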
Ransomware
Flag: Colle System
The binary is UPX-packed (UPX1 section), so first unpack it with the UPX tool.
# IDAPython script: overwrite the junk/obfuscation code with NOPs (0x90)
import ida_bytes

# First junk region
start = 0x4135E9
end = 0x44A775
for ea in range(start, end):
    ida_bytes.put_byte(ea, 0x90)

# Second junk region
start = 0x401006
end = 0x4135CE
for ea in range(start, end):
    ida_bytes.put_byte(ea, 0x90)

# Scan for 5-byte calls matching the pattern E8 ?? 6[678] FB FF
# (calls into the junk code) and replace each whole call with NOPs
start = 0x4135E9
end = 0x44A989
ea = start
while ea < end:
    if (ida_bytes.get_byte(ea) == 0xE8
            and ida_bytes.get_byte(ea + 2) in (0x66, 0x67, 0x68)
            and ida_bytes.get_byte(ea + 3) == 0xFB
            and ida_bytes.get_byte(ea + 4) == 0xFF):
        for i in range(5):
            ida_bytes.put_byte(ea + i, 0x90)
        ea += 5
    else:
        ea += 1
The file is first inverted byte by byte, then XORed with the input key in a loop.