梅津美治郎
拖进 IDA，分析 main 函数
strcpy(Str2, "r0b0RUlez!");
dword_40AD94 = (int)&v9;
dword_40ADA0 = (int)&v20;
dword_40AD8C = (char *)v18;
dword_40AD90 = (char *)v16;
dword_40AD98 = (int)v14;
lpProcName = (LPCSTR)v12;
lpModuleName = (LPCSTR)v13;
Buffer = (char *)v10;
sub_401500(0);
v3 = lpProcName;
v4 = GetModuleHandleA(lpModuleName);
v5 = (void (__stdcall *)(HMODULE, LPCSTR))GetProcAddress(v4, v3);
v5((HMODULE)1, (LPCSTR)sub_40157F);
puts(dword_40AD8C);
scanf("%20s", Str1);
if ( !strcmp(Str1, Str2) )
{
puts("You passed level1!");
sub_4015EA(0);
}
return 0;
}
最后一个 if 语句将 Str1 和 Str2 进行对比：Str1 是用户输入的字符串，Str2 是 r0b0RUlez!，可以得出 level1 的 password 是 r0b0RUlez!
拖进od调试
输入假码,在寄存器可以看到假码,F8单步走
数据窗口中跟随数值
得到 75 31 6E 6E 66 32 6C 67
根据函数sub_401547写脚本
/*
 * Decompiled comparison routine from the challenge binary.
 *
 * Walks a1 and a2 in lockstep, comparing each byte of a1 against the
 * matching byte of a2 XORed with 2.  The walk stops when the raw a2 byte
 * equals 2, i.e. the XOR-encoded form of a NUL terminator (0 ^ 2 == 2).
 *
 * Returns 0 when every byte matched up to that encoded terminator, and 1
 * at the first mismatch.  Only a2 carries the stop condition; a NUL in a1
 * can never equal (*a2 ^ 2) without *a2 being 2, so the loop still stops
 * at a1's own terminator via the mismatch path.
 */
int __cdecl sub_401547(_BYTE *a1, _BYTE *a2)
{
    _BYTE *p = a1;
    _BYTE *q = a2;

    for (; *q != 2; ++p, ++q) {
        if (*p != (*q ^ 2)) {
            return 1;   /* first differing byte: not the expected input */
        }
    }
    return 0;           /* reached the encoded terminator with no mismatch */
}
# Recover the second half of the flag: the bytes dumped from the debugger's
# data window are the expected input XOR-encoded with key 2 (see sub_401547,
# which compares each input byte against *a2 ^ 2), so decoding is a single XOR.
a = [0x75, 0x31, 0x6E, 0x6E, 0x66, 0x32, 0x6C, 0x67]
flag = ''.join(chr(byte ^ 2) for byte in a)
print(flag)
运行得到：
w3lld0ne
最终flag{r0b0RUlez!_w3lld0ne}