csaw2013reversing2
IDA analysis and a decryption script
Method 1: write a script that computes the flag
Look at the main function:
    hHeap = HeapCreate(0x40000u, 0, 0);
    lpMem = (CHAR *)HeapAlloc(hHeap, 8u, SourceSize + 1);
    memcpy_s(lpMem, SourceSize, &unk_409B10, SourceSize);
    // memcpy_s ("memory copy safe") is the bounds-checked memcpy:
    // memcpy_s(destination, destination capacity, source, bytes to copy)
    if ( !sub_40102A() && !IsDebuggerPresent() )
    {
      MessageBoxA(0, lpMem + 1, "Flag", 2u);
      // e.g. MessageBoxA(0, "my first C window program", "Message", 3);
      // arg 1: owner window handle (0 = none)
      // arg 2: message text
      // arg 3: title (caption)
      // arg 4: dialog box type (which buttons it has)
      HeapFree(hHeap, 0, lpMem);
      HeapDestroy(hHeap);
      ExitProcess(0);
    }
    __debugbreak();
    sub_401000(v3 + 4, lpMem);
    ExitProcess(0xFFFFFFFF);
Note the two paths. With no debugger attached (sub_40102A is another check alongside IsDebuggerPresent), MessageBoxA displays lpMem + 1 before anything has decrypted it, so the box shows ciphertext. The decryption routine sub_401000 only runs on the debugger path, after the __debugbreak (int3), and that path exits with -1 without ever displaying the buffer. So no single run of the untouched binary shows the flag: either you decrypt the bytes yourself (method 1), or you make the decryption run and then reach the MessageBoxA call (methods 2 and 3).
Look at sub_401000:
    v2 = dword_409B38;                                  // 4-byte XOR key
    v3 = a2 + 1 + strlen((const char *)(a2 + 1)) + 1;   // one past the NUL that ends the string at a2 + 1
    v4 = 0;
    result = ((v3 - (a2 + 2)) >> 2) + 1;                // number of dwords to process: (strlen >> 2) + 1
    if ( result )
    {
      do
        *(_DWORD *)(a2 + 4 * v4++) ^= v2;               // XOR the buffer dword by dword, starting at a2
      while ( v4 < result );
    }
    return result;
The routine is a single-dword repeating XOR over the buffer that MessageBoxA would display. Because it works on whole dwords, it also rewrites the bytes between the string's NUL terminator and the next dword boundary.
Finding v2: dword_409B38 sits in memory as the little-endian bytes BB AA CC DD (the dword 0xDDCCAABB). Since an XOR of aligned dwords is the same as XORing every byte with the key byte at the same position, you can use the four bytes in the order the hex dump shows them, without converting them to a dword first.
Write the script:
lpMen = [0xBB,0xCC,0xA0,0xBC,0xDC,0xD1,0xBE,0xB8,0xCD,0xCF,0xBE,0xAE,0xD2,0xC4,0xAB,0x82,
         0xD2,0xD9,0x93,0xB3,0xD4,0xDE,0x93,0xA9,0xD3,0xCB,0xB8,0x82,0xD3,0xCB,0xBE,0xB9,
         0x9A,0xD7,0xCC,0xDD,0x24,0x00,0x00,0x00,0xBB,0xAA,0xCC,0xDD,0x00,0x00,0x00,0x00]
v2 = [0xBB,0xAA,0xCC,0xDD]   # dword_409B38 in memory order (little-endian 0xDDCCAABB)
flag = []
for i in range(len(lpMen)):
    flag.append(chr(lpMen[i] ^ v2[i % 4]))
# lpMem[0] decrypts to a NUL and MessageBoxA is passed lpMem + 1,
# so take the C string that starts at index 1 and stop at the next NUL
print(''.join(flag)[1:].split('\0')[0])
flag{reversing_is_not_that_hard!}
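As an added example (not part of the original writeup), the script below emulates sub_401000 with the same semantics as the decompiled routine instead of a byte loop: it computes the dword count the same way the routine does, XORs whole little-endian dwords with dword_409B38, and then reads the C string at lpMem + 1 the way MessageBoxA would. It also confirms the little-endian shortcut used above (XOR byte i with key byte i mod 4) against the dword version, and shows that the routine touches 40 bytes, 3 past the string's terminator. The byte dump is the one from the writeup; the function and variable names are mine.

```python
import struct

# Copy of the 48 bytes the writeup dumped from unk_409B10. The last 8 bytes
# are dword_409B38 (the key) followed by a zero dword, so they sit right
# behind the ciphertext in the binary's data section.
ENC = bytes([
    0xBB, 0xCC, 0xA0, 0xBC, 0xDC, 0xD1, 0xBE, 0xB8, 0xCD, 0xCF, 0xBE, 0xAE,
    0xD2, 0xC4, 0xAB, 0x82, 0xD2, 0xD9, 0x93, 0xB3, 0xD4, 0xDE, 0x93, 0xA9,
    0xD3, 0xCB, 0xB8, 0x82, 0xD3, 0xCB, 0xBE, 0xB9, 0x9A, 0xD7, 0xCC, 0xDD,
    0x24, 0x00, 0x00, 0x00, 0xBB, 0xAA, 0xCC, 0xDD, 0x00, 0x00, 0x00, 0x00,
])
# dword_409B38 as stored in memory (little-endian 0xDDCCAABB).
KEY_BYTES = bytes([0xBB, 0xAA, 0xCC, 0xDD])


def c_strlen(buf, off):
    """strlen() on a byte buffer: distance from off to the first NUL."""
    return buf.index(0, off) - off


def sub_401000(buf, key):
    """Emulation of the decompiled routine; `buf` stands in for a2 (offset 0).

    Returns the dword count, as the original returns `result`.
    """
    a2 = 0
    v3 = a2 + 1 + c_strlen(buf, a2 + 1) + 1           # one past the terminating NUL
    result = ((v3 - (a2 + 2)) >> 2) + 1              # dwords covering a2 .. v3
    # The routine XORs whole dwords, so it may write up to 3 bytes beyond the
    # terminator. In the binary that memory exists (SourceSize + 1 from HeapAlloc);
    # here we refuse rather than silently index past the emulated buffer.
    if len(buf) < 4 * result:
        raise ValueError("buffer too short for %d dwords" % result)
    for v4 in range(result):
        off = a2 + 4 * v4
        (dw,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, dw ^ key)
    return result


def dword_decrypt(enc=ENC, key_bytes=KEY_BYTES):
    """Run sub_401000 over a copy of the ciphertext; returns (plaintext, dword count)."""
    buf = bytearray(enc)
    (key,) = struct.unpack("<I", key_bytes)           # 0xDDCCAABB
    n = sub_401000(buf, key)
    return bytes(buf), n


def bytewise_xor(enc, key_bytes, nbytes):
    """The writeup's shortcut: XOR byte i with key byte i % 4 (memory order)."""
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(enc[:nbytes]))


def recover_flag(enc=ENC, key_bytes=KEY_BYTES):
    """What MessageBoxA(0, lpMem + 1, ...) would show after decryption."""
    plain, _ = dword_decrypt(enc, key_bytes)
    return plain[1:].split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    plain, n = dword_decrypt()
    print("dwords processed:", n)
    print("flag:", recover_flag())
    # The two formulations agree on every byte the routine touches.
    print("bytewise == dword:", bytewise_xor(ENC, KEY_BYTES, 4 * n) == plain[:4 * n])
```

The dword count comes out as (36 >> 2) + 1 = 10 because strlen is taken over the ciphertext at lpMem + 1 (36 non-zero bytes before the first 0x00), not over the plaintext; the 8 trailing bytes of the dump (key and zero dword) are never XORed.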
OllyDbg debugging
Method 2: debug in OllyDbg (OD)
Set a breakpoint at the first instruction of IsDebuggerPresent().
A message box full of garbage appears around the int3; set a breakpoint there.
Set breakpoints at the two conditional jumps and step through with F8. The aim is the run the untouched binary never does on its own: step past the int3, let sub_401000 decrypt the buffer, then take the branch to the MessageBoxA call so the decrypted lpMem + 1 is displayed.
IDA analysis and patching the code
Method 3: patch the code in IDA: change jnz to jmp
Patch steps: Edit > Patch program > Assemble
Change the int3 to nop, otherwise the program breaks into the debugger.
Set the jmp's target to loc_4010B9, which is the block that displays lpMem.
Finally save with Edit > Patch program > Apply patches to input file.
Check the result by running the patched binary without a debugger: the "Flag" message box should now show the decrypted string instead of garbage.