运行程序
游戏玩法就是：出现 s、x、m 时分别要摁空格、x、m，通关后 flag 就会出现。
逆向分析
查看反编译函数
// Decompiled (IDA-style) entry point of the "TAP TAP REVOLUTION" game.
// Flow as visible here: banners, one training round per key via
// sub_401435, a set of play rounds via sub_401507, then an endless round
// loop in which every third round ("TURBO TIME") fills a 16-byte buffer
// (v26..v29) and hex-dumps it — the page treats that dump as the flag.
// sub_401A73 is called with printf-style format strings but no visible
// arguments; presumably a printf wrapper whose varargs the decompiler did
// not recover (note the dwMilliseconds stack slot written right before the
// "%02x" call) — TODO confirm in the disassembly.
// argc/argv/envp are never read. Returns 0 on every path.
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // edi — round counter; compared against 1337 near the end of the loop
unsigned int v4; // eax — srand() seed taken from _time64(0)
void (__stdcall *v5)(DWORD); // ebx — Sleep, called through a pointer in the TURBO branch
signed int v6; // esi — v6..v10: countdown counters for the newline/dot loops
signed int v7; // esi
signed int v8; // esi
signed int v9; // esi
signed int v10; // esi
signed int v11; // edi — TURBO TIME newline counter (0..19)
int v12; // esi — value from sub_40141D(), offset by 5514 / 5498 below
int *v13; // esi — byte cursor over the v26..v29 buffer for the hex dump
signed int v14; // ebx — hex-dump byte counter (16)
DWORD dwMilliseconds; // ST3C_4 — stack slot holding the byte passed to the "%02x" print
int v16; // esi — success counter for the first inner round loop (max 10)
int v17; // eax — rand() result, reduced mod 3 to pick a key
int v18; // esi — iteration counter for the second inner round loop (max 10)
int v19; // eax — rand() result for the second loop
char v20; // cl — loop-continue value copied from v25; the outer do/while tests it
int v21; // eax — key index 0..2; also sets the dot count (v21 + 3)
int v23; // [esp+10h] [ebp-20h] — saved round counter, reloaded into v3 each round
int v24; // [esp+14h] [ebp-1Ch] — set to 7630702 (0x746E6E); not read anywhere in this listing
char v25; // [esp+1Bh] [ebp-15h] — "still alive" flag; cleared when a sub_401507 round fails
int v26; // [esp+1Ch] [ebp-14h] — v26..v29 are one contiguous 16-byte buffer (ebp-14h..ebp-4h)
int v27; // [esp+22h] [ebp-Eh]
int v28; // [esp+26h] [ebp-Ah]
__int16 v29; // [esp+2Ah] [ebp-6h]
// Buffer starts as a single space (0x20) followed by zero bytes.
LOWORD(v26) = 32;
v24 = 7630702;
*(int *)((char *)&v26 + 2) = 0;
v27 = 0;
v28 = 0;
v29 = 0;
v3 = 0;
v23 = 0;
sub_401A73("\r\tZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\r\tZOMGZOMG ZOMGZOMG\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\r\tZOMGZOMG TAP TAP REVOLUTION!!!!!!! ZOMGZOMG\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\r\tZOMGZOMG ZOMGZOMG\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\r\tZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n\n\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\r\t R U READDY?!\n\n\n");
sub_401A73("\tkey is %s (%s)");
sub_401423();
sub_401A73("\rThe game is starting in...\n");
// Time-seeded PRNG: the key sequence below is not reproducible across runs.
v4 = _time64(0);
srand(v4);
sub_4012B2();
sub_4012D5(0xC8u);
// Training rounds: (value forwarded to sub_4012D5, expected key, dot count).
// 32 = ' ', 120 = 'x', 109 = 'm'. Any failure ends the program.
if ( !sub_401435(0x1F4u, 32, 10) )
return 0;
if ( !sub_401435(0x12Cu, 120, 8) )
return 0;
if ( !sub_401435(0x12Cu, 109, 5) )
return 0;
sub_401A73("key is %s (%s)");
sub_401A73("\rTRAINING COMPLETE! \n");
v5 = Sleep;
// 20 newlines, 200 ms apart (scrolls the screen).
v6 = 20;
do
{
Sleep(0xC8u);
sub_401A73("\n");
--v6;
}
while ( v6 );
sub_401A73("key is %s (%s)");
sub_401A73("\rNow you know everything you need to know");
// Four dots, 1 s apart.
v7 = 4;
do
{
sub_401A73(".");
Sleep(0x3E8u);
--v7;
}
while ( v7 );
sub_401A73("\n\n\nfor the rest of your life!\n");
v8 = 20;
do
{
Sleep(0xC8u);
sub_401A73("\n");
--v8;
}
while ( v8 );
sub_401A73("LETS PLAY !\n");
v9 = 20;
do
{
Sleep(0xC8u);
sub_401A73("\n");
--v9;
}
while ( v9 );
sub_4012B2();
sub_4012D5(0x64u);
// Fixed play rounds: (dot count, expected key, ms per dot).
if ( !sub_401507(5, 32, 0xC8u) )
return 0;
if ( !sub_401507(2, 120, 0xC8u) )
return 0;
if ( !sub_401507(1, 109, 0xC8u) )
return 0;
sub_401A73("key is %s (%s)");
sub_401423();
sub_401A73("\rooooh, you fancy!!!\n");
// Same three keys in a different order.
if ( !sub_401507(5, 109, 0xC8u) || !sub_401507(2, 120, 0xC8u) || !sub_401507(1, 32, 0xC8u) )
return 0;
sub_401A73("key is %s (%s)");
sub_401A73("\b\b");
sub_401A73("NIIICE JOB)!!!!\n");
v10 = 20;
do
{
Sleep(0x32u);
sub_401A73("\n");
--v10;
}
while ( v10 );
// Main round loop. Runs while v20 (copied from v25) stays non-zero, i.e.
// until a sub_401507 round fails. The goto-heavy shape below is decompiler
// output; the reading in the comments is a reconstruction.
v25 = 1;
do
{
// Every third round (v3 % 3 == 1): TURBO TIME.
if ( v3 % 3 == 1 )
{
sub_401A73("key is %s (%s)");
sub_401423();
sub_401A73("\rTURBO TIME! \n");
v11 = 0;
do
{
v5(0x32u);
sub_401A73("\n");
// On the last of the 20 newlines: fill the 16-byte buffer at &v26
// via sub_401D02 with a value derived from sub_40141D() and hex-dump it.
// Purpose of dword_41A1F8/dword_41A1FC and of sub_401AA5/sub_401CC9 is
// not visible here; the page treats the dump as the flag — TODO confirm.
if ( v11 == 19 )
{
v12 = sub_40141D();
sub_401D02(&v26, v12 - 5514);
dword_41A1F8 = (int)&v26;
dword_41A1FC = v12 - 5498;
sub_401AA5();
sub_401CC9();
sub_401A73("key is %s (%s)");
sub_401A73("\b\b");
v13 = &v26;
v14 = 16;
do
{
// Byte is staged in the dwMilliseconds stack slot before the "%02x" print.
dwMilliseconds = *(unsigned __int8 *)v13;
sub_401A73("%02x");
v13 = (int *)((char *)v13 + 1);
--v14;
}
while ( v14 );
sub_401A73(")\n\n");
v5 = Sleep;
}
++v11;
}
while ( v11 < 20 );
// Up to 10 one-dot rounds with a random key from byte_417B08[0..2]
// (per the page: 's', 'x', 'm' — not visible in this listing).
// A failure breaks out and clears v25; 10 successes skip the clear.
v16 = 0;
while ( 1 )
{
v17 = rand();
if ( !sub_401507(1, byte_417B08[v17 % 3], 0x64u) )
break;
if ( ++v16 >= 10 )
goto LABEL_33;
}
v25 = 0;
LABEL_33:
v3 = v23;
}
// Up to 10 rounds with a random key index v21; dot count is v21 + 3.
// When v25 is already 0 the loop only counts to 10 without playing.
v18 = 0;
while ( 1 )
{
v19 = rand();
v20 = v25;
v21 = v19 % 3;
if ( v25 )
break;
LABEL_38:
if ( ++v18 >= 10 )
goto LABEL_41;
}
if ( sub_401507(v21 + 3, byte_417B08[v21], 0x64u) )
{
v20 = v25;
goto LABEL_38;
}
// Round failed: stop after this iteration.
v20 = 0;
v25 = 0;
LABEL_41:
// Special case on round 1337; what sub_4012F6 does is not visible here.
if ( v3 == 1337 )
{
sub_4012F6();
v20 = v25;
}
v23 = ++v3;
}
while ( v20 );
return 0;
}
代码太长，没怎么看得懂，直接查看判断函数 sub_401435 和 sub_401507。
char __usercall sub_401435@<al>(DWORD a1@<edx>, int a2@<ecx>, int a3)
{
    /*
     * One training round (decompiled): show the instruction for key a2,
     * forward a1 to sub_4012D5, print a3 dots 200 ms apart, then wait for
     * the key via sub_401260 with a fixed window of 100000.
     * Returns 1 when sub_401260 reports success, 0 after printing the
     * failure banner. sub_401A73 is handed printf-style formats ("%c",
     * "%s") with no visible arguments; presumably a printf wrapper whose
     * varargs were not recovered — TODO confirm.
     */
    DWORD forwarded = a1;
    int expected_key = a2;

    sub_401A73("key is %s (%s)");
    sub_401423();
    sub_401A73("\rZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n");

    /* 32 is ' ': the space bar gets its own wording. */
    if ( expected_key != 32 ) {
        sub_401A73("\nWhen you see an '%c', press the '%c' key\n\n");
    } else {
        sub_401A73("\nWhen you see an 's', press the space bar\n\n");
    }

    sub_401A73("key is %s (%s)");
    sub_401423();
    sub_401A73("\rZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMGZOMGZOMGOZMG\n");
    sub_4012D5(forwarded);

    /* Countdown dots; a3 <= 0 prints none. */
    for ( int dots_left = a3; dots_left > 0; --dots_left ) {
        sub_401A73(".");
        Sleep(0xC8u);
    }

    if ( (unsigned __int8)sub_401260(expected_key, 100000) ) {
        return 1;
    }

    sub_401A73("key is %s (%s)\r");
    sub_401423();
    sub_401A73("\rUDDER FAILURE! http://imgur.com/4Ajx21P \n");
    return 0;
}
char __usercall sub_401507@<al>(int a1@<edx>, int a2@<ecx>, DWORD dwMilliseconds)
{
    /*
     * One play round (decompiled): clear the line, print a1 dots with a
     * dwMilliseconds pause after each, then wait for key a2 via sub_401260
     * with a window of 500 * dwMilliseconds.
     * Returns 1 when sub_401260 reports success, 0 after printing the
     * failure banner. "key is %s (%s)" goes to sub_401A73 with no visible
     * arguments; presumably a printf wrapper — TODO confirm.
     */
    int dots_left = a1;
    int expected_key = a2;

    sub_401A73("key is %s (%s)");
    sub_401423();
    sub_401A73("\r \r");

    /* a1 <= 0 prints no dots. */
    while ( dots_left > 0 ) {
        sub_401A73(".");
        Sleep(dwMilliseconds);
        --dots_left;
    }

    if ( (unsigned __int8)sub_401260(expected_key, 500 * dwMilliseconds) ) {
        return 1;
    }

    sub_401A73("key is %s (%s)\r");
    sub_401A73("UDDER FAILURE! http://imgur.com/4Ajx21P \n");
    return 0;
}
进去发现两个提示失败的字符串
\rUDDER FAILURE! http://imgur.com/4Ajx21P \n
UDDER FAILURE! http://imgur.com/4Ajx21P \n
用 x32dbg 打开，搜索字符串 UDDER FAILURE! http://imgur.com/4Ajx21P \n
观察到字符串上方有个跳转，但没有执行。
修改程序让该跳转执行，从而跳过失败字符串。
第二个字符串处也同样修改
执行程序得到flag