Goal: make the exe print "login success" no matter what is entered.
What you will learn: the basic operations for modifying an exe in IDA. Aimed at beginners.
Author: hans774882968
Experiment 1
Compile the following code:
#include <bits/stdc++.h>
using namespace std;
const int N = 505;

// Variadic debug printer; not used by the login logic.
void dbg() {
    puts ("");
}
template<typename T, typename... R>void dbg (const T &f, const R &... r) {
    cout << f << " ";
    dbg (r...);
}

int main (int argc, char const *argv[]) {
    string uname, pwd;
    cout << "input username: ";
    cin >> uname;
    // First check: username must equal the hard-coded value.
    if (uname != "admin") {
        puts ("login failed!");
        return 0;
    }
    cout << "input password: ";
    cin >> pwd;
    // Second check: password must equal the hard-coded value.
    if (pwd != "114514") {
        puts ("login failed!");
        return 0;
    }
    puts ("login success!");
    return 0;
}
Opening the exe in IDA, the following two instructions turn out to be the key:
jz short loc_40149D
jz short loc_4014F0
If the jump is taken, the check passes; otherwise it fails. So use IDA's Patch program --> Assemble to change both of them into jmp:
jmp short loc_40149D
jmp short loc_4014F0
Now press F5 again: the code still decompiles correctly, and it has become exactly what we want.
Then use IDA's Patch program --> Apply patches to input file to save a new exe. Experiment successful!
Variant of Experiment 1
Rewrite the code so that it is logically equivalent:
#include <bits/stdc++.h>
using namespace std;
const int N = 505;

// Variadic debug printer; not used by the login logic.
void dbg() {
    puts ("");
}
template<typename T, typename... R>void dbg (const T &f, const R &... r) {
    cout << f << " ";
    dbg (r...);
}

int main (int argc, char const *argv[]) {
    string uname, pwd;
    cout << "input username: ";
    cin >> uname;
    // Same checks as before, but now the equality tests guard the success path.
    if (uname == "admin") {
        cout << "input password: ";
        cin >> pwd;
        if (pwd == "114514") {
            puts ("login success!");
            return 0;
        }
        puts ("login failed!");
        return 0;
    }
    puts ("login failed!");
    return 0;
}
Open the exe in IDA and find the two jz instructions.
This time, unlike Experiment 1, we do not want the jumps to be taken, so replace both jz instructions with nop. A short jz instruction occupies 2 bytes, so each one must be filled with 2 nop bytes.
After filling them in, press F5:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [sp+10h] [bp-34h]@1
  char v5; // [sp+28h] [bp-1Ch]@1
  __main();
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v5);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v4);
  std::operator<<<std::char_traits<char>>(&std::cout, "input username: ");
  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &v5);
  std::operator==<char,std::char_traits<char>,std::allocator<char>>(&v5, "admin");
  std::operator<<<std::char_traits<char>>(&std::cout, "input password: ");
  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &v4);
  std::operator==<char,std::char_traits<char>,std::allocator<char>>(&v4, "114514");
  puts("login success!");
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v4);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v5);
  return 0;
}
The experiment succeeded again!
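Both experiments change only a byte or two in the code section, which is exactly what makes such patches easy to spot from the other side. As an added example that is not part of the original post, the Python script below takes a known-good copy of a code fragment and a candidate copy, confirms or rejects it by SHA-256, and on mismatch lists every changed offset and labels the two patch shapes used above: jz short (0x74 rel8) rewritten to jmp short (0xEB rel8), and jz short overwritten with two nop (0x90) bytes. The byte sequences ORIGINAL, PATCHED_JMP and PATCHED_NOP are constructed for illustration and are not taken from the post's exe.

```python
import hashlib

# x86 one-byte opcodes discussed in the post; a short jump is <opcode><rel8>.
JZ_SHORT = 0x74   # jz short
JMP_SHORT = 0xEB  # jmp short
NOP = 0x90        # nop

# Constructed sample fragment with two "test eax,eax; jz short ..." checks.
# These bytes are made up for illustration, not taken from the post's exe.
ORIGINAL = bytes.fromhex("85c0 741a 90 85c0 742b c3")
PATCHED_JMP = bytes.fromhex("85c0 eb1a 90 85c0 eb2b c3")   # Experiment 1 style
PATCHED_NOP = bytes.fromhex("85c0 9090 90 85c0 9090 c3")   # variant style


def sha256_hex(data: bytes) -> str:
    """Digest used as the known-good baseline for the integrity check."""
    return hashlib.sha256(data).hexdigest()


def diff_bytes(original: bytes, patched: bytes):
    """Return (offset, old_byte, new_byte) for every byte that differs."""
    if len(original) != len(patched):
        raise ValueError("in-place patches keep the file size; lengths differ")
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]


def classify_patches(original: bytes, patched: bytes):
    """Label each changed region as one of the patch shapes from the post,
    or as an unknown change. Returns a list of (offset, label)."""
    findings = []
    diffs = diff_bytes(original, patched)
    i = 0
    while i < len(diffs):
        off, old, new = diffs[i]
        if old == JZ_SHORT and new == JMP_SHORT:
            # Opcode byte swapped, rel8 displacement untouched: branch forced.
            findings.append((off, "jz->jmp"))
        elif old == JZ_SHORT and new == NOP and patched[off + 1:off + 2] == bytes([NOP]):
            # Both bytes of the short jump overwritten: branch removed.
            findings.append((off, "jz->nop nop"))
            # The rel8 byte normally appears as its own diff entry; consume it.
            if i + 1 < len(diffs) and diffs[i + 1][0] == off + 1:
                i += 1
        else:
            findings.append((off, f"unknown {old:02x}->{new:02x}"))
        i += 1
    return findings


def integrity_report(original: bytes, candidate: bytes) -> dict:
    """Hash check first; only on a mismatch explain where the bytes changed."""
    if sha256_hex(original) == sha256_hex(candidate):
        return {"intact": True, "patches": []}
    return {"intact": False, "patches": classify_patches(original, candidate)}


if __name__ == "__main__":
    for name, sample in (("jmp patch", PATCHED_JMP), ("nop patch", PATCHED_NOP)):
        print(name, integrity_report(ORIGINAL, sample))
```

The hash comparison is the cheap, decisive test; the byte-level classification is only there to explain a mismatch. In practice the known-good baseline would come from a signed release or a build you control, and a whole-file hash catches any patch regardless of which instruction was edited, including changes this classifier reports as unknown.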