Attack-Defense crackme (manually unpacking nspack)
Load it into Exeinfo PE to identify the packer: it is nspack.
Try to unpack it by hand.
Drag it into OllyDbg.
Set a hardware breakpoint (ESP trick).
After pushfd and pushad have executed, set a hardware breakpoint on the address ESP now points to.
Press F9 to run until the breakpoint hits after popfd; the target of the following jmp is the OEP.
Dump: dump the process with the OllyDump plugin.
Fix the IAT.
fixdump: repair the IAT (applied to the file dumped in the previous step).
This finally produces crackme_dump_scy.exe, which is the unpacked file:
Drag it into IDA.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // eax
  char Buffer[52]; // [esp+4h] [ebp-38h] BYREF

  memset(Buffer, 0, 50);
  printf("Please Input Flag:");
  gets_s(Buffer, 44u);
  if ( strlen(Buffer) == 42 )
  {
    v4 = 0;
    while ( (Buffer[v4] ^ byte_402130[v4 % 16]) == dword_402150[v4] )
    {
      if ( ++v4 >= 42 )
      {
        printf("right!\n");
        return 0;
      }
    }
    printf("error!\n");
    return 0;
  }
  else
  {
    printf("error!\n");
    return -1;
  }
}
It is a simple XOR: each input byte is XORed with the 16-byte key at byte_402130 (the string "this_is_not_flag") and compared against the expected value in dword_402150.
Decryption script:
#include <stdio.h>

int main()
{
    /* Low bytes of the dword_402150 table; only the first 42 entries are compared by the binary. */
    char d[] = {0x12,0x4,0x8,0x14,0x24,0x5c,0x4a,0x3d,0x56,0xa,0x10,0x67,0x00,0x41,0x00,0x1,0x46,0x5a,0x44,0x42,0x6e,0xc,0x44,0x72,0x0c,0x0d,0x40,0x3E,0x4B, 0x5F, 0x2, 0x1, 0x4C, 0x5E, 0x5B, 0x17, 0x6E, 0x0C ,0x16,0x68,0x5b,0x12,0x02,0x48,0x0e};
    /* 42 flag bytes plus the terminating NUL (the original flag[20] overflowed the buffer). */
    char flag[43] = {0};
    /* The 16-byte key from byte_402130. */
    char b[] = "this_is_not_flag";
    int i;

    /* XOR is its own inverse, so applying the key to the expected bytes recovers the input. */
    for(i=0;i<42;i++)
    {
        flag[i] = d[i] ^ b[i%16];
    }
    printf("%s\n",flag);
    return 0;
}
flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}
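To make the relationship between the check and the decryption script explicit, here is an added example (not code from the write-up or from the challenge binary) that reimplements the decompiled comparison loop as check_flag(), derives the accepted input from the same key and table with recover_flag(), and confirms that the recovered string passes the check. It assumes the key "this_is_not_flag" and the first 42 bytes of the table exactly as the write-up gives them; the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Key found at byte_402130 in the unpacked binary (16 bytes, no NUL needed). */
static const unsigned char KEY[16] = "this_is_not_flag";

/* Low bytes of the first 42 entries of dword_402150, as listed in the write-up. */
static const unsigned char TARGET[42] = {
    0x12,0x04,0x08,0x14,0x24,0x5c,0x4a,0x3d,0x56,0x0a,0x10,0x67,0x00,0x41,
    0x00,0x01,0x46,0x5a,0x44,0x42,0x6e,0x0c,0x44,0x72,0x0c,0x0d,0x40,0x3e,
    0x4b,0x5f,0x02,0x01,0x4c,0x5e,0x5b,0x17,0x6e,0x0c,0x16,0x68,0x5b,0x12
};

/* Mirrors the decompiled main(): length must be 42 and every byte,
 * XORed with the repeating key, must equal the table entry.
 * Returns 1 for "right!", 0 for "error!". */
int check_flag(const char *input)
{
    if (strlen(input) != 42)
        return 0;
    for (int i = 0; i < 42; i++) {
        if ((unsigned char)(input[i] ^ KEY[i % 16]) != TARGET[i])
            return 0;
    }
    return 1;
}

/* Inverts the check: because x ^ k ^ k == x, XORing the expected bytes
 * with the same key yields the one input the binary accepts.
 * Returns a pointer to a static NUL-terminated buffer. */
const char *recover_flag(void)
{
    static char flag[43];
    for (int i = 0; i < 42; i++)
        flag[i] = (char)(TARGET[i] ^ KEY[i % 16]);
    flag[42] = '\0';
    return flag;
}

int main(void)
{
    const char *flag = recover_flag();
    printf("recovered: %s\n", flag);
    printf("check_flag(recovered) = %d\n", check_flag(flag));
    printf("check_flag(\"flag{wrong}\") = %d\n", check_flag("flag{wrong}"));
    return 0;
}
```

The point of pairing the two functions is that a static comparison against a fixed key and table is fully invertible from the data alone: once the key and table are read out of the unpacked image, no brute force is needed.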