32 位程序，带 UPX 壳
先脱壳再分析
字符串窗口里没有什么有用的线索
直接查看 main 函数
int main_0()
{
  HANDLE sleeperThread; // [esp+D0h] [ebp-14h]
  HANDLE workerThread;  // [esp+DCh] [ebp-8h]

  sub_4110FF();
  // Unnamed, initially unowned mutex that both worker threads serialise on.
  // It is stored in the global ::hObject; the local of the same name below
  // is only a decompiler artefact for the first thread handle.
  ::hObject = CreateMutexW(0, 0, 0);
  // Keep an untouched copy of Source in Dest before the threads start
  // rewriting Source in place (Source is presumably the user input, read by
  // sub_4110FF, which is not shown here).
  j_strcpy(Dest, Source);
  // Thread A (StartAddress) performs the character substitution, thread B
  // (sub_41119F) only sleeps and consumes an index.
  workerThread = CreateThread(0, 0, StartAddress, 0, 0, 0);
  sleeperThread = CreateThread(0, 0, sub_41119F, 0, 0, 0);
  // The thread handles are dropped immediately; completion is detected by
  // spinning on the shared counter instead of joining.
  CloseHandle(workerThread);
  CloseHandle(sleeperThread);
  // Busy-wait until the two threads have driven the shared index to -1.
  while ( dword_418008 != -1 )
    ;
  sub_411190();
  CloseHandle(::hObject);
  return 0;
}
CreateThread() 是新东西，用来创建新线程并在其中执行指定函数。值得注意的是这里调用了两次 CreateThread，创建线程 A、B，两个线程都通过同一个互斥体串行。从实际运行结果看，A 执行一轮后轮到 B，B 执行一轮后再轮到 A，如此交替；不过互斥体本身并不保证严格轮流，这一假设只是靠下面的解密脚本能还原出 flag 这一结果来验证的。
先看第一个线程
void __stdcall StartAddress_0(int a1)
{
  for ( ;; )
  {
    // Take the global mutex so only one of the two threads touches the
    // shared index / Source at a time.
    WaitForSingleObject(hObject, 0xFFFFFFFF);
    // dword_418008 is the shared index (initial value 29 per the writeup);
    // both threads decrement it, so this thread only sees every other index.
    if ( dword_418008 > -1 )
    {
      // Substitute Source[dword_418008] in place (sub_41112C, shown
      // decompiled as sub_411940 further down), then yield the next index.
      sub_41112C(Source, dword_418008);
      dword_418008--;
      Sleep(100u);
    }
    ReleaseMutex(hObject);
  }
}
跟进 sub_41112C（反编译后显示为 sub_411940）
F5 时提示堆栈指针不平衡，函数打不开
在反汇编窗口打开 Options -> General，勾选 Stack pointer 把栈指针显示出来
选中报错位置上方的那条指令（也就是 411A03），按下 Alt+K 把栈指针改为 0x0
然后函数就可以正常反编译了
char *__cdecl sub_411940(int a1, int a2)
{
  char *result; // eax
  char ch;      // [esp+D3h] [ebp-5h]

  ch = *(a2 + a1);
  // Anything that is not an ASCII letter aborts the whole process.
  if ( (ch < 'a' || ch > 'z') && (ch < 'A' || ch > 'Z') )
    exit(0);
  // Both branches return the table pointer; only the index differs.
  result = off_418000[0];
  if ( ch >= 'a' && ch <= 'z' )
  {
    // lowercase: table index 1..26
    *(a2 + a1) = off_418000[0][*(a2 + a1) - 96];
  }
  else
  {
    // uppercase: table index 27..52 — 'Z' gives 52, one past the end of
    // the 52-character table quoted below, i.e. its terminator.
    *(a2 + a1) = off_418000[0][*(a2 + a1) - 38];
  }
  return result;
}
//off_418000='QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'
也就是逐字符查表替换：先检查是否为 ASCII 字母，不是就直接 exit(0)；大写字母 c 替换为 off_418000[c - 38]（下标 27..52，注意 'Z' 对应下标 52，刚好落在这 52 个字符的表之外），小写字母 c 替换为 off_418000[c - 96]（下标 1..26）。
第二个线程不做替换：拿到互斥体后只睡 100ms 并把下标减一，相当于"摆烂"。
void __stdcall sub_411B10(int a1)
{
  for ( ;; )
  {
    WaitForSingleObject(hObject, 0xFFFFFFFF);
    // This thread never touches Source. While the shared index is still
    // non-negative it only pauses and consumes one index, which is why the
    // substituting thread ends up skipping every other position.
    if ( dword_418008 > -1 )
    {
      Sleep(100u);
      dword_418008--;
    }
    ReleaseMutex(hObject);
  }
}
下标从 29 开始：线程 A 处理 29，线程 B 在 28 上只睡觉并减一，接着 A 处理 27……以此类推，因此只有奇数下标的字符被替换，偶数下标保持原样，解密时只需对奇数下标做逆映射。另外线程 A 第一次处理的是 Source[29]，该位置不是字母会直接 exit(0)，所以输入至少要 30 个字符；而最后的比较只检查前 29 位，这也是第 30 位需要手动枚举的原因。
跑!
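off_418000 = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm"
off_418004 = "TOiZiZtOrYaToUwPnToBsOaOapsyS"


def decrypt(cipher, table=off_418000):
    """Invert the per-character substitution performed by sub_411940.

    The substituting thread only ever sees odd indexes (it starts at 29 and
    the sibling thread consumes every other index), so even positions are
    copied through unchanged. For an odd position the binary replaced a
    lowercase letter c with table[ord(c) - 96] (indexes 1..26) and an
    uppercase letter with table[ord(c) - 38] (indexes 27..51), so the table
    index alone tells which range the plaintext came from. The original
    script keyed this on str.isupper() instead, which mislabels index 26
    ('q', produced by plaintext 'z') as coming from an uppercase letter and
    silently turned unknown characters (find() == -1) into '_'.

    Args:
        cipher: the ciphertext, as read from off_418004.
        table: the substitution alphabet at off_418000.

    Returns:
        The recovered plaintext.

    Raises:
        ValueError: an odd-position character is not in table or maps
            outside the letter ranges sub_411940 could have produced.
    """
    plain = []
    for i, c in enumerate(cipher):
        if i % 2 == 0:
            # even index: never touched by the substituting thread
            plain.append(c)
            continue
        k = table.find(c)
        if 1 <= k <= 26:
            plain.append(chr(k + 96))   # came from a-z
        elif 27 <= k <= 51:
            plain.append(chr(k + 38))   # came from A-Y
        else:
            raise ValueError("unexpected ciphertext byte %r at index %d" % (c, i))
    return "".join(plain)


flag = decrypt(off_418004)
print(flag)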
最后的 sub_411880() 只逐字节比较前 29 位（Source[0..28] 与 off_418004），第 30 位不参与比较，手动枚举得到 E。
int sub_411880()
{
  int idx; // [esp+D0h] [ebp-8h]

  // Byte-wise compare of the transformed input against the expected
  // ciphertext. Only Source[0..28] is checked, so a 30th input character is
  // never validated here. The loop exits on the first mismatch (not constant
  // time), which under a debugger makes position-by-position recovery easy.
  idx = 0;
  while ( idx < 29 )
  {
    if ( Source[idx] != off_418004[idx] )
      exit(0);
    ++idx;
  }
  // Dest is the copy taken before the threads ran, so the flag is printed
  // from the untransformed input rather than from Source.
  return printf("\nflag{%s}\n\n", Dest);
}
flag{ThisisthreadofwindowshahaIsESE}
关于修改栈指针这一步意外地研究了好久，后来翻到一篇大佬的文章才解决