IDA could not decompile the judge function. Looking more closely, the function is evidently decrypted right before judge is executed; this turned out to be SMC (Self-Modifying Code, self-decrypting code).
So the fix is to use an IDAPython script to patch this region of judge automatically, then decompile it to recover the source.
Note that the IDA 7.5 scripting API changed somewhat; see the official porting guide:
https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
import sys
from idautils import *
from ida_bytes import *
from idaapi import *
from idc import *

if __name__ == "__main__":
    start_addr = 0x600B00        # start of the encrypted judge function
    for i in range(182):         # 182 bytes, each XORed with the key 0xC
        patch_byte(start_addr + i, get_wide_byte(start_addr + i) ^ 0xC)
After running the script, right-click in the disassembly window and choose "Create function", then press F5 to decompile.
Reversing judge gives the flag: it is simply 14 values XORed with their index.
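The same decryption can also be applied to the binary on disk, so the decrypted judge function loads directly in IDA (or any other disassembler) without an in-session patch script. The following is an added example, not part of the original writeup: it maps the virtual address to a file offset via the ELF64 program headers and XORs the region with the key. The virtual address 0x600B00, length 182 and key 0xC come from the writeup; the sample ELF built by build_sample_elf() is constructed here for offline testing and is not the challenge binary. It assumes a 64-bit little-endian ELF whose encrypted region is file-backed by a PT_LOAD segment.

```python
import struct

# Added example (not the writeup's own script): undo the XOR-0xC SMC layer on
# the ELF file itself instead of patching live in IDA.
# Assumptions: 64-bit little-endian ELF; the encrypted region lies inside the
# file-backed part of a PT_LOAD segment; address/length/key as in the writeup.

PT_LOAD = 1

def va_to_file_offset(elf: bytes, va: int) -> int:
    """Map a virtual address to a file offset using the ELF64 program headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        hdr = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = hdr
        # Only file-backed bytes (p_filesz, not p_memsz) can be patched on disk.
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    raise ValueError(f"va {va:#x} is not file-backed by any PT_LOAD segment")

def xor_patch(data: bytes, offset: int, length: int, key: int) -> bytes:
    """Return a copy of data with `length` bytes at `offset` XORed with `key`."""
    if offset < 0 or offset + length > len(data):
        raise ValueError("patch range outside the file")
    buf = bytearray(data)
    for i in range(offset, offset + length):
        buf[i] ^= key
    return bytes(buf)

def decrypt_smc_region(elf: bytes, va: int, length: int, key: int) -> bytes:
    """Apply the SMC decryption to the on-disk image (same XOR as the IDA script)."""
    return xor_patch(elf, va_to_file_offset(elf, va), length, key)

# --- constructed sample ELF for offline testing (not the challenge binary) ---
SAMPLE_VA = 0x600B00      # values taken from the writeup
SAMPLE_LEN = 182
SAMPLE_KEY = 0xC
SEG_VADDR = 0x600000      # constructed segment layout
SEG_FILEOFF = 0x100

def sample_plaintext() -> bytes:
    # Stand-in for the decrypted function bytes; a real binary has x86 code here.
    return bytes(range(SAMPLE_LEN))

def build_sample_elf() -> bytes:
    """Minimal ELF64 with one PT_LOAD segment holding the XOR-encrypted region."""
    payload = bytearray(SAMPLE_VA - SEG_VADDR + SAMPLE_LEN)
    enc = bytes(b ^ SAMPLE_KEY for b in sample_plaintext())
    payload[SAMPLE_VA - SEG_VADDR:] = enc
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, SEG_FILEOFF, SEG_VADDR, SEG_VADDR,
                       len(payload), len(payload), 0x1000)
    img = ehdr + phdr
    return img + bytes(SEG_FILEOFF - len(img)) + bytes(payload)

if __name__ == "__main__":
    elf = build_sample_elf()
    fixed = decrypt_smc_region(elf, SAMPLE_VA, SAMPLE_LEN, SAMPLE_KEY)
    off = va_to_file_offset(elf, SAMPLE_VA)
    print(hex(off), fixed[off:off + SAMPLE_LEN] == sample_plaintext())
```

Because XOR is its own inverse, running decrypt_smc_region a second time restores the original file, which is a cheap sanity check that the patch touched exactly the intended range. For a real binary, replace build_sample_elf() with the file's bytes read from disk and write the returned image to a new file rather than overwriting the sample.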
flag = ''
# the 14 bytes compared by judge; each is XORed with its index to recover the flag
v = [0x66, 0x6D, 0x63, 0x64, 0x7F, 0x6B, 0x37, 0x64, 0x3B, 0x56, 0x60, 0x3B, 0x6E, 0x70]
for i in range(len(v)):
    flag += chr(i ^ v[i])
print(flag)
flag{n1c3_j0b}