测试文件:https://www.lanzous.com/ib515vi
脱壳
获取到信息
- 32位文件
- upx加密
代码分析
1 int __cdecl main(int argc, const char **argv, const char **envp)
2 {
3 char v4; // [esp+12h] [ebp-2Eh]
4 char v5; // [esp+13h] [ebp-2Dh]
5 char v6; // [esp+14h] [ebp-2Ch]
6 char v7; // [esp+15h] [ebp-2Bh]
7 char v8; // [esp+16h] [ebp-2Ah]
8 char v9; // [esp+17h] [ebp-29h]
9 char v10; // [esp+18h] [ebp-28h]
10 char v11; // [esp+19h] [ebp-27h]
11 char v12; // [esp+1Ah] [ebp-26h]
12 char v13; // [esp+1Bh] [ebp-25h]
13 char v14; // [esp+1Ch] [ebp-24h]
14 char v15; // [esp+1Dh] [ebp-23h]
15 int v16; // [esp+1Eh] [ebp-22h]
16 int v17; // [esp+22h] [ebp-1Eh]
17 int v18; // [esp+26h] [ebp-1Ah]
18 __int16 v19; // [esp+2Ah] [ebp-16h]
19 char v20; // [esp+2Ch] [ebp-14h]
20 char v21; // [esp+2Dh] [ebp-13h]
21 char v22; // [esp+2Eh] [ebp-12h]
22 int v23; // [esp+2Fh] [ebp-11h]
23 int v24; // [esp+33h] [ebp-Dh]
24 int v25; // [esp+37h] [ebp-9h]
25 char v26; // [esp+3Bh] [ebp-5h]
26 int i; // [esp+3Ch] [ebp-4h]
27
28 __main();
29 v4 = 42;
30 v5 = 70;
31 v6 = 39;
32 v7 = 34;
33 v8 = 78;
34 v9 = 44;
35 v10 = 34;
36 v11 = 40;
37 v12 = 73;
38 v13 = 63;
39 v14 = 43;
40 v15 = 64;
41 printf("Please input:");
42 scanf("%s", &v19);
43 if ( (_BYTE)v19 != 65 || HIBYTE(v19) != 67 || v20 != 84 || v21 != 70 || v22 != 123 || v26 != 125 )
44 return 0;
45 v16 = v23;
46 v17 = v24;
47 v18 = v25;
48 for ( i = 0; i <= 11; ++i )
49 {
50 if ( *(&v4 + i) != _data_start__[*((char *)&v16 + i) - 1] )
51 return 0;
52 }
53 printf("You are correct!");
54 return 0;
55 }
着眼观察for循环就行,从for循环了解到flag长度应该是12,将flag的ASCII值作为下标取值,与v4数组比较。很简单,只需要利用v4数组在_data_start__中找位置,就是我们flag的值
脚本
# -*- coding:utf-8 -*-
v4 = [42,70,39,34,78,44,34,40,73,63,43,64]
model = r"}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(" + chr(0x27) + r'&%$# !"'
pos = []
for i in v4:
pos.append(model.find(chr(i))+1)
s = [chr(x + 1) for x in pos]
flag = ''.join(s)
print ('flag{'+flag+'}')
get flag!
flag{U9X_1S_W6@T?}