签到题(easyre)
1、使用ExeinfoPe工具查看一下easyre.exe的详细信息,可以看到这个程序加了一个.aspack类型的壳;
2、使用Unpacker_ASPack工具进行自动脱壳,点击Dump,进行脱壳,并另存为;
3、使用较新版本的IDA打开,按F5进行反编译,找到main()函数后,对代码进行分析;
4、这个Destination就是我们需要的,而代码中只有这个函数sub_401771(Destination)用到了,点击函数查看代码
5、这个Str就是我们需要的,sub_401619(Str, v3)函数中调用了Str,查看函数代码,发现代码中并未使用Str,所以我们可以不用管它
6、从下面代码可知byte_492A60[j]=v2[j],而v2[j]这个数组代码中已经给出来了,所以我们现在需要求出dword_492940[i]这个数组,查看这前面这几个函数代码
7、根据上述代码写脚本计算出Str,并转换成字符,就得到了flag。其中反编译过来的代码有LOBYTE(dword_492940[i]),LOBYTE()是取第一字节,我们可以异或0xff代替。
#include<stdio.h>
#include<string.h>
#include<malloc.h>
#include<iostream>
using namespace std;
int dword_492040[256];
size_t byte_492440[1280];
int dword_492940[72];
int sub_401500()
{
int result; // eax
int i; // [esp+Ch] [ebp-4h]
for ( i = 0; i <= 255; ++i )
{
result = i;
dword_492040[i] = i;
}
return result;
}
size_t sub_40152B()
{
size_t result; // eax
char Str[8]; // [esp+14h] [ebp-24h] BYREF
int v2; // [esp+1Ch] [ebp-1Ch]
int v3; // [esp+20h] [ebp-18h]
int v4; // [esp+24h] [ebp-14h]
int v5; // [esp+28h] [ebp-10h]
int i; // [esp+2Ch] [ebp-Ch]
strcpy(Str, "123456");
Str[7] = 0;
v2 = 0;
v3 = 0;
v4 = 0;
result = strlen(Str);
v5 = result;
for ( i = 0; i <= 255; ++i )
{
result = (unsigned __int8)Str[i % v5];
byte_492440[i] = result;
}
return result;
}
int sub_401593()
{
int result; // eax
int v1; // [esp+4h] [ebp-Ch]
int i; // [esp+8h] [ebp-8h]
int v3; // [esp+Ch] [ebp-4h]
v3 = 0;
for ( i = 0; i <= 255; ++i )
{
v3 = ((char)byte_492440[i] + v3 + dword_492040[i]) % 256;
v1 = dword_492040[i];
dword_492040[i] = dword_492040[v3];
result = v3;
dword_492040[v3] = v1;
}
return result;
}
bool __cdecl sub_401619(int a2)
{
int v2; // eax
bool result; // al
int v4; // [esp+10h] [ebp-10h]
int v5; // [esp+14h] [ebp-Ch]
int v6; // [esp+18h] [ebp-8h]
int i; // [esp+1Ch] [ebp-4h]
v5 = 0;
v6 = 0;
for ( i = 0; ; dword_492940[v5++] = dword_492040[(dword_492040[v6] + dword_492040[i]) % 256] )
{
v2 = a2--;
result = v2 != 0;
if ( !result )
break;
i = (i + 1) % 256;
v6 = (v6 + dword_492040[i]) % 256;
v4 = dword_492040[i] + 66;
dword_492040[i] = dword_492040[v6] - 33;
dword_492040[i] ^= 2u;
dword_492040[v6] = 5 * v4;
dword_492040[v6] = dword_492040[i] - 10;
dword_492040[v6] += dword_492040[i];
dword_492040[i] -= 18;
}
return result;
}
int main()
{
sub_401500();
sub_40152B();
sub_401593();
sub_401619(42);
int v2[50];
memset(v2, 0, sizeof(v2));
v2[0] = -61;
v2[1] = -128;
v2[2] = -43;
v2[3] = -14;
v2[4] = -101;
v2[5] = 48;
v2[6] = 11;
v2[7] = -76;
v2[8] = 85;
v2[9] = -34;
v2[10] = 34;
v2[11] = -125;
v2[12] = 47;
v2[13] = -105;
v2[14] = -72;
v2[15] = 32;
v2[16] = 29;
v2[17] = 116;
v2[18] = -47;
v2[19] = 1;
v2[20] = 115;
v2[21] = 26;
v2[22] = -78;
v2[23] = -56;
v2[24] = -59;
v2[25] = 116;
v2[26] = -64;
v2[27] = 91;
v2[28] = -9;
v2[29] = 15;
v2[30] = -45;
v2[31] = 1;
v2[32] = 85;
v2[33] = -78;
v2[34] = -92;
v2[35] = -82;
v2[36] = 123;
v2[37] = -84;
v2[38] = 92;
v2[39] = 86;
v2[40] = -68;
v2[41] = 35;
for (int i = 0; i < 42; ++i )
cout<<char(((v2[i] - 71) ^ dword_492940[i]) & 0xff);
return 0;
}