Unpacking the archive yields two programs.
Opening them in IDA and analysing shows:
Main program: creates a child process
another: contains the flag algorithm
Approach: debug the child process to obtain the key, then reverse the algorithm.
Debugging the child process
1. Modify the child program
Change the first instruction of the child program into a jump to itself, so that it spins in an infinite loop.
Patch the entry at 0040c1c0 to jmp 0040c1c0, a jump to its own address.
Save the modification to the file.
Open the main program in windbg32, use the address from IDA to find the place where the program creates the process, set a breakpoint there, run to it, and step over it with F8 so the child process is created.
Attach to the child process
The first program
The debugger breaks at the entry of the child process; now restore the original code at the entry.
Then, using the IDA addresses, set a breakpoint at 0x401410 and press F9 to reach the child's main function; running to 0x401488 yields the key.
The KEY is DASCTF{Y0u'v3_be3n_tr1ck3d!}
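The entry-point patch in step 1 can be prepared without a hex editor. The following is an added example, not the writeup's own tooling: it parses the PE headers, maps the AddressOfEntryPoint RVA to a file offset through the section table, writes the two-byte self jump `EB FE` (jmp $, which is what "jmp 0040c1c0" at 0040c1c0 encodes to) over it, and returns the overwritten bytes so they can be restored in the debugger after attaching. The PE image it operates on is constructed inline for the example (image base 0x400000, entry 0x40c1c0, a placeholder prologue); it is not the challenge binary.

```python
import struct

# Constructed toy PE32 image (an assumption for this example, not the challenge binary):
# image base 0x400000 and entry point 0x40c1c0, matching the addresses in the writeup.
IMAGE_BASE = 0x400000
ENTRY_RVA = 0xC1C0
SECTION_RVA = 0xC000
RAW_OFFSET = 0x200
ORIGINAL_ENTRY = b"\x55\x8b\xec"   # push ebp / mov ebp,esp: placeholder prologue


def build_toy_pe():
    """Assemble a minimal single-section PE32 file image (headers + .text) in memory."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew at offset 0x3C
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0, 0,
                      ENTRY_RVA, SECTION_RVA, 0, IMAGE_BASE)   # AddressOfEntryPoint at +16
    opt += b"\x00" * (0xE0 - len(opt))                         # rest of the optional header
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, SECTION_RVA, 0x1000,
                       RAW_OFFSET, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\x00" * (RAW_OFFSET - len(headers))
    text = bytearray(b"\xCC" * 0x1000)                          # int3 filler
    at = ENTRY_RVA - SECTION_RVA
    text[at:at + len(ORIGINAL_ENTRY)] = ORIGINAL_ENTRY
    return bytes(headers + text)


def pe_header_offset(image):
    """Return the file offset of the PE signature after validating the DOS header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return pe


def entry_point_rva(image):
    pe = pe_header_offset(image)
    return struct.unpack_from("<I", image, pe + 24 + 16)[0]   # OptionalHeader.AddressOfEntryPoint


def rva_to_file_offset(image, rva):
    """Walk the section table and translate an RVA into an offset inside the file."""
    pe = pe_header_offset(image)
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, table + i * 40 + 8)
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def patch_entry_with_self_jump(image):
    """Overwrite the entry point with EB FE (jmp $); return (patched image, saved original bytes)."""
    off = rva_to_file_offset(image, entry_point_rva(image))
    patched = bytearray(image)
    saved = bytes(patched[off:off + 2])
    patched[off:off + 2] = b"\xEB\xFE"
    return bytes(patched), saved


if __name__ == "__main__":
    img = build_toy_pe()
    patched, saved = patch_entry_with_self_jump(img)
    rva = entry_point_rva(img)
    print("entry %#x at file offset %#x, saved bytes %s"
          % (IMAGE_BASE + rva, rva_to_file_offset(img, rva), saved.hex()))
```

Once the debugger is attached, the child's EIP is parked on the patched entry; writing the saved two bytes back at that address is the "restore the original code" step described above, after which the breakpoints at 0x401410 and 0x401488 can be set as in the writeup.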
The random values are generated from seed 1; this C program reproduces them:
#include <stdio.h>
#include <stdlib.h>

/* Build with MSVC: the sequence below is the Microsoft CRT's rand();
   glibc's rand() yields different values for the same seed. */
int main(void) {
    srand(1);                      /* same seed the child process uses */
    for (int i = 0; i < 32; i++)   /* one rand() per flag byte */
        printf("0x%x,", rand());
    return 0;
}
Output:
0x29,0x4823,0x18be,0x6784,0x4ae1,0x3d6c,0x2cd6,0x72ae,0x6952,0x5f90,0x1649,
0x6df1,0x5af1,0x41bb,0x26e9,0x1eb,0xbb3,0x2ea6,0x12db,0x153c,0x7e87,0x390c,
0xf3e,0x99,0x124,0x305e,0x440d,0x491c,0x4d06,0x4db7,0x1547,0x54de
Then write the reverse script in Python:
enflag=[0x77, 0x00, 0x72, 0x17, 0x0B, 0x34, 0x13, 0x69, 0x6F, 0x21, 0x54, 0x45, 0x6C, 0x3E, 0x3D, 0x16, 0x5A, 0x3D, 0x30, 0x0D, 0x11, 0x61, 0x30, 0x4A, 0x70, 0x1F, 0x52, 0x39, 0x02, 0x04, 0x2E, 0x10]
rands= [0x29,0x4823,0x18be,0x6784,0x4ae1,0x3d6c,0x2cd6,0x72ae,0x6952,0x5f90,0x1649,0x6df1,0x5af1,0x41bb,0x26e9,0x1eb,0xbb3,
        0x2ea6,0x12db,0x153c,0x7e87,0x390c,0xf3e,0x99,0x124,0x305e,0x440d,0x491c,0x4d06,0x4db7,0x1547,0x54de]
key="DASCTF{Y0u'v3_be3n_tr1ck3d!}"
XB=[]                          # XB[i] will record where the byte now at position i came from
for i in range(32):
    XB.append(i)
def swap(a,b):
    x=XB[b]
    XB[b]=XB[a]
    XB[a]=x
crflag=[]
for i in range(32):            # step 1: undo the XOR with the key (the 28-byte key repeats)
    enflag[i]^=ord(key[i%len(key)])
print(len(enflag))
for i in range(32):            # step 2: replay the program's swap sequence on the index array
    v4=rands[i]%32
    swap(i,v4)
print(enflag)
flag=[0]*32
for i in range(32):            # step 3: move every byte back to its original position
    flag[XB[i]]=enflag[i]
for i in range(32):
    print(chr(flag[i]),end='')
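The following added example (my own code, not the writeup's script) serves both the seed-1 random sequence above and the reverse script: it reimplements the Microsoft CRT rand() in Python (32-bit LCG with multiplier 214013 and increment 2531011, returning bits 16 to 30), so the C snippet need not be compiled, and models the child's transform as the reverse script implies it, namely a swap pass driven by rand() % 32 followed by a positional XOR with the key, together with its inverse, which undoes the XOR and then replays the swaps in reverse order (each swap is its own inverse, so no index bookkeeping is needed). KEY and ENFLAG are the values from the writeup; the forward direction is inferred from the reverse script rather than taken from the binary.

```python
# Key recovered by the writeup at 0x401488 and the ciphertext bytes from the reverse script.
KEY = b"DASCTF{Y0u'v3_be3n_tr1ck3d!}"
ENFLAG = bytes([0x77, 0x00, 0x72, 0x17, 0x0B, 0x34, 0x13, 0x69, 0x6F, 0x21, 0x54, 0x45,
                0x6C, 0x3E, 0x3D, 0x16, 0x5A, 0x3D, 0x30, 0x0D, 0x11, 0x61, 0x30, 0x4A,
                0x70, 0x1F, 0x52, 0x39, 0x02, 0x04, 0x2E, 0x10])


class MsvcRand:
    """Microsoft CRT rand(): state = state * 214013 + 2531011 (mod 2^32); output = bits 16..30."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def rand_sequence(seed, n):
    """The first n values of rand() after srand(seed), as the C snippet prints them."""
    rng = MsvcRand(seed)
    return [rng.rand() for _ in range(n)]


def encrypt(flag, key=KEY, seed=1):
    """Forward transform inferred from the reverse script: swap pass, then positional XOR."""
    buf = bytearray(flag)
    for i, v in enumerate(rand_sequence(seed, len(buf))):
        j = v % len(buf)
        buf[i], buf[j] = buf[j], buf[i]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def decrypt(enc, key=KEY, seed=1):
    """Inverse: strip the XOR, then replay the swaps in reverse order."""
    buf = bytearray(b ^ key[i % len(key)] for i, b in enumerate(enc))
    for i, v in reversed(list(enumerate(rand_sequence(seed, len(buf))))):
        j = v % len(buf)
        buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


if __name__ == "__main__":
    flag = decrypt(ENFLAG)
    print(flag.decode())
    # Round trip: re-encrypting the recovered plaintext must give the captured ciphertext.
    assert encrypt(flag) == ENFLAG
```

Because the swaps are applied in reverse here instead of tracked through an index array, the same two functions also work for any other length or seed, which is handy when checking a hypothesis about the algorithm against a second ciphertext.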
Summary: attaching with OD did not work no matter how long I tried; with windbg32 it worked right away.