1.下载附件,exeinfo查壳,无壳
2.32位IDA分析,F5反汇编,分析函数
int __cdecl main(int a1, char **a2)
{
if ( a1 > 1 && sub_8048414(a2[1], 0) ) // 满足条件,即可
{
puts("Access granted"); // 成功输出
sub_8048538(a2[1]);
}
else
{
puts("Access denied");
}
return 0;
}
3.双击进入 sub_8048414函数中
int __cdecl sub_8048414(_BYTE *a1, int a2)
{
int result; // eax
switch ( a2 )
{
case 0:
if ( *a1 == 105 )
goto LABEL_19;
result = 0;
break;
case 1:
if ( *a1 == 101 )
goto LABEL_19;
result = 0;
break;
case 3:
if ( *a1 == 110 )
goto LABEL_19;
result = 0;
break;
case 4:
if ( *a1 == 100 )
goto LABEL_19;
result = 0;
break;
case 5:
if ( *a1 == 97 )
goto LABEL_19;
result = 0;
break;
case 6:
if ( *a1 == 103 )
goto LABEL_19;
result = 0;
break;
case 7:
if ( *a1 == 115 )
goto LABEL_19;
result = 0;
break;
case 9:
if ( *a1 == 114 )
LABEL_19:
result = sub_8048414(a1 + 1, 7 * (a2 + 1) % 11); //关键代码思路
else
result = 0;
break;
default:
result = 1;
break;
}
return result;
}
首先,确定a2的值,因为a2是双底层值得,**a2。重点是如何确定a2,通过分析,a2是通过a2在语句中确定的(总感觉a2两个,猜测是IDA编译器编译的错误)
a2=0
for i in range(9):
a2 = 7*(a2+1)%11
print(a2)
脚本确定a2的顺序。
4.返回到主函数中,然后进入函数sub_8048538
发现代码是对v2进行处理加密
在进入到&unk_8048760函数中,进去后发现,是一堆数据,猜测是v2的值
观察数据,发现每隔4个十六进制的数,就会有一个有效数,将这数提取。
0x0F,0x1F,0x04,0x09,0x1C,0x12,0x42,0x09,0x0C,0x44,0x0D,0x07,0x09,0x06,0x2D,0x37,0x59,0x1E,0x00,0x59,0x0F,0x08,0x1C,0x23,0x36,0x07,0x55,0x02,0x0C,0x08,0x41,0x0A,0x14
有一个数是0x00,是因为隔了4个数,所以要根据顺序添加。
5.编写脚本
key=[105,115,101,110,103,97,114,100]#key的顺序是根据前面的a2的程序输出顺序
v2=[0x0F,0x1F,0x04,0x09,0x1C,0x12,0x42,0x09,0x0C,0x44,0x0D,0x07,0x09,0x06,0x2D,0x37,0x59,0x1E,0x00,0x59,0x0F,0x08,0x1C,0x23,0x36,0x07,0x55,0x02,0x0C,0x08,0x41,0x0A,0x14]
flag=''
for i in range(33):
flag+=chr(v2[i]^key[(i%8)])
print(flag)
flag{s0me7hing_S0me7hinG_t0lki3n}