csaw2013reversing2
Type :REV
Source : XCTF
File : Click me
First of all, let's run the program to get a general idea of how it works.
Opening the program only shows a pop-up window containing garbled text.
I think it performs a check. The garbled output can be skipped and the real flag displayed by changing the assembly code.
Open it with DTdbg:
Found the info about the flag.
Find the calling address from the stack.
Found that it is not a simple jump check; it should be an encryption routine.
Combined with the pseudo code in IDA, we can see that a function is skipped:
This function just operates on the flag, so first locate the IsDebuggerPresent call and find the encryption function nearby:
The instruction marked by the blue line jumps over the encryption function.
So we can point the JMP instruction to the skipped function, and then point the JMP after the function directly to the output message box.
Like this:
Then we can find the flag in register EAX, or run the patched file:
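Retargeting the JMP by hand in the debugger works, but the same patch can be made reproducibly on the file. The helper below is an added example and not part of the original writeup: it encodes an x86 JMP from a source address to a destination (short EB rel8 when it fits, near E9 rel32 otherwise), writes it over the old instruction at a given file offset and NOP-pads the leftover bytes. The addresses and the byte buffer are constructed for the demo; mapping a virtual address to its file offset is assumed to be done by the caller.

```python
import struct


def encode_jmp(src_va: int, dst_va: int) -> bytes:
    """Encode an x86 JMP placed at src_va that lands on dst_va.

    The displacement is relative to the END of the JMP instruction,
    so the short form uses src_va + 2 and the near form src_va + 5.
    """
    rel8 = dst_va - (src_va + 2)
    if -128 <= rel8 <= 127:
        return b"\xeb" + struct.pack("<b", rel8)        # JMP rel8
    rel32 = dst_va - (src_va + 5)
    if not -(1 << 31) <= rel32 < (1 << 31):
        raise ValueError("destination out of rel32 range")
    return b"\xe9" + struct.pack("<i", rel32)           # JMP rel32


def patch_jmp(image: bytearray, file_off: int, old_len: int,
              src_va: int, dst_va: int) -> bytearray:
    """Overwrite the instruction of old_len bytes at file_off with a
    JMP src_va -> dst_va, padding any spare bytes with NOP (0x90) so
    the instruction stream stays aligned. Returns the patched image."""
    new = encode_jmp(src_va, dst_va)
    if len(new) > old_len:
        raise ValueError("new JMP does not fit in the old instruction")
    new += b"\x90" * (old_len - len(new))
    image[file_off:file_off + old_len] = new
    return image


if __name__ == "__main__":
    # Constructed 64-byte stand-in for a code section; the real task
    # would read the binary with open(path, "rb") and write it back.
    code = bytearray(b"\x90" * 0x40)
    # Hypothetical addresses: a 5-byte JMP at VA 0x401010 (file offset
    # 0x10) that skips a routine; retarget it to that routine at 0x401030.
    patch_jmp(code, 0x10, 5, 0x401010, 0x401030)
    print(code[0x10:0x15].hex())
```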