Loading it into IDA shows an unbalanced stack. The debugging trick here: wherever the problem is, go to the line above it, press Alt+K and set the value to 0.
F5 main
The operations on v4 produce a whole series of fake flags. Ugh.
Here the encrypt function is XOR-encoded, so write an IDC script to run over it.
```c
#include <idc.idc>

// XOR-decode the 187 bytes of the encrypt function in place (0x401500 .. 0x401500+186)
// with the single-byte key 0x41 so IDA can disassemble it.
static main()
{
    auto Address = 0x00401500;
    auto Value;
    for (; Address <= 0x00401500 + 186; Address++)
    {
        Value = Byte(Address);
        Value = Value ^ 0x41;
        PatchByte(Address, Value);
    }
}
```
Then decompile as usual (fiddle with U and C a bit).
It is still XOR here, but only 19 bytes. We also find a finally function inside main.
Here v3 through v7 are exactly 5 bytes; together with the 19 from before that makes exactly 24.
But if you keep using the 19-byte XOR string "hahahaha_do_you_find_me?" here, the result is wrong.
We guess the last five bytes are all XORed with the same single value, which can be solved back from the flag's last character being '}'. That gives the final flag.
(The commented-out part is the fake flag.)
```python
'''
# Fake-flag routine (kept commented out): 6 lines of so.in, index-dependent add/xor.
a = []
f = open('so.in')
for i in range(6):
    s = f.readline()
    for j in range(16):
        if j % 4 == 0:                  # low byte of each little-endian dword
            a.append(int(s[j*3:j*3+2], 16))
print(a)
for i in range(len(a)):
    if i & 1:
        a[i] += i
    else:
        a[i] ^= i
Input = ''
for i in range(len(a)):
    Input += chr(a[i])
print(Input)
'''
# Real flag: 5 lines of so.in (20 dwords), drop the trailing 0, then add v3..v7 from the finally block.
a = []
b = 'hahahaha_do_you_find_me?'
f = open('so.in')
for i in range(5):
    s = f.readline()
    for j in range(16):
        if j % 4 == 0:                  # low byte of each little-endian dword
            a.append(int(s[j*3:j*3+2], 16))
del a[len(a)-1]
a.append(37)
a.append(116)
a.append(112)
a.append(38)
a.append(58)
print(a)
for i in range(19):                     # first 19 bytes: XOR with the key string
    a[i] ^= ord(b[i])
k = ord('}') ^ 58                       # last byte must be '}', so recover the shared key byte
for i in range(19, 24):
    a[i] ^= k
Input = ''
for i in range(len(a)):
    Input += chr(a[i])
print(Input)
```
so.in, two copies (the first is the fake flag, the second is the flag):
```
66 00 00 00 6B 00 00 00 63 00 00 00 64 00 00 00
7F 00 00 00 61 00 00 00 67 00 00 00 64 00 00 00
3B 00 00 00 56 00 00 00 6B 00 00 00 61 00 00 00
7B 00 00 00 26 00 00 00 3B 00 00 00 50 00 00 00
63 00 00 00 5F 00 00 00 4D 00 00 00 5A 00 00 00
71 00 00 00 0C 00 00 00 37 00 00 00 66 00 00 00

0E 00 00 00 0D 00 00 00 09 00 00 00 06 00 00 00
13 00 00 00 05 00 00 00 58 00 00 00 56 00 00 00
3E 00 00 00 06 00 00 00 0C 00 00 00 3C 00 00 00
1F 00 00 00 57 00 00 00 14 00 00 00 6B 00 00 00
57 00 00 00 59 00 00 00 0D 00 00 00 00 00 00 00
```
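As an added example (not the post's own script), the same recovery written as reusable functions: a parser for the dword dump, the fake-flag transform, and the known-plaintext recovery of the shared tail key byte from the trailing '}'. The dumps, TAIL and KEY are taken from the post; the function names are mine.

```python
import struct

# Dumps copied from the page's so.in, in its "XX 00 00 00" little-endian dword layout:
# the first 24 dwords feed the fake-flag routine, the next 20 the real one.
FAKE_DUMP = ("66 00 00 00 6B 00 00 00 63 00 00 00 64 00 00 00 7F 00 00 00 61 00 00 00 "
             "67 00 00 00 64 00 00 00 3B 00 00 00 56 00 00 00 6B 00 00 00 61 00 00 00 "
             "7B 00 00 00 26 00 00 00 3B 00 00 00 50 00 00 00 63 00 00 00 5F 00 00 00 "
             "4D 00 00 00 5A 00 00 00 71 00 00 00 0C 00 00 00 37 00 00 00 66 00 00 00")
REAL_DUMP = ("0E 00 00 00 0D 00 00 00 09 00 00 00 06 00 00 00 13 00 00 00 05 00 00 00 "
             "58 00 00 00 56 00 00 00 3E 00 00 00 06 00 00 00 0C 00 00 00 3C 00 00 00 "
             "1F 00 00 00 57 00 00 00 14 00 00 00 6B 00 00 00 57 00 00 00 59 00 00 00 "
             "0D 00 00 00 00 00 00 00")
TAIL = [37, 116, 112, 38, 58]            # v3..v7 from the finally block, as in the post's script
KEY = b"hahahaha_do_you_find_me?"


def parse_dwords(dump):
    """Parse a hex dump of little-endian dwords into their integer values."""
    raw = bytes.fromhex(dump)
    return [v for (v,) in struct.iter_unpack("<I", raw)]


def decode_fake(vals):
    """Fake-flag routine: odd indices add their index, even indices XOR it."""
    out = [(v + i) if i & 1 else (v ^ i) for i, v in enumerate(vals[:24])]
    return bytes(out).decode()


def decode_real(vals, tail, key, last_char=b"}"):
    """First 19 bytes are XORed with the key string; the 5 tail bytes share one
    unknown key byte, recovered from the flag's known final character."""
    body = bytes(v ^ k for v, k in zip(vals[:19], key))
    k = tail[-1] ^ last_char[0]           # known-plaintext: last byte decrypts to '}'
    return (body + bytes(t ^ k for t in tail)).decode()


if __name__ == "__main__":
    print(decode_fake(parse_dwords(FAKE_DUMP)))
    print(decode_real(parse_dwords(REAL_DUMP), TAIL, KEY))
```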