链接:https://pan.baidu.com/s/1msA5EY_7hoYGBEema7nWwA
提取码:b9xf
wp:首先找不到main函数,然后寻找特殊字符串,
交叉引用
反汇编
主函数在sub_3D9当中,但是IDA分析错了
分析错误后,先删除该函数
再重新创建函数
操作:与0x22异或,然后再加3
分析代码:
/*
 * IDA pseudocode of the challenge's real entry routine.  It reads a flag
 * with scanf, rewrites every input byte in place through sub_330, then
 * counts how many rewritten bytes equal the 30 dword constants stored into
 * v9 below; exactly 30 matches prints "Success", anything else "Try Again".
 * The sub_* helpers are unresolved library/runtime calls: comments on them
 * are inferred from their call shape and should be confirmed in the
 * disassembly.
 */
int sub_3D0()
{
int v0; // ebx  -- index of the current input byte
int v1; // eax  -- pointer to flag[v0] returned by sub_2450
const char *v2; // ebx  -- result message
int v4; // [esp+14h] [ebp-C4h]  -- strlen(flag)
int v5; // [esp+18h] [ebp-C0h]  -- number of positions that matched
int v6; // [esp+1Ch] [ebp-BCh]  -- rewritten input byte at position v0
int v7[2]; // [esp+20h] [ebp-B8h] BYREF  -- opaque state handed to sub_2BF0 / sub_2930
char flag[52]; // [esp+28h] [ebp-B0h] BYREF  -- user input buffer
char v9[124]; // [esp+5Ch] [ebp-7Ch] BYREF  -- table of 30 expected dwords (120 bytes used)
// Presumably memset-style fills (buffer, value, length) -- confirm.
sub_32B0(flag, 0, 48);
sub_32B0(v9, 0, 120);
v7[0] = 0;
// Both buffers are registered with v7; sub_2930(v7) at the end looks like
// the matching teardown.  Actual purpose not visible here -- confirm.
sub_2BF0(v7, flag, 48);
sub_2BF0(v7, v9, 120);
v5 = 0;
// Pre-seed the input buffer with 48 bytes from dword_126F8 before reading.
qmemcpy(flag, dword_126F8, 0x30u);
printf("Plz Input Flag: ");
// NOTE(review): unbounded "%s" into a 52-byte stack buffer -- input longer
// than 51 bytes overflows flag.  Irrelevant to the intended check, but it is
// a real defect in the binary.
scanf("%s", flag);
// sub_2450(src_file, src_line, buf, offset, size) returns a pointer into buf
// at offset; the source file/line arguments suggest an instrumented
// (bounds-checked) access helper -- confirm.  The 30 stores below fill the
// expected-value table v9, one dword per entry, entry index = offset / 4.
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 0, 4) = 188;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 4, 4) = 10;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 8, 4) = 187;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 12, 4) = 193;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 16, 4) = 213;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 20, 4) = 134;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 24, 4) = 127;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 28, 4) = 10;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 32, 4) = 201;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 36, 4) = 185;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 40, 4) = 81;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 44, 4) = 78;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 48, 4) = 136;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 52, 4) = 10;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 56, 4) = 130;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 60, 4) = 185;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 64, 4) = 49;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 68, 4) = 141;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 72, 4) = 10;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 76, 4) = 253;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 80, 4) = 201;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 84, 4) = 199;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 88, 4) = 127;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 92, 4) = 185;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 96, 4) = 17;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 100, 4) = 78;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 104, 4) = 185;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 108, 4) = 232;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 112, 4) = 141;
*(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 116, 4) = 87;
v4 = strlen(flag);
v0 = 0;
// Empty input can never produce 30 matches: go straight to "Try Again".
if ( v4 <= 0 )
goto LABEL_7;
do
{
// Pointer to flag[v0] (size argument 0 here, unlike the sized reads below).
v1 = sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 24, flag, v0, 0);
// Rewrite flag[v0] in place.  sub_330 recurses v4 times over that single
// byte, so every byte of the input is transformed strlen(flag) times.
((void (__cdecl *)(int, int))sub_330)(v1, v4);// loc_330 is a bit special.
// Oh, I see: labels starting with loc_ are functions too, just shown as raw
// assembly, whereas sub_ ones are shown in decompiled form.
v6 = *(unsigned __int8 *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 26, flag, v0, 1);
// Byte-vs-dword compare against expected entry v0 (byte offset 4 * v0).
if ( *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 26, v9, 4 * v0, 4) == v6 )
++v5;
++v0;
}
while ( v0 < v4 );
// Success needs exactly 30 matching positions -- the table has 30 entries.
if ( v5 == 30 )
v2 = "Success";
else
LABEL_7:
v2 = "Try Again";
sub_3350(v2);   // presumably prints the message -- confirm
sub_2930(v7);   // presumably releases what sub_2BF0 set up -- confirm
return 0;
}
// a1是flag
// a2是flag的长度
/*
 * Per-byte rewrite routine, called from sub_3D0 with a pointer to the current
 * input byte (a1) and the input length (a2).  Each call XORs the byte at
 * a1[0] with 0x22, then adds 3 to it, and recurses with a2 - 1 until a2 is 0,
 * so the byte ends up transformed a2 times.  Everything that the decompiler
 * shows after the `if ( v3 || !v3 )` line is dead code: that condition is an
 * opaque predicate that is always true.
 */
int __cdecl sub_330(int a1, unsigned int a2)
{
bool v3; // zf  -- whether the +3 below wraps the byte to 0; only used in an always-true test
unsigned int v4; // eax  -- round count carried into the recursive call
unsigned int v5; // eax
_DWORD v6[2]; // [esp-4h] [ebp-18h] BYREF  -- referenced only by the dead code
_BYTE *v7; // [esp+4h] [ebp-10h]
_BYTE *v8; // [esp+8h] [ebp-Ch]
int v9; // [esp+Ch] [ebp-8h]  -- written, never read (decompiler residue)
v9 = 0;
// Base case: no rounds left.
if ( !a2 )
return 1;
// Step 1: XOR the byte at a1[0] with 0x22 (sub_2450 returns a pointer into a1).
v8 = (_BYTE *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 10, a1, 0, 1);
*v8 ^= 0x22u;
// Step 2: add 3 to the same byte; _BYTE arithmetic, so it wraps mod 256.
v7 = (_BYTE *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 11, a1, 0, 1);
v3 = *v7 == 0xFD;
*v7 += 3;
// Opaque predicate: `v3 || !v3` is always true, so control always reaches
// LABEL_7 and the lines between here and LABEL_7 are never executed.
if ( v3 || !v3 )
goto LABEL_7;
// ---- unreachable from here on: junk emitted by the obfuscation ----
v4 = (unsigned int)v6 ^ 0x22;
if ( ((unsigned int)v6 ^ 0x22) == v6[1] )
{
LABEL_8:
// (original note: this is a recursion)  Recurse with one round fewer.
v5 = v4 - 1;
return sub_330(a1, v5);
}
// Call into loc_3D3 + 2, i.e. a byte offset inside another routine -- likely
// the middle of an instruction, which is what breaks IDA's function
// boundaries here; confirm in the disassembly.  Never executed.
v5 = ((int (*)(void))((char *)&loc_3D3 + 2))();
if ( !v3 )
{
LABEL_7:
// Taken on every call: hand the round count to LABEL_8.
v4 = a2;
goto LABEL_8;
}
return sub_330(a1, v5);
}
上脚本
#include <stdio.h>
#include <string.h>
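/*
 * In sub_3D0 every input byte is passed through sub_330 strlen(flag) times,
 * and the success check needs 30 matches against a 30-entry table, so the
 * intended input is 30 bytes long and each byte receives 30 rounds.
 */
enum { FLAG_LEN = 30, ROUNDS = 30 };

/*
 * Undo `rounds` applications of the per-byte transform from sub_330
 * ("c ^= 0x22; c += 3") by running the inverse steps in reverse order.
 * Done in unsigned char so the arithmetic wraps mod 256 exactly like the
 * _BYTE operations in the binary.
 *
 * @param c       expected byte from the binary's table
 * @param rounds  number of transform rounds to reverse
 * @return        the original input byte
 */
static unsigned char decode_byte(unsigned char c, unsigned rounds)
{
    for (unsigned r = 0; r < rounds; r++) {
        c = (unsigned char)(c - 3);
        c ^= 0x22u;
    }
    return c;
}

/*
 * Recover the flag: decode each table entry and print the resulting byte.
 * Returns 0.
 */
int main(void)
{
    /* The 30 dword constants stored into v9 in sub_3D0, in offset order. */
    static const unsigned char key[FLAG_LEN] = {
        188, 10, 187, 193, 213, 134, 127, 10, 201, 185, 81, 78,
        136, 10, 130, 185, 49, 141, 10, 253, 201, 199, 127, 185,
        17, 78, 185, 232, 141, 87
    };

    /* size_t index avoids the signed/unsigned comparison the int loop had. */
    for (size_t i = 0; i < sizeof key / sizeof key[0]; i++) {
        putchar(decode_byte(key[i], ROUNDS));
    }
    putchar('\n');
    return 0;
}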
#flag{helo_w0rld_W3lcome_70_R3}
总结:IDA无法识别函数(F5大法失效原因)
1.堆栈指针问题
2.花指令问题