链接:https://pan.baidu.com/s/1msA5EY_7hoYGBEema7nWwA
提取码:b9xf
wp:首先找不到main函数,然后寻找特殊字符串,
交叉引用
反汇编
主函数在 sub_3D0 当中(原文写作 sub_3D9,与下方伪代码中的函数名 sub_3D0 不一致,应以伪代码为准),但是 IDA 分析错了
分析错误后,删除函数
创建函数
操作:对 flag 的每个字节,先与 0x22 异或,然后再加 3(字节运算,模 256);sub_330 以 strlen(flag) 为计数递归,所以每个字节要重复这一步 strlen(flag) 次,而校验要求 30 个表项全部匹配,即重复 30 次
分析代码:
// IDA pseudocode of the real entry point. The collapsed listing has been
// re-broken into one statement per line; no code tokens were changed.
// Flow: zero two stack buffers, read the flag with scanf, fill v9 with 30
// DWORD constants, run sub_330 over every flag byte, then count how many
// transformed bytes equal their v9 entry. Exactly 30 matches => "Success".
// sub_2450(file, line, buf, offset, size) is always called with a source
// path + line number and its result is dereferenced, so it looks like an
// instrumented element accessor returning &buf[offset] -- inferred from the
// call sites only, not confirmed here.
int sub_3D0()
{
  int v0; // ebx
  int v1; // eax
  const char *v2; // ebx
  int v4; // [esp+14h] [ebp-C4h]
  int v5; // [esp+18h] [ebp-C0h]
  int v6; // [esp+1Ch] [ebp-BCh]
  int v7[2]; // [esp+20h] [ebp-B8h] BYREF
  char flag[52]; // [esp+28h] [ebp-B0h] BYREF
  char v9[124]; // [esp+5Ch] [ebp-7Ch] BYREF

  sub_32B0(flag, 0, 48); // memset-like (ptr, value, len) -- inferred from the arguments
  sub_32B0(v9, 0, 120);
  v7[0] = 0;
  // presumably registers the two buffers with their sizes in v7 so sub_2450
  // can check accesses against them -- TODO confirm
  sub_2BF0(v7, flag, 48);
  sub_2BF0(v7, v9, 120);
  v5 = 0; // number of matching bytes
  // 48 bytes of a data constant are copied into flag and then immediately
  // overwritten by scanf, so the initial contents never matter for the check.
  qmemcpy(flag, dword_126F8, 0x30u);
  printf("Plz Input Flag: ");
  // NOTE(review): "%s" with no width limit into a 52-byte stack buffer. Any
  // input over 51 bytes overruns flag into v9 (which sits right above it at
  // ebp-7Ch) and, with enough input, the saved frame -- a plain stack
  // overflow. Not needed for the intended solve, but a real bug in the binary.
  scanf("%s", flag);
  // Build the expected table: 30 DWORDs at v9[0], v9[4], ..., v9[116].
  // These are the values the solve script's key[] reproduces, in order.
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 0, 4) = 188;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 4, 4) = 10;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 8, 4) = 187;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 12, 4) = 193;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 16, 4) = 213;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 20, 4) = 134;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 24, 4) = 127;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 28, 4) = 10;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 32, 4) = 201;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 36, 4) = 185;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 40, 4) = 81;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 44, 4) = 78;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 48, 4) = 136;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 52, 4) = 10;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 56, 4) = 130;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 60, 4) = 185;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 64, 4) = 49;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 68, 4) = 141;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 72, 4) = 10;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 76, 4) = 253;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 80, 4) = 201;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 84, 4) = 199;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 88, 4) = 127;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 92, 4) = 185;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 96, 4) = 17;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 100, 4) = 78;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 104, 4) = 185;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 108, 4) = 232;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 112, 4) = 141;
  *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 21, v9, 116, 4) = 87;
  v4 = strlen(flag);
  v0 = 0;
  if ( v4 <= 0 )
    goto LABEL_7; // empty input -> "Try Again" without touching the table
  do
  {
    // &flag[v0] (size argument is 0 here, unlike every other call)
    v1 = sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 24, flag, v0, 0);
    // IDA had no prototype for sub_330, hence the cast. Arguments are
    // (address of flag[v0], strlen(flag)); sub_330 (below) applies
    // b = (b ^ 0x22) + 3 to that byte strlen(flag) times, in place.
    ((void (__cdecl *)(int, int))sub_330)(v1, v4);
    // Author's note (translated): loc_330 looked odd at first. A loc_ name is
    // code IDA shows only as assembly -- a label it has not turned into a
    // function -- while sub_ names are what it decompiles. After "create
    // function" at 0x330 it becomes sub_330, listed below.
    v6 = *(unsigned __int8 *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 26, flag, v0, 1);
    // transformed byte vs. the DWORD at v9[4*v0]
    if ( *(_DWORD *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 26, v9, 4 * v0, 4) == v6 )
      ++v5;
    ++v0;
  }
  while ( v0 < v4 );
  // All 30 table entries must match. With v4 > 30 the 31st iteration indexes
  // 4*v0 >= 120, past v9's 120 bytes -- what happens then depends on sub_2450.
  if ( v5 == 30 )
    v2 = "Success";
  else
LABEL_7:
    v2 = "Try Again";
  sub_3350(v2); // prints the verdict (puts-like; inferred from the argument)
  sub_2930(v7); // teardown of whatever sub_2BF0 registered in v7 (inferred)
  return 0;
}
// a1: address of the flag byte being transformed (sub_3D0 passes &flag[i], typed as int by IDA)
// a2: strlen(flag), used as the remaining recursion count
// IDA pseudocode of the per-byte transform, re-broken into one statement per
// line (no code tokens changed). Called from sub_3D0 as
// sub_330(&flag[i], strlen(flag)).
// Effective behaviour: if a2 == 0 return 1; otherwise
//     *a1 = (*a1 ^ 0x22) + 3      (byte arithmetic, wraps mod 256)
// then recurse with a2 - 1, so the byte is transformed a2 times in total.
// Everything between the opaque predicate `if ( v3 || !v3 )` and LABEL_7 is
// unreachable junk -- the "junk code" (花指令) the summary refers to.
int __cdecl sub_330(int a1, unsigned int a2)
{
  bool v3; // zf
  unsigned int v4; // eax
  unsigned int v5; // eax
  _DWORD v6[2]; // [esp-4h] [ebp-18h] BYREF -- below esp: IDA's stack-pointer tracking is off here (summary item 1)
  _BYTE *v7; // [esp+4h] [ebp-10h]
  _BYTE *v8; // [esp+8h] [ebp-Ch]
  int v9; // [esp+Ch] [ebp-8h]

  v9 = 0;
  if ( !a2 )
    return 1; // recursion base case: no rounds left
  v8 = (_BYTE *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 10, a1, 0, 1);
  *v8 ^= 0x22u; // step 1: XOR the byte with 0x22
  v7 = (_BYTE *)sub_2450("C:/WindRiver/workspace/helloworld/helloworld.c", 11, a1, 0, 1);
  v3 = *v7 == 0xFD; // leftover flag from a cmp; only feeds the opaque predicate below
  *v7 += 3; // step 2: add 3 (on a _BYTE, so mod 256)
  if ( v3 || !v3 ) // always true: an unconditional jump disguised as a branch
    goto LABEL_7;
  // --- unreachable from here down to LABEL_7 ---
  v4 = (unsigned int)v6 ^ 0x22;
  if ( ((unsigned int)v6 ^ 0x22) == v6[1] )
  {
LABEL_8:
    v5 = v4 - 1; // the recursion: one fewer round for the same byte
    return sub_330(a1, v5);
  }
  // call into the middle of sub_3D0 (0x3D3 + 2): junk that never executes
  v5 = ((int (*)(void))((char *)&loc_3D3 + 2))();
  if ( !v3 )
  {
LABEL_7:
    v4 = a2; // real path: reached by the goto above, continues at LABEL_8
    goto LABEL_8;
  }
  return sub_330(a1, v5);
}
上脚本
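#include <stdio.h>
#include <string.h>

/*
 * Solve script: recover the flag from the 30 DWORD constants sub_3D0 stores
 * in v9.
 *
 * The binary calls sub_330(&flag[i], strlen(flag)) for every byte; each call
 * applies  b = (b ^ 0x22) + 3  once and recurses with the count decremented,
 * so every byte is transformed strlen(flag) times. All 30 table entries must
 * match, so strlen(flag) == 30, and the inverse is to apply
 * b = (b - 3) ^ 0x22  thirty times to each entry -- in byte (mod 256)
 * arithmetic, which is made explicit here instead of relying on the low byte
 * of int arithmetic.
 */
enum { FLAG_LEN = 30 }; /* table size == flag length == rounds per byte */

/* Undo one round of sub_330's transform on a single byte (mod 256). */
static unsigned char undo_round(unsigned char b)
{
    return (unsigned char)((unsigned char)(b - 3) ^ 0x22);
}

int main(void)
{
    /* The v9 table from sub_3D0, in offset order (0, 4, ..., 116); every
     * entry is < 256 so it fits the byte it is compared against. */
    static const unsigned char key[FLAG_LEN] = {
        188,  10, 187, 193, 213, 134, 127,  10, 201, 185,
         81,  78, 136,  10, 130, 185,  49, 141,  10, 253,
        201, 199, 127, 185,  17,  78, 185, 232, 141,  87
    };
    char flag[FLAG_LEN + 1];

    for (size_t i = 0; i < FLAG_LEN; i++) {
        unsigned char b = key[i];
        /* One inverse round per recursion level: strlen(flag) == FLAG_LEN. */
        for (unsigned round = 0; round < FLAG_LEN; round++)
            b = undo_round(b);
        flag[i] = (char)b;
    }
    flag[FLAG_LEN] = '\0';

    printf("%s\n", flag); /* flag{helo_w0rld_W3lcome_70_R3} */
    return 0;
}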
#flag{helo_w0rld_W3lcome_70_R3}
总结:IDA无法识别函数(F5大法失效原因)
1.堆栈指针问题(例如 sub_330 中的 v6 被 IDA 标注在 [esp-4h],即栈指针之下,说明栈指针跟踪已经出错)
2.花指令问题(例如 sub_330 中的 if ( v3 || !v3 ) 恒为真,实际是无条件跳转,其后到 LABEL_7 之间的代码永远不会执行,其中还包含一次跳到 sub_3D0 指令中间 loc_3D3+2 的伪调用)