没有前言,简单的复现。
一个VM,比赛的时候懒得使用IDA进行动态调试,但是忘记了一件很重要的事情,就是IDA的动态调试是支持F5的。而gdb只能看汇编,导致效率直线下降,好在子洋师傅靠谱,很迅速地完成了这道题目,把我从苦痛中解放出来。比赛后的复现将采用IDA动调的方式,毕竟IDA才是逆向选手的爸爸(误)。比赛的时候已经注意到0x8048838这个地方应该是VM解释指令的函数了,下面是gdb下得到的汇编:
0x08048838: 55 push ebp
0x08048839: 89 e5 mov ebp,esp
0x0804883b: 53 push ebx
0x0804883c: 83 ec 34 sub esp,0x34
0x0804883f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
0x08048842: 89 45 d4 mov DWORD PTR [ebp-0x2c],eax
0x08048845: 65 a1 14 00 00 00 mov eax,gs:0x14
0x0804884b: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
0x0804884e: 31 c0 xor eax,eax
0x08048850: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c] //返回跳转至这里
0x08048853: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048856: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048859: 3c 71 cmp al,0x71 //0x71
0x0804885b: 75 2f jne 0x804888c
0x0804885d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048860: 8b 40 18 mov eax,DWORD PTR [eax+0x18]
0x08048863: 8d 50 fc lea edx,[eax-0x4]
0x08048866: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048869: 89 50 18 mov DWORD PTR [eax+0x18],edx
0x0804886c: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804886f: 8b 40 18 mov eax,DWORD PTR [eax+0x18]
0x08048872: 8b 55 d4 mov edx,DWORD PTR [ebp-0x2c]
0x08048875: 8b 52 20 mov edx,DWORD PTR [edx+0x20]
0x08048878: 8b 52 01 mov edx,DWORD PTR [edx+0x1]
0x0804887b: 89 10 mov DWORD PTR [eax],edx
0x0804887d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048880: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048883: 8d 50 05 lea edx,[eax+0x5]
0x08048886: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048889: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x0804888c: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804888f: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048892: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048895: 3c 41 cmp al,0x41 //0x41 ADD
0x08048897: 75 23 jne 0x80488bc
0x08048899: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804889c: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x0804889f: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488a2: 8b 40 08 mov eax,DWORD PTR [eax+0x8]
0x080488a5: 01 c2 add edx,eax
0x080488a7: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488aa: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x080488ad: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488b0: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080488b3: 8d 50 01 lea edx,[eax+0x1]
0x080488b6: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488b9: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x080488bc: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488bf: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080488c2: 0f b6 00 movzx eax,BYTE PTR [eax]
0x080488c5: 3c 42 cmp al,0x42 //0x42 sub
0x080488c7: 75 23 jne 0x80488ec
0x080488c9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488cc: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x080488cf: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488d2: 8b 40 10 mov eax,DWORD PTR [eax+0x10]
0x080488d5: 29 c2 sub edx,eax
0x080488d7: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488da: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x080488dd: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488e0: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080488e3: 8d 50 01 lea edx,[eax+0x1]
0x080488e6: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488e9: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x080488ec: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488ef: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080488f2: 0f b6 00 movzx eax,BYTE PTR [eax]
0x080488f5: 3c 43 cmp al,0x43 //C 0x43 *
0x080488f7: 75 24 jne 0x804891d
0x080488f9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080488fc: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x080488ff: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048902: 8b 40 0c mov eax,DWORD PTR [eax+0xc]
0x08048905: 0f af d0 imul edx,eax
0x08048908: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804890b: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x0804890e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048911: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048914: 8d 50 01 lea edx,[eax+0x1]
0x08048917: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804891a: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x0804891d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048920: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048923: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048926: 3c 44 cmp al,0x44 //D 0x44 div
0x08048928: 75 2a jne 0x8048954
0x0804892a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804892d: 8b 40 04 mov eax,DWORD PTR [eax+0x4]
0x08048930: 8b 55 d4 mov edx,DWORD PTR [ebp-0x2c]
0x08048933: 8b 5a 14 mov ebx,DWORD PTR [edx+0x14]
0x08048936: ba 00 00 00 00 mov edx,0x0
0x0804893b: f7 f3 div ebx
0x0804893d: 89 c2 mov edx,eax
0x0804893f: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048942: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048945: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048948: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x0804894b: 8d 50 01 lea edx,[eax+0x1]
0x0804894e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048951: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048954: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048957: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x0804895a: 0f b6 00 movzx eax,BYTE PTR [eax]
0x0804895d: 3c 80 cmp al,0x80 //0x80
0x0804895f: 75 33 jne 0x8048994
0x08048961: 8b 5d d4 mov ebx,DWORD PTR [ebp-0x2c]
0x08048964: 83 ec 08 sub esp,0x8
0x08048967: 6a 01 push 0x1
0x08048969: ff 75 d4 push DWORD PTR [ebp-0x2c]
0x0804896c: e8 7e fe ff ff call 0x80487ef
0x08048971: 83 c4 10 add esp,0x10
0x08048974: c1 e0 02 shl eax,0x2
0x08048977: 8d 14 03 lea edx,[ebx+eax*1]
0x0804897a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x0804897d: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048980: 8b 40 02 mov eax,DWORD PTR [eax+0x2]
0x08048983: 89 02 mov DWORD PTR [edx],eax
0x08048985: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048988: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x0804898b: 8d 50 06 lea edx,[eax+0x6]
0x0804898e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048991: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048994: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048997: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x0804899a: 0f b6 00 movzx eax,BYTE PTR [eax]
0x0804899d: 3c 77 cmp al,0x77 //0x77 w
0x0804899f: 75 23 jne 0x80489c4
0x080489a1: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489a4: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x080489a7: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489aa: 8b 40 24 mov eax,DWORD PTR [eax+0x24]
0x080489ad: 31 c2 xor edx,eax
0x080489af: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489b2: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x080489b5: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489b8: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080489bb: 8d 50 01 lea edx,[eax+0x1]
0x080489be: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489c1: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x080489c4: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489c7: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080489ca: 0f b6 00 movzx eax,BYTE PTR [eax]
0x080489cd: 3c 53 cmp al,0x53 //S putchr(??)
0x080489cf: 75 27 jne 0x80489f8
0x080489d1: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489d4: 8b 40 0c mov eax,DWORD PTR [eax+0xc]
0x080489d7: 0f b6 00 movzx eax,BYTE PTR [eax]
0x080489da: 0f be c0 movsx eax,al
0x080489dd: 83 ec 0c sub esp,0xc
0x080489e0: 50 push eax
0x080489e1: e8 0a fc ff ff call 0x80485f0 <putchar@plt>
0x080489e6: 83 c4 10 add esp,0x10
0x080489e9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489ec: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080489ef: 8d 50 02 lea edx,[eax+0x2]
0x080489f2: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489f5: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x080489f8: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x080489fb: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x080489fe: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048a01: 3c 22 cmp al,0x22 //0x22 逻辑右移
0x08048a03: 75 25 jne 0x8048a2a
0x08048a05: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a08: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048a0b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a0e: 8b 40 08 mov eax,DWORD PTR [eax+0x8]
0x08048a11: 89 c1 mov ecx,eax
0x08048a13: d3 ea shr edx,cl
0x08048a15: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a18: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048a1b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a1e: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048a21: 8d 50 01 lea edx,[eax+0x1]
0x08048a24: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a27: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048a2a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a2d: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048a30: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048a33: 3c 23 cmp al,0x23 //0x23 逻辑左移
0x08048a35: 75 25 jne 0x8048a5c
0x08048a37: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a3a: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048a3d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a40: 8b 40 08 mov eax,DWORD PTR [eax+0x8]
0x08048a43: 89 c1 mov ecx,eax
0x08048a45: d3 e2 shl edx,cl
0x08048a47: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a4a: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048a4d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a50: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048a53: 8d 50 01 lea edx,[eax+0x1]
0x08048a56: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a59: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048a5c: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a5f: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048a62: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048a65: 3c 99 cmp al,0x99 //0x99
0x08048a67: 0f 84 5d 03 00 00 je 0x8048dca //退出报错
0x08048a6d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a70: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048a73: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048a76: 3c 76 cmp al,0x76 //0x76
0x08048a78: 75 38 jne 0x8048ab2
0x08048a7a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a7d: 8b 40 18 mov eax,DWORD PTR [eax+0x18]
0x08048a80: 8b 10 mov edx,DWORD PTR [eax]
0x08048a82: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a85: 89 50 0c mov DWORD PTR [eax+0xc],edx
0x08048a88: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a8b: 8b 40 18 mov eax,DWORD PTR [eax+0x18]
0x08048a8e: c7 00 00 00 00 00 mov DWORD PTR [eax],0x0
0x08048a94: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048a97: 8b 40 18 mov eax,DWORD PTR [eax+0x18]
0x08048a9a: 8d 50 04 lea edx,[eax+0x4]
0x08048a9d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048aa0: 89 50 18 mov DWORD PTR [eax+0x18],edx
0x08048aa3: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048aa6: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048aa9: 8d 50 05 lea edx,[eax+0x5]
0x08048aac: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048aaf: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048ab2: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ab5: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048ab8: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048abb: 3c 54 cmp al,0x54 //0x54 getchar
0x08048abd: 75 24 jne 0x8048ae3
0x08048abf: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ac2: 8b 40 0c mov eax,DWORD PTR [eax+0xc]
0x08048ac5: 89 45 e0 mov DWORD PTR [ebp-0x20],eax
0x08048ac8: e8 b3 fa ff ff call 0x8048580 <getchar@plt>
0x08048acd: 89 c2 mov edx,eax
0x08048acf: 8b 45 e0 mov eax,DWORD PTR [ebp-0x20]
0x08048ad2: 88 10 mov BYTE PTR [eax],dl
0x08048ad4: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ad7: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048ada: 8d 50 02 lea edx,[eax+0x2]
0x08048add: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ae0: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048ae3: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ae6: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048ae9: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048aec: 3c 30 cmp al,0x30 //0x30 |
0x08048aee: 75 23 jne 0x8048b13
0x08048af0: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048af3: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048af6: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048af9: 8b 40 08 mov eax,DWORD PTR [eax+0x8]
0x08048afc: 09 c2 or edx,eax
0x08048afe: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b01: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048b04: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b07: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b0a: 8d 50 01 lea edx,[eax+0x1]
0x08048b0d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b10: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048b13: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b16: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b19: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048b1c: 3c 31 cmp al,0x31 //0x31 and
0x08048b1e: 75 23 jne 0x8048b43
0x08048b20: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b23: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048b26: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b29: 8b 40 08 mov eax,DWORD PTR [eax+0x8]
0x08048b2c: 21 c2 and edx,eax
0x08048b2e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b31: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048b34: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b37: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b3a: 8d 50 01 lea edx,[eax+0x1]
0x08048b3d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b40: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048b43: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b46: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b49: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048b4c: 3c 09 cmp al,0x9 //0x9 初始化
0x08048b4e: 75 1b jne 0x8048b6b
0x08048b50: 8b 15 8c b2 04 08 mov edx,DWORD PTR ds:0x804b28c
0x08048b56: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b59: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048b5c: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b5f: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b62: 8d 50 01 lea edx,[eax+0x1]
0x08048b65: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b68: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048b6b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b6e: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b71: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048b74: 3c 10 cmp al,0x10 //0x10
0x08048b76: 75 1b jne 0x8048b93
0x08048b78: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b7b: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048b7e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b81: 89 50 24 mov DWORD PTR [eax+0x24],edx
0x08048b84: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b87: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b8a: 8d 50 01 lea edx,[eax+0x1]
0x08048b8d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b90: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048b93: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048b96: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048b99: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048b9c: 3c 11 cmp al,0x11 //0x11
0x08048b9e: 75 26 jne 0x8048bc6
0x08048ba0: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ba3: 8b 40 04 mov eax,DWORD PTR [eax+0x4]
0x08048ba6: 83 ec 08 sub esp,0x8
0x08048ba9: 50 push eax
0x08048baa: 68 0c 92 04 08 push 0x804920c "%P"
0x08048baf: e8 bc f9 ff ff call 0x8048570 <printf@plt>
0x08048bb4: 83 c4 10 add esp,0x10
0x08048bb7: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bba: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048bbd: 8d 50 01 lea edx,[eax+0x1]
0x08048bc0: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bc3: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048bc6: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bc9: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048bcc: 0f b6 00 movzx eax,BYTE PTR [eax] //虚拟机取操作
0x08048bcf: 3c a0 cmp al,0xa0 //0xa0
0x08048bd1: 75 28 jne 0x8048bfb
0x08048bd3: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bd6: 8b 40 04 mov eax,DWORD PTR [eax+0x4]
0x08048bd9: 3d 00 d1 f8 26 cmp eax,0x26f8d100 //很像判断
0x08048bde: 75 11 jne 0x8048bf1
0x08048be0: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048be3: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048be6: 8d 50 01 lea edx,[eax+0x1]
0x08048be9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bec: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048bef: eb 0a jmp 0x8048bfb //重头开始
0x08048bf1: 83 ec 0c sub esp,0xc
0x08048bf4: 6a 00 push 0x0
0x08048bf6: e8 c5 f9 ff ff call 0x80485c0 <exit@plt>
0x08048bfb: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048bfe: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048c01: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048c04: 3c a1 cmp al,0xa1 //0xa1 打印print("flag:")并且读入数据检验长度
0x08048c06: 75 52 jne 0x8048c5a
0x08048c08: 83 ec 0c sub esp,0xc
0x08048c0b: 68 10 92 04 08 push 0x8049210 //flag
0x08048c10: e8 5b f9 ff ff call 0x8048570 <printf@plt> //print("flag:")
0x08048c15: 83 c4 10 add esp,0x10
0x08048c18: 83 ec 04 sub esp,0x4
0x08048c1b: 6a 28 push 0x28
0x08048c1d: 68 e0 b2 04 08 push 0x804b2e0
0x08048c22: 6a 00 push 0x0
0x08048c24: e8 37 f9 ff ff call 0x8048560 <read@plt>
0x08048c29: 83 c4 10 add esp,0x10
0x08048c2c: 83 ec 0c sub esp,0xc
0x08048c2f: 68 e0 b2 04 08 push 0x804b2e0 //flag内存地址
0x08048c34: e8 97 f9 ff ff call 0x80485d0 <strlen@plt>
0x08048c39: 83 c4 10 add esp,0x10
0x08048c3c: 83 f8 21 cmp eax,0x21 //len(flag)!=0x21 33
0x08048c3f: 74 0a je 0x8048c4b
0x08048c41: 83 ec 0c sub esp,0xc
0x08048c44: 6a 00 push 0x0
0x08048c46: e8 75 f9 ff ff call 0x80485c0 <exit@plt> //exit()
0x08048c4b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c] //长度判断符合规则
0x08048c4e: 8b 40 20 mov eax,DWORD PTR [eax+0x20] //[[ebp-0x2c]+0x20]+0x1
0x08048c51: 8d 50 01 lea edx,[eax+0x1]
0x08048c54: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c57: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048c5a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c5d: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048c60: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048c63: 3c b1 cmp al,0xb1 //0xb1 加载函数
0x08048c65: 75 1b jne 0x8048c82
0x08048c67: 8b 15 a0 b2 04 08 mov edx,DWORD PTR ds:0x804b2a0 //?下一个地址
0x08048c6d: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c70: 89 50 24 mov DWORD PTR [eax+0x24],edx
0x08048c73: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c76: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048c79: 8d 50 01 lea edx,[eax+0x1]
0x08048c7c: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c7f: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048c82: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c85: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048c88: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048c8b: 3c b2 cmp al,0xb2 //0xb2
0x08048c8d: 75 1b jne 0x8048caa
0x08048c8f: 8b 15 a4 b2 04 08 mov edx,DWORD PTR ds:0x804b2a4
0x08048c95: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c98: 89 50 24 mov DWORD PTR [eax+0x24],edx
0x08048c9b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048c9e: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048ca1: 8d 50 01 lea edx,[eax+0x1]
0x08048ca4: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ca7: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048caa: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048cad: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048cb0: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048cb3: 3c a4 cmp al,0xa4 //0xa4
0x08048cb5: 75 37 jne 0x8048cee
0x08048cb7: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048cba: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048cbd: 83 c0 01 add eax,0x1
0x08048cc0: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048cc3: 0f b6 c0 movzx eax,al
0x08048cc6: 89 45 e4 mov DWORD PTR [ebp-0x1c],eax
0x08048cc9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ccc: 8b 40 04 mov eax,DWORD PTR [eax+0x4]
0x08048ccf: 89 45 e8 mov DWORD PTR [ebp-0x18],eax
0x08048cd2: 8b 55 e8 mov edx,DWORD PTR [ebp-0x18]
0x08048cd5: 8b 45 e4 mov eax,DWORD PTR [ebp-0x1c]
0x08048cd8: 89 14 85 a0 b2 04 08 mov DWORD PTR [eax*4+0x804b2a0],edx //?存入函数
0x08048cdf: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ce2: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048ce5: 8d 50 04 lea edx,[eax+0x4]
0x08048ce8: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048ceb: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048cee: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048cf1: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048cf4: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048cf7: 3c b3 cmp al,0xb3 //加载
0x08048cf9: 75 1b jne 0x8048d16
0x08048cfb: 8b 15 a8 b2 04 08 mov edx,DWORD PTR ds:0x804b2a8
0x08048d01: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d04: 89 50 24 mov DWORD PTR [eax+0x24],edx
0x08048d07: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d0a: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d0d: 8d 50 01 lea edx,[eax+0x1]
0x08048d10: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d13: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048d16: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d19: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d1c: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048d1f: 3c b4 cmp al,0xb4 //0xb4
0x08048d21: 75 1b jne 0x8048d3e
0x08048d23: 8b 15 ac b2 04 08 mov edx,DWORD PTR ds:0x804b2ac //加载
0x08048d29: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d2c: 89 50 24 mov DWORD PTR [eax+0x24],edx
0x08048d2f: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d32: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d35: 8d 50 01 lea edx,[eax+0x1]
0x08048d38: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d3b: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048d3e: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d41: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d44: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048d47: 3c c1 cmp al,0xc1 //?存入
0x08048d49: 75 35 jne 0x8048d80
0x08048d4b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d4e: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d51: 83 c0 01 add eax,0x1
0x08048d54: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048d57: 0f b6 c0 movzx eax,al
0x08048d5a: 89 45 ec mov DWORD PTR [ebp-0x14],eax
0x08048d5d: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
0x08048d60: 05 e0 b2 04 08 add eax,0x804b2e0
0x08048d65: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048d68: 0f b6 d0 movzx edx,al
0x08048d6b: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d6e: 89 50 04 mov DWORD PTR [eax+0x4],edx
0x08048d71: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d74: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d77: 8d 50 02 lea edx,[eax+0x2]
0x08048d7a: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d7d: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048d80: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d83: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d86: 0f b6 00 movzx eax,BYTE PTR [eax]
0x08048d89: 3c c2 cmp al,0xc2 //0xc2
0x08048d8b: 0f 85 bf fa ff ff jne 0x8048850
0x08048d91: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048d94: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048d97: 83 c0 01 add eax,0x1
0x08048d9a: 8b 00 mov eax,DWORD PTR [eax]
0x08048d9c: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
0x08048d9f: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048da2: 8b 50 04 mov edx,DWORD PTR [eax+0x4]
0x08048da5: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]
0x08048da8: 39 c2 cmp edx,eax //edx?=eax 可能为判断指令是否取完
0x08048daa: 74 0a je 0x8048db6 //退出
0x08048dac: 83 ec 0c sub esp,0xc
0x08048daf: 6a 00 push 0x0
0x08048db1: e8 0a f8 ff ff call 0x80485c0 <exit@plt>
0x08048db6: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c] //不退出跳转
0x08048db9: 8b 40 20 mov eax,DWORD PTR [eax+0x20]
0x08048dbc: 8d 50 05 lea edx,[eax+0x5]
0x08048dbf: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
0x08048dc2: 89 50 20 mov DWORD PTR [eax+0x20],edx
0x08048dc5: e9 86 fa ff ff jmp 0x8048850 //去指令继续跳转
0x08048dca: 90 nop
0x08048dcb: 90 nop
0x08048dcc: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
0x08048dcf: 65 33 05 14 00 00 00 xor eax,DWORD PTR gs:0x14
0x08048dd6: 74 05 je 0x8048ddd
0x08048dd8: e8 b3 f7 ff ff call 0x8048590 <__stack_chk_fail@plt>
0x08048ddd: 8b 5d fc mov ebx,DWORD PTR [ebp-0x4]
0x08048de0: c9 leave
是不是看起来很恶心,那我们这次使用IDA试一下。在目标处打上断点,创建函数,直接F5。emmmmm由此观之能用IDA的时候最好不要偷懒。舒适~
/*
 * IDA pseudocode of the VM dispatch loop at 0x8048838.  a1 points at the
 * VM context; the slots this function touches are (offset = index * 4):
 *   a1[1] (+0x04)  accumulator - every arithmetic/logic opcode writes it
 *   a1[2] (+0x08)  operand for add / shifts / or / and
 *   a1[3] (+0x0C)  operand for mul; also used as a byte pointer by 'S'/'T'
 *   a1[4] (+0x10)  operand for sub
 *   a1[5] (+0x14)  divisor for div
 *   a1[6] (+0x18)  pointer into a downward-growing scratch stack ('q'/'v')
 *   a1[8] (+0x20)  bytecode pointer - *a1[8] is the current opcode byte
 *   a1[9] (+0x24)  xor key, loaded by 0x10 / 0xB1..0xB4, consumed by 'w'
 *
 * The opcode tests are independent `if`s, not an else-chain: once a
 * handler advances a1[8], the remaining tests of the same pass re-read
 * the new opcode, so several instructions can execute per iteration of
 * the while loop.  There is no default case and no handler matching a
 * byte leaves a1[8] untouched, so an unknown opcode spins forever.
 * Multi-byte immediates are read unaligned straight from the bytecode.
 *
 * Unresolved callees, per the disassembly above: unk_80485F0 = putchar,
 * unk_8048580 = getchar, unk_8048570 = printf, unk_80485C0 = exit,
 * unk_8048560 = read, unk_80485D0 = strlen, unk_8048590 = __stack_chk_fail.
 * unk_80487EF is an internal helper that is not shown on this page.
 */
int __cdecl sub_8048838(_DWORD *a1)
{
    _BYTE *v1; // ST28_4
    int result; // eax
    unsigned int v3; // et1
    int v4; // [esp-Ch] [ebp-44h]  decompiler artefact: the asm pushes only 0 before calling exit
    int v5; // [esp-8h] [ebp-40h]  (same artefact)
    int v6; // [esp-4h] [ebp-3Ch]  (same artefact)
    unsigned int v7; // [esp+2Ch] [ebp-Ch]  saved copy of the stack-protector canary
    v7 = __readgsdword(0x14u);
    while ( 1 ) // fetch/dispatch loop; only opcode 0x99 leaves it
    {
        if ( *a1[8] == 113 ) // 0x71 'q': push the imm32 at pc+1 onto the a1[6] stack (no bound check on a1[6]); 5-byte encoding
        {
            a1[6] -= 4;
            *a1[6] = *(a1[8] + 1); // dword immediate read unaligned from the bytecode
            a1[8] += 5;
        }
        if ( *a1[8] == 65 ) // 0x41 'A': acc += a1[2]
        {
            a1[1] += a1[2];
            ++a1[8];
        }
        if ( *a1[8] == 66 ) // 0x42 'B': acc -= a1[4]
        {
            a1[1] -= a1[4];
            ++a1[8];
        }
        if ( *a1[8] == 67 ) // 0x43 'C': acc *= a1[3]
        {
            a1[1] *= a1[3];
            ++a1[8];
        }
        if ( *a1[8] == 68 ) // 0x44 'D': acc /= a1[5]; the asm uses an unsigned `div` and never checks a1[5] for zero, so a zero divisor faults
        {
            a1[1] /= a1[5];
            ++a1[8];
        }
        if ( *a1[8] == -128 ) // 0x80: a1[idx] = imm32 at pc+2; 6-byte encoding (opcode, register byte, dword)
        {
            // idx comes from unk_80487EF(a1, 1) - presumably it decodes the register byte at pc+1
            // (the bytecode later on pairs 0x80 with a register number), but that helper is not
            // shown here; whatever it returns is used as an index into a1 without a range check.
            a1[(unk_80487EF)(a1, 1)] = *(a1[8] + 2);
            a1[8] += 6;
        }
        if ( *a1[8] == 119 ) // 0x77 'w': acc ^= key
        {
            a1[1] ^= a1[9];
            ++a1[8];
        }
        if ( *a1[8] == 83 ) // 0x53 'S': putchar(*(char *)a1[3]); 2-byte encoding (second byte unused here)
        {
            (unk_80485F0)(*a1[3]);
            a1[8] += 2;
        }
        if ( *a1[8] == 34 ) // 0x22: acc >>= a1[2]; the asm uses `shr`, i.e. a logical shift
        {
            a1[1] >>= a1[2];
            ++a1[8];
        }
        if ( *a1[8] == 35 ) // 0x23: acc <<= a1[2]
        {
            a1[1] <<= a1[2];
            ++a1[8];
        }
        if ( *a1[8] == -103 ) // 0x99: halt - the only way out of the loop
            break;
        if ( *a1[8] == 118 ) // 0x76 'v': pop the a1[6] stack into a1[3], zeroing the slot; advances pc by 5 like 'q'
        {
            a1[3] = *a1[6];
            *a1[6] = 0;
            a1[6] += 4;
            a1[8] += 5;
        }
        if ( *a1[8] == 84 ) // 0x54 'T': *(char *)a1[3] = getchar(); 2-byte encoding; EOF (-1) is stored as 0xFF without a check
        {
            v1 = a1[3];
            *v1 = (unk_8048580)();
            a1[8] += 2;
        }
        if ( *a1[8] == 48 ) // 0x30 '0': acc |= a1[2]
        {
            a1[1] |= a1[2];
            ++a1[8];
        }
        if ( *a1[8] == 49 ) // 0x31 '1': acc &= a1[2]
        {
            a1[1] &= a1[2];
            ++a1[8];
        }
        if ( *a1[8] == 9 ) // 0x09: acc = global dword_804B28C (the writeup treats it as the user-supplied int; who fills it is not shown here)
        {
            a1[1] = dword_804B28C;
            ++a1[8];
        }
        if ( *a1[8] == 16 ) // 0x10: key = acc
        {
            a1[9] = a1[1];
            ++a1[8];
        }
        if ( *a1[8] == 17 ) // 0x11: printf(fmt at unk_804920C, acc) - the format string is fixed, only the value is attacker-influenced
        {
            (unk_8048570)(&unk_804920C, a1[1]);
            ++a1[8];
        }
        if ( *a1[8] == -96 ) // 0xA0: continue only if acc == 0x26F8D100, else exit(0)
        {
            if ( a1[1] == 653840640 )
                ++a1[8];
            else
                (unk_80485C0)(0, v4, v5, v6); // exit(0); v4..v6 are decompiler noise
        }
        if ( *a1[8] == -95 ) // 0xA1: prompt, read up to 40 bytes of flag into byte_804B2E0, require strlen == 33
        {
            (unk_8048570)("flag:");
            // read() return value is not checked and the buffer is not explicitly NUL-terminated;
            // the strlen() below relies on the bytes after the input already being zero.
            (unk_8048560)(0, byte_804B2E0, 40);
            if ( (unk_80485D0)(byte_804B2E0) != 33 )
                (unk_80485C0)(0, v4, v5, v6); // exit(0)
            ++a1[8];
        }
        if ( *a1[8] == -79 ) // 0xB1: key = dword_804B2A0[0]
        {
            a1[9] = dword_804B2A0[0];
            ++a1[8];
        }
        if ( *a1[8] == -78 ) // 0xB2: key = dword_804B2A0[1] (0x804B2A4)
        {
            a1[9] = dword_804B2A4;
            ++a1[8];
        }
        if ( *a1[8] == -92 ) // 0xA4: dword_804B2A0[idx] = acc, idx = zero-extended byte at pc+1; 4-byte encoding
        {
            // idx (0..255) is not range-checked; the 0xB1..0xB4 readers only use entries 0..3,
            // and byte_804B2E0 lies 0x40 bytes (entry 16) after the table start.
            dword_804B2A0[*(a1[8] + 1)] = a1[1];
            a1[8] += 4;
        }
        if ( *a1[8] == -77 ) // 0xB3: key = dword_804B2A0[2] (0x804B2A8)
        {
            a1[9] = dword_804B2A8;
            ++a1[8];
        }
        if ( *a1[8] == -76 ) // 0xB4: key = dword_804B2A0[3] (0x804B2AC)
        {
            a1[9] = dword_804B2AC;
            ++a1[8];
        }
        if ( *a1[8] == -63 ) // 0xC1: acc = flag byte at index pc+1 (zero-extended per the movzx in the asm); 2-byte encoding
        {
            // the index byte is not checked against the 40 bytes that were read.
            a1[1] = byte_804B2E0[*(a1[8] + 1)];
            a1[8] += 2;
        }
        if ( *a1[8] == -62 ) // 0xC2: exit(0) unless acc == imm32 at pc+1; 5-byte encoding
        {
            if ( a1[1] != *(a1[8] + 1) )
                (unk_80485C0)(0, v4, v5, v6); // exit(0)
            a1[8] += 5;
        }
    }
    // stack-protector epilogue: re-read the canary and abort on mismatch
    v3 = __readgsdword(0x14u);
    result = v3 ^ v7;
    if ( v3 != v7 )
        result = (unk_8048590)(); // __stack_chk_fail
    return result;
}
然后我们导出字节码数据:
这里需要将字节码稍微处理一下,起码处理成我们能看懂的样子。需要注意的是,指令的长度并不统一:有些指令的操作码后面还跟着好几个字节的操作数,而有的只占一个字节。我们来写一个脚本稍微处理一下:(这里嫖了子洋师傅的指令集,因为我写的真的有点惨不忍睹)
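# Raw VM bytecode dumped from the binary: opcode bytes each followed by
# that opcode's operand bytes.  Everything after the 0x99 halt opcode is
# never reached by the interpreter.
A=[
0x09, 0x10, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x22, 0x77,
0x10, 0x80, 0x02, 0x09, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02,
0x00, 0x96, 0xF3, 0x78, 0x31, 0x77, 0x10, 0x80, 0x02, 0x11,
0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x00, 0xD4, 0x85,
0x31, 0x77, 0x10, 0x80, 0x02, 0x13, 0x00, 0x00, 0x00, 0x22,
0x77, 0xA0, 0x09, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31,
0x80, 0x03, 0x02, 0x00, 0x00, 0x00, 0x43, 0x80, 0x02, 0x18,
0x00, 0x00, 0x00, 0x41, 0xA4, 0x00, 0x00, 0x00, 0x09, 0x80,
0x02, 0x08, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00,
0x00, 0x00, 0x31, 0x80, 0x05, 0x07, 0x00, 0x00, 0x00, 0x44,
0x80, 0x02, 0x21, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x01, 0x00,
0x00, 0x09, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x22, 0x80,
0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x09, 0xBB, 0x00,
0x00, 0x00, 0x77, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x41,
0xA4, 0x02, 0x00, 0x00, 0x09, 0x80, 0x02, 0x18, 0x00, 0x00,
0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80,
0x04, 0xA0, 0x00, 0x00, 0x00, 0x42, 0x80, 0x02, 0x77, 0x00,
0x00, 0x00, 0x41, 0xA4, 0x03, 0x00, 0x00, 0xA1, 0xC1, 0x00,
0xB1, 0x77, 0xC2, 0x0B, 0x01, 0x00, 0x00, 0xC1, 0x01, 0xB2,
0x77, 0xC2, 0x7A, 0x00, 0x00, 0x00, 0xC1, 0x02, 0xB4, 0x77,
0xC2, 0x95, 0x00, 0x00, 0x00, 0xC1, 0x03, 0xB3, 0x77, 0xC2,
0x06, 0x01, 0x00, 0x00, 0xC1, 0x04, 0xB2, 0x77, 0xC2, 0x7D,
0x00, 0x00, 0x00, 0xC1, 0x05, 0xB4, 0x77, 0xC2, 0xAD, 0x00,
0x00, 0x00, 0xC1, 0x06, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00,
0x00, 0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x65, 0x01, 0x00, 0x00,
0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x2D, 0x01, 0x00, 0x00, 0xC1,
0x09, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00, 0xC1, 0x0A,
0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x0B, 0xB3,
0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x0C, 0xB4, 0x77,
0xC2, 0xBB, 0x00, 0x00, 0x00, 0xC1, 0x0D, 0xB2, 0x77, 0xC2,
0x08, 0x00, 0x00, 0x00, 0xC1, 0x0E, 0xB3, 0x77, 0xC2, 0x0D,
0x01, 0x00, 0x00, 0xC1, 0x0F, 0xB1, 0x77, 0xC2, 0x3F, 0x01,
0x00, 0x00, 0xC1, 0x10, 0xB3, 0x77, 0xC2, 0x3A, 0x01, 0x00,
0x00, 0xC1, 0x11, 0xB3, 0x77, 0xC2, 0x61, 0x01, 0x00, 0x00,
0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x57, 0x00, 0x00, 0x00, 0xC1,
0x13, 0xB1, 0x77, 0xC2, 0x20, 0x01, 0x00, 0x00, 0xC1, 0x14,
0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x15, 0xB1,
0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x16, 0xB3, 0x77,
0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x17, 0xB4, 0x77, 0xC2,
0xB5, 0x00, 0x00, 0x00, 0xC1, 0x18, 0xB1, 0x77, 0xC2, 0x13,
0x01, 0x00, 0x00, 0xC1, 0x19, 0xB4, 0x77, 0xC2, 0xA0, 0x00,
0x00, 0x00, 0xC1, 0x1A, 0xB1, 0x77, 0xC2, 0x21, 0x01, 0x00,
0x00, 0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00,
0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x0B, 0x00, 0x00, 0x00, 0xC1,
0x1D, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x1E,
0xB1, 0x77, 0xC2, 0x73, 0x01, 0x00, 0x00, 0xC1, 0x1F, 0xB2,
0x77, 0xC2, 0x46, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x4C, 0xF7, 0xF7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x45, 0xF7, 0xF7, 0x60, 0x4D, 0xF7, 0xF7,
0x00, 0x00, 0x00, 0x00]
# Opcode table: (opcode, human-readable meaning, total instruction length
# in bytes including the opcode byte).  The length is how far the VM's
# dispatch loop advances its bytecode pointer for that opcode; the "%d"
# in some texts is kept literal, the operand bytes are appended in hex.
dic = [
(65, 'a1[1] += a1[2]', 1),
(66, 'a1[1] -= a1[4]', 1),
(67, 'a1[1] *= a1[3]', 1),
(68, 'a1[1] /= a1[5]', 1),
(128, 'a1[?] = %d', 6),
(119, 'a1[1] ^= a1[9]', 1),
(34, 'a1[1] >>= a1[2]', 1),
(35, 'a1[1] <<= a1[2]', 1),
(153, '跳出循环', 1),
(48, 'a1[1] |= a1[2]', 1),
(49, 'a1[1] &= a1[2]', 1),
(9, 'a1[1] = 输入int', 1),
(16, 'a1[9] = a1[1]', 1),
(17, 'printf("%p\n", a1[1])', 1),
(160, 'if (a1[1] == 0x26F8D100) opn++ else exit()', 1),
(161, '输入flag, flag = byte_804B2E0', 1),
(177, 'a1[9] = dword_804B2A0[0]', 1),
(178, 'a1[9] = dword_804B2A4', 1),
(164, 'dword_804B2A0[%d] = a1[1]', 4),
(179, 'a1[9] = dword_804B2A8', 1),
(180, 'a1[9] = dword_804B2AC', 1),
(193, 'a1[1] = byte_804B2E0[%d]', 2),
(194, 'if (a1[1] == %d)', 5)
]

HALT = 153  # 0x99: the interpreter breaks out of its dispatch loop here


def decode(code, table, start=0):
    """Linearly disassemble VM bytecode into one text line per instruction.

    Args:
        code:  sequence of byte values (0..255).
        table: iterable of (opcode, text, length) triples; ``length`` is the
               whole instruction size including the opcode byte.
        start: offset in ``code`` at which decoding begins.

    Returns:
        list[str]: for each instruction its ``text`` followed by the operand
        bytes in hex, space separated.  Decoding stops after the HALT opcode.
        A byte matching no table entry is emitted as ``"?? 0x.."`` and
        skipped by one byte so the listing always terminates (the real
        interpreter never advances past an unknown opcode and would spin).
        A truncated final instruction is emitted with the operand bytes
        that remain.

    Operands are consumed together with their opcode, so operand bytes are
    never re-decoded as opcodes (the earlier ``for i in range(...)`` version
    could not skip them because reassigning ``i`` has no effect there, and
    it indexed ``dic[j][3]`` on 3-tuples).
    """
    ops = {op: (text, size) for op, text, size in table}
    lines = []
    i = start
    while i < len(code):
        op = code[i]
        if op not in ops:
            lines.append("?? " + hex(op))
            i += 1
            continue
        text, size = ops[op]
        operands = code[i + 1:i + size]
        lines.append(" ".join([text] + [hex(b) for b in operands]))
        i += size
        if op == HALT:
            break
    return lines


for line in decode(A, dic):
    print(line)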
然后分析一下结果:
a1[1] = 输入int
a1[9] = a1[1]
a1[?] = %d0x2 0xd 0x0 0x0 0x0
a1[1] >>= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x9 0x0 0x0 0x0
a1[1] = 输入int
a1[1] <<= a1[2]
a1[?] = %d0x2 0x0 0x96 0xf3 0x78
a1[1] &= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x11 0x0 0x0 0x0
printf("%p
", a1[1])
a1[1] <<= a1[2]
a1[?] = %d0x2 0x0 0x0 0xd4 0x85
a1[1] &= a1[2]
a1[1] ^= a1[9]
a1[9] = a1[1]
a1[?] = %d0x2 0x13 0x0 0x0 0x0
a1[1] >>= a1[2]
a1[1] ^= a1[9]
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] = 输入int
a1[?] = %d0x2 0xff 0x0 0x0 0x0
a1[1] &= a1[2]
a1[?] = %d0x3 0x2 0x0 0x0 0x0
a1[1] *= a1[3]
a1[?] = %d0x2 0x18 0x0 0x0 0x0
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x0 0x0 0x0
a1[1] = 输入int
a1[?] = %d0x2 0x8 0x0 0x0 0x0
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0
a1[1] &= a1[2]
a1[?] = %d0x5 0x7 0x0 0x0 0x0
a1[1] /= a1[5]
a1[?] = %d0x2 0x21 0x0 0x0 0x0
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x1 0x0 0x0
a1[1] = 输入int
a1[?] = %d0x2 0x10 0x0 0x0 0x0
a1[9] = a1[1]
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0
a1[1] &= a1[2]
a1[?] = %d0x9 0xbb 0x0 0x0 0x0
a1[1] = 输入int
a1[1] ^= a1[9]
a1[?] = %d0x2 0xff 0x0 0x0 0x0
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x2 0x0 0x0
a1[1] = 输入int
a1[?] = %d0x2 0x18 0x0 0x0 0x0
a1[1] >>= a1[2]
a1[?] = %d0x2 0xff 0x0 0x0 0x0
a1[1] &= a1[2]
a1[?] = %d0x4 0xa0 0x0 0x0 0x0
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] -= a1[4]
a1[?] = %d0x2 0x77 0x0 0x0 0x0
a1[1] ^= a1[9]
a1[1] += a1[2]
dword_804B2A0[%d] = a1[1]0x3 0x0 0x0
输入flag, flag = byte_804B2E0
a1[1] = byte_804B2E0[%d]0x0
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0xb 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x7a 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x2
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0x95 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x3
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x6 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x4
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x7d 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x5
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xad 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x6
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2f 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x7
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x65 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x8
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2d 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x9
a1[1] = 输入int
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x2f 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0xa
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x39 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0xb
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0xc
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xbb 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0xd
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x8 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0xe
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0xf
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x10
a1[9] = a1[1]
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x3a 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x11
printf("%p
", a1[1])
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x61 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x12
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x57 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x13
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x20 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x14
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x15
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x16
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x3f 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x17
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xb5 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x18
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x13 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x19
a1[9] = dword_804B2AC
a1[1] ^= a1[9]
if (a1[1] == %d)0xa0 0x0 0x0 0x0
if (a1[1] == 0x26F8D100) opn++ else exit()
a1[1] = byte_804B2E0[%d]0x1a
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x21 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1b
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0xd 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1c
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0xb 0x0 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1d
a1[9] = dword_804B2A8
a1[1] ^= a1[9]
if (a1[1] == %d)0x39 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1e
a1[9] = dword_804B2A0[0]
a1[1] ^= a1[9]
if (a1[1] == %d)0x73 0x1 0x0 0x0
a1[1] = byte_804B2E0[%d]0x1f
a1[9] = dword_804B2A4
a1[1] ^= a1[9]
if (a1[1] == %d)0x46 0x0 0x0 0x0
跳出循环
if (a1[1] == 0x26F8D100) opn++ else exit()
这里偷懒了,为了使脚本简单一点,就把操作使用的寄存器与数据接到了指令的后面。我们只需要对程序进行亿点点的处理就可以了。
第一部分是一个小算法,以后就叫作子洋师傅的七夕节算法吧!这里是传送门
第二部分是一个加密小算法:具体流程这里。解出flag:GACTF{c7ack_m3_sh3ll_smc_vm_0k?}
这道题目纯属出题师傅与我师傅的双重炫技,朴实无华的界面,配上朴实无华的音乐,再配上朴实无华的WP,对我造成了成吨的伤害。题目给的是一个解密的exe,和一个被加密过的flag。我们的目的就是获得KEY将flag进行解密,但是我的静态分析水平又很感人,导致我迟迟找不到关键的函数。
这道题目师傅已经写得很具体了,我只记录几个我觉得比较痛苦的东西。
首先就是结构体,有些时候我们在F5后会出现类似结构体的结构,不要怕,这是个好事。因为如果是出题人自己搞的结构体,一般来说IDA是无法识别的,需要我们自己进行创建。这里先说一下这里面的结构体。
/* Win32 PAINTSTRUCT as reproduced in the writeup; the field notes restate
 * the author's descriptions that follow the struct. */
typedef struct tagPAINTSTRUCT {
    HDC hdc;              /* device-context handle used for drawing */
    BOOL fErase;          /* nonzero: the background must be erased before painting */
    RECT rcPaint;         /* upper-left / lower-right corners of the rectangle to paint */
    BOOL fRestore;        /* reserved by the system */
    BOOL fIncUpdate;      /* reserved by the system */
    BYTE rgbReserved[32]; /* reserved by the system */
} PAINTSTRUCT, *PPAINTSTRUCT;
hdc:用于绘制的设备环境句柄
fErase:1. 表示背景是否必须擦除,如果为非零值则擦除背景,否则不擦除背景;2. 如果创建窗口类的时候没有设置背景画刷,则负责擦除背景
rcPaint:一个 RECT 结构,指定左上角和右下角的坐标确定一个要绘制的矩形范围
fRestore:系统保留
fIncUpdate:系统保留
rgbReserved:系统保留
所以本题目的这个结构体其实没有啥影响,最多也就影响到了一个加密的取值。
其次是一些函数,老恶心了,不知道是啥意思。但是IDA中命名还是有一点规则的,所以不要担心,看这里。
SSE指令集
这里说一个东西:_mm_unpacklo_epi8(_m128i S0,_m128i S1):将S0和S1的低64位数以8位为单位进行交错;
S0:A15 A14 A13 A12 A11 A10 A9 A8 A7 A6 A5 A4 A3 A2 A1 A0
S1:B15 B14 B13 B12 B11 B10 B9 B8 B7 B6 B5 B4 B3 B2 B1 B0
_mm_unpacklo_epi8(S0,S1):B7 A7 B6 A6 B5 A5 B4 A4 B3 A3 B2 A2 B1 A1 B0 A0