
2019ddctf reverse1_final

2019-4-20 01:23 1488


0x00 Running the program

0x01 Checking for a packer


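The program is packed with UPX.

0x02 Unpacking

This packer can be removed with a tool or unpacked by hand.
With the tool, run the command: upx -d filename
After unpacking:

0x03 Analysis

1. Load the unpacked program into IDA: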

 


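The function sub_401000 is the key.
Starting at 0x402ff8, our input is used as an index to build a new string. This string is compared with "DDCTF{reverseME}", and if they are equal the input is reported as correct.
2. Open it in OllyDbg (OD) and look at the data starting at 0x402ff8
Ctrl + G, then enter 0x402ff8

0x04 Solution script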

# Bytes dumped from memory starting at 0x402ff8
table = [0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xFF,0x3A,0xFC,0x30,0x00,0xC5,0x03,0xCF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x7E,0x7D,0x7C,0x7B,0x7A,0x79,0x78,0x77,0x76,0x75,0x74,0x73,0x72,0x71,0x70,0x6F,0x6E,0x6D,0x6C,0x6B,0x6A,0x69,0x68,0x67,0x66,0x65,0x64,0x63,0x62,0x61,0x60,0x5F,0x5E,0x5D,0x5C,0x5B,0x5A,0x59,0x58,0x57,0x56,0x55,0x54,0x53,0x52,0x51,0x50,0x4F,0x4E,0x4D,0x4C,0x4B,0x4A,0x49,0x48,0x47,0x46,0x45,0x44,0x43,0x42,0x41,0x40,0x3F,0x3E,0x3D,0x3C,0x3B,0x3A,0x39,0x38,0x37,0x36,0x35,0x34,0x33,0x32,0x31,0x30,0x2F,0x2E,0x2D,0x2C,0x2B,0x2A,0x29,0x28,0x27,0x26,0x25,0x24,0x23,0x22,0x21,0x20,0x00,0x01,0x00,0x00,0x00,0x70,0x19,0x38,0x00,0x80,0x12,0x38,0x00,0x00,0x00,0x00,0x00]
flag = ''
str1 = "DDCTF{reverseME}"
# The program computes table[input_byte], so the input byte for each
# target character is the index at which that character sits in the table.
for i in range(len(str1)):
    flag += chr(table.index(ord(str1[i])))
print(flag)

Result: ZZ[JX#,9(9,+9QY!




Last edited by 无名无名氏 on 2019-4-20 01:27.
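An added example, not part of the original post: the same inverse lookup, but restricted to typeable input bytes and verified by running the forward transform. It assumes, following the post's description, that sub_401000 replaces each input byte b with table[b]; the function names `transform`, `preimages` and `solve` are made up here.

```python
# Added example. Assumption from the post's description: the check maps each
# input byte b to TABLE[b], where TABLE is the data starting at 0x402ff8.
# Same bytes as the post's table, written compactly.
TABLE = (
    bytes.fromhex("0000000000000000ff3afc3000c503cf"
                  "fffffffffffffffffeffffff01000000")   # offsets 0..31
    + bytes(range(0x7E, 0x1F, -1))                      # offsets 32..126: 0x7E down to 0x20
    + bytes.fromhex("0001000000701938008012380000000000")  # offsets 127..143
)

PRINTABLE = range(0x20, 0x7F)  # bytes a user can actually type


def transform(data: bytes) -> bytes:
    """Forward direction: what the program builds from the input."""
    return bytes(TABLE[b] for b in data)


def preimages(value: int, allowed=PRINTABLE) -> list:
    """All allowed input bytes that the table maps to `value`."""
    return [i for i in allowed if i < len(TABLE) and TABLE[i] == value]


def solve(target: bytes) -> str:
    """Recover the typeable input whose transform equals `target`."""
    out = []
    for pos, value in enumerate(target):
        cands = preimages(value)
        if len(cands) != 1:
            raise ValueError(
                f"position {pos}: {len(cands)} typeable preimages for {value:#04x}")
        out.append(cands[0])
    answer = bytes(out)
    if transform(answer) != target:  # re-check against the forward model
        raise ValueError("recovered input does not reproduce the target")
    return answer.decode("ascii")


if __name__ == "__main__":
    print(solve(b"DDCTF{reverseME}"))
    # A first-match search can land in the non-printable header: 0x3A also
    # sits at offset 9, so list.index() would return an untypeable byte for ':'.
    print(TABLE.index(ord(":")), solve(b":"))
```

For the target string in this challenge no character collides with the header bytes, which is why the first-match search in the post's script gives the right answer.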