I'm a newbie; if there are mistakes (or omissions), please point them out, thanks!!
bang
Find a tool to unpack it in one click, open it in jeb, search, and there's the flag.
signal
VM instructions; took a look and it doesn't seem reversible, so I just ran it with angr.
import angr

# Load the target binary (path as used on the author's machine).
p = angr.Project('/home/cx330/Desktop/Debugging/signal.exe')
# Start symbolic execution from the program entry point with symbolic stdin.
state = p.factory.entry_state()
sm = p.factory.simulation_manager(state)

# A path is "good" once the success message has been written to stdout.
def good(state):
    return b"good" in state.posix.dumps(1)

# Paths that print the failure message are pruned.
def bad(state):
    return b"what" in state.posix.dumps(1)

sm.explore(find = good, avoid = bad)
if sm.found:
    find_state = sm.found[0]
    # Concretise stdin for the found path; bytes after the first NUL are
    # unconstrained leftovers, which is why the output below has garbage.
    flag = find_state.posix.dumps(0)
    print(flag)
Output:
b'757515121f3d478\x00\x89)\x02\xa2\x01\x8c\x00\x00\x01\x00\x01\x08\x02\x00\x8a\x08\x00*)\x00I\x00\x00\x1a\x00\x00\x00\x02\x0e\x00J\x1a\x0eJ\x00\x00J\x08\x02\x02\x00\x8a\x00\x19'
jocker
This one is a real pain.
main can't be decompiled with F5; adjust the stack pointer.
Then there's a fake check, and below it is SMC self-decryption.
Attaching the IDC code (dynamic debugging works too):
#include <idc.idc>

// Undo the self-modifying code in the database: the binary XORs
// 187 bytes starting at 0x401500 with 0x41 at run time, so patching
// the same bytes here lets IDA disassemble the real check.
static main()
{
    auto addr = 0x401500;
    auto i = 0;
    for(i=0;i<187;i++)
    {
        PatchByte(addr+i,Byte(addr+i)^0x41);
    }
}
What gets decrypted is just an XOR, but it's incomplete: 5 characters are missing.
The guesswork part is painful.
Solve script:
#include <stdio.h>
#include <string.h>

/* XOR table pulled out of the decrypted check. Only the first 19 entries
   are meaningful; the trailing entries are zero. */
unsigned int date[28] = {
    0x0000000E, 0x0000000D, 0x00000009, 0x00000006, 0x00000013, 0x00000005, 0x00000058, 0x00000056,
    0x0000003E, 0x00000006, 0x0000000C, 0x0000003C, 0x0000001F, 0x00000057, 0x00000014, 0x0000006B,
    0x00000057, 0x00000059, 0x0000000D, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000
};
/* The key string the check XORs the input against. */
char str[] = "hahahaha_do_you_find_me?";

int main(void)
{
    int i = 0;
    char flag[25] = { 0 };          /* 24 characters plus terminating NUL */

    /* Undo the XOR for the 19 positions the table covers. */
    for (i = 0; i < 19; i++)
        flag[i] = date[i] ^ str[i];

    /* The last five characters are not in the table; these are the
       constants the writeup worked out for them. */
    flag[23] = '}';
    flag[22] = '}' ^ 58 ^ 38;
    flag[21] = '}' ^ 58 ^ 112;
    flag[20] = '}' ^ 58 ^ 116;
    flag[19] = '}' ^ 58 ^ 37;
    puts(flag);
    return 0;
}