天津垓.exe
No packer, 64-bit.
IDA quickly finds the first key function.
Write a script to reverse it:
flag1 = ''
# bytes the binary compares against, and the 14-byte key it mixes in
dat1 = [17,8,6,10,15,20,42,59,47,3,47,4,16,72,62,0,7,16]
dat2 = [0x52,0x69,0x73,0x69,0x6E,0x67,0x5F,0x48,0x6F,0x70,0x70,0x65,0x72,0x21]
for i in range(0,18):
    for j in range(33,127):  # try every printable ASCII byte
        # the check in the binary: ~(j & k) & (j | k), key byte repeats every 14 chars
        if(dat1[i] == ~(j & dat2[i % 14]) & (j | dat2[i % 14])):
            flag1 += chr(j)
print(flag1)
#Caucasus@s_ability
There is a second input, so continue locating the key function.
There is anti-debugging; set a breakpoint and nop it out first.
Run the program and enter the string obtained above to reach the second key function. Notice that the buffer at lpAddress is decrypted, which is suspicious; once the decryption has finished, step into it.
Guess that what was decrypted here is code.
Sure enough, neatly laid out assembly appears; create a function there and decompile it into pseudocode.
The logic of the second key function is now clear; write a script to reverse it and get the flag.
flag2 = ''
# values the decrypted code compares against, one per flag character
dat3 = [2007666,2125764,1909251,2027349,2421009,1653372,2047032,2184813,2302911,
        2263545,1909251,2165130,1968300,2243862,2066715,2322594,1987983,2243862,1869885,
        2066715,2263545,1869885,964467,944784,944784,944784,728271,1869885,2263545,2283228,
        2243862,2184813,2165130,2027349,1987983,2243862,1869885,2283228,2047032,1909251,
        2165130,1869885,2401326,1987983,2243862,2184813,885735,2184813,2165130,1987983,2460375]
v1 = 0x8000000B  # modulus
v2 = 19683       # multiplier (3**9)
for k in range(0,51):
    for m in range(33,127):  # try every printable ASCII byte
        if((v2 * m) % v1 == dat3[k]):
            flag2 += chr(m)
print(flag2)
#flag{Thousandriver_is_1000%_stronger_than_zero-one}
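Both checks can also be inverted directly rather than by trying every printable byte. This is an added example, not code from the original write-up: the first check ~(j & k) & (j | k) is just j ^ k, so the first input is the stored bytes XORed with the repeating key (the dat2 bytes spell "Rising_Hopper!"); the second stores 19683 * m mod 0x8000000B, so multiplying by the modular inverse of 19683 recovers m even when the product wrapped around the modulus (the names below are this example's own).

```python
# Added example: direct inversion of both stage checks from the write-up.

# Stage 1 data from the write-up; the key is dat2 rendered as ASCII.
DAT1 = [17, 8, 6, 10, 15, 20, 42, 59, 47, 3, 47, 4, 16, 72, 62, 0, 7, 16]
KEY1 = b"Rising_Hopper!"

# Stage 2 data from the write-up.
DAT3 = [2007666, 2125764, 1909251, 2027349, 2421009, 1653372, 2047032, 2184813, 2302911,
        2263545, 1909251, 2165130, 1968300, 2243862, 2066715, 2322594, 1987983, 2243862, 1869885,
        2066715, 2263545, 1869885, 964467, 944784, 944784, 944784, 728271, 1869885, 2263545, 2283228,
        2243862, 2184813, 2165130, 2027349, 1987983, 2243862, 1869885, 2283228, 2047032, 1909251,
        2165130, 1869885, 2401326, 1987983, 2243862, 2184813, 885735, 2184813, 2165130, 1987983, 2460375]
MODULUS = 0x8000000B
MULTIPLIER = 19683


def masked_xor_identity(a: int, b: int) -> bool:
    """True if the binary's expression ~(a & b) & (a | b) equals a ^ b for these operands."""
    return (~(a & b) & (a | b)) == (a ^ b)


def decode_stage1(data, key):
    """Undo the stage-1 check: XOR each stored byte with the repeating key byte."""
    return "".join(chr(c ^ key[i % len(key)]) for i, c in enumerate(data))


def decode_stage2(data, mult, mod):
    """Undo the stage-2 check: multiply each stored value by the inverse of mult mod mod.

    pow(mult, -1, mod) (Python 3.8+) exists because gcd(19683, 0x8000000B) == 1.
    """
    inv = pow(mult, -1, mod)
    return "".join(chr((c * inv) % mod) for c in data)


if __name__ == "__main__":
    # Confirm the XOR identity over every byte pair before relying on it.
    assert all(masked_xor_identity(a, b) for a in range(256) for b in range(256))
    print(decode_stage1(DAT1, KEY1))
    print(decode_stage2(DAT3, MULTIPLIER, MODULUS))
```

Checking the XOR identity exhaustively over all byte pairs takes the guesswork out of reading the obfuscated expression, and the modular-inverse route does not depend on the product staying below the modulus, which the brute-force loop silently relied on.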