天津垓.exe
No packer, 64-bit.
IDA quickly locates the first key function.
Write a script to reverse it:
flag1 = ''
dat1 = [17, 8, 6, 10, 15, 20, 42, 59, 47, 3, 47, 4, 16, 72, 62, 0, 7, 16]
dat2 = [0x52, 0x69, 0x73, 0x69, 0x6E, 0x67, 0x5F, 0x48, 0x6F, 0x70, 0x70, 0x65, 0x72, 0x21]
for i in range(0, 18):
    for j in range(33, 127):
        # the binary's check: (~(a & b)) & (a | b), which is a ^ b
        if dat1[i] == ~(j & dat2[i % 14]) & (j | dat2[i % 14]):
            flag1 += chr(j)
print(flag1)
# Caucasus@s_ability
There is a second input, so continue locating the next key function.
It has anti-debugging; set a breakpoint and NOP it out first.
Run the program, enter the string obtained above, and reach the second key function. Note that the buffer at lpAddress is decrypted at runtime, which is suspicious; once the decryption finishes, follow the pointer.
The guess is that what gets decrypted here is code.
Sure enough, clean assembly appears; create a function there so IDA can decompile it into pseudocode.
The logic of the second key function is now clear; a script reversing it yields the flag.
flag2 = ''
dat3 = [2007666, 2125764, 1909251, 2027349, 2421009, 1653372, 2047032, 2184813, 2302911,
        2263545, 1909251, 2165130, 1968300, 2243862, 2066715, 2322594, 1987983, 2243862, 1869885,
        2066715, 2263545, 1869885, 964467, 944784, 944784, 944784, 728271, 1869885, 2263545, 2283228,
        2243862, 2184813, 2165130, 2027349, 1987983, 2243862, 1869885, 2283228, 2047032, 1909251,
        2165130, 1869885, 2401326, 1987983, 2243862, 2184813, 885735, 2184813, 2165130, 1987983, 2460375]
v1 = 0x8000000B
v2 = 19683
for k in range(0, 51):
    for m in range(33, 127):
        # each stored value is (v2 * char) mod v1
        if (v2 * m) % v1 == dat3[k]:
            flag2 += chr(m)
print(flag2)
# flag{Thousandriver_is_1000%_stronger_than_zero-one}
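Both scripts above brute-force every printable character. As an added example (not part of the original writeup), the block below inverts each check directly instead: stage 1 is a cyclic XOR once you notice that `(~(a & b)) & (a | b)` is the NAND/OR form of `a ^ b`, and stage 2 is multiplication modulo `0x8000000B`, which is undone with a modular inverse. The arrays and constants are copied from the writeup; the function names are my own. The inverse approach also keeps working in the general case where `v2 * m` exceeds `v1` and actually wraps, which the brute-force search only handles because every product here is below the modulus.

```python
import math

# Data copied from the writeup's two scripts.
DAT1 = [17, 8, 6, 10, 15, 20, 42, 59, 47, 3, 47, 4, 16, 72, 62, 0, 7, 16]
DAT2 = [0x52, 0x69, 0x73, 0x69, 0x6E, 0x67, 0x5F, 0x48, 0x6F, 0x70, 0x70, 0x65, 0x72, 0x21]
DAT3 = [2007666, 2125764, 1909251, 2027349, 2421009, 1653372, 2047032, 2184813, 2302911,
        2263545, 1909251, 2165130, 1968300, 2243862, 2066715, 2322594, 1987983, 2243862, 1869885,
        2066715, 2263545, 1869885, 964467, 944784, 944784, 944784, 728271, 1869885, 2263545, 2283228,
        2243862, 2184813, 2165130, 2027349, 1987983, 2243862, 1869885, 2283228, 2047032, 1909251,
        2165130, 1869885, 2401326, 1987983, 2243862, 2184813, 885735, 2184813, 2165130, 1987983, 2460375]
V1 = 0x8000000B  # modulus used by the second check
V2 = 19683       # multiplier used by the second check (3**9)


def nand_or_check(a, b):
    """The stage-1 comparison exactly as the binary expresses it."""
    return ~(a & b) & (a | b)


def nand_or_is_xor():
    """Exhaustively confirm over all byte pairs that (~(a & b)) & (a | b) == a ^ b.

    Python's ~ yields a negative number, but AND-ing it with the non-negative
    (a | b) keeps only the bits set in a | b and clear in a & b, i.e. a ^ b.
    """
    return all(nand_or_check(a, b) == (a ^ b) for a in range(256) for b in range(256))


def decode_stage1(cipher=DAT1, key=DAT2):
    """Stage 1: cipher[i] == plain[i] ^ key[i % len(key)], so XOR undoes it."""
    return ''.join(chr(c ^ key[i % len(key)]) for i, c in enumerate(cipher))


def decode_stage2(cipher=DAT3, mult=V2, mod=V1):
    """Stage 2: cipher[k] == (mult * plain[k]) % mod.

    Multiplying by the modular inverse of mult recovers plain[k] directly.
    This requires gcd(mult, mod) == 1; here mod is odd and not divisible by 3.
    """
    if math.gcd(mult, mod) != 1:
        raise ValueError("multiplier is not invertible modulo the given modulus")
    inv = pow(mult, -1, mod)  # modular inverse, Python 3.8+
    return ''.join(chr((c * inv) % mod) for c in cipher)


def brute_force_stage2(cipher=DAT3, mult=V2, mod=V1):
    """The writeup's search, kept here only to cross-check the inverse method."""
    out = ''
    for c in cipher:
        for m in range(33, 127):
            if (mult * m) % mod == c:
                out += chr(m)
    return out


if __name__ == '__main__':
    print('NAND/OR identity is XOR:', nand_or_is_xor())
    print('stage 1:', decode_stage1())
    print('stage 2:', decode_stage2())
    print('brute force agrees:', decode_stage2() == brute_force_stage2())
```

`decode_stage2` raises if the multiplier has no inverse, which is the one situation where a modular-multiplication check is not uniquely invertible and a search over candidates would be the only option.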