I'm a beginner, so if there are any mistakes (or shortcomings), please point them out. Thanks!!
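Link: https://pan.baidu.com/s/11oIbMxd2I3-KC5QNxqAZSg Extraction code: 2020
The EnumFunc() function checks window names as an anti-debugging measure; patch the code to nop out 10040114B and 100401152.
Go through the functions one by one...
Found the function sub_1004011F6() (after patching).
Write a script to brute-force it: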
```c
#include <stdio.h>

int main(void)
{
    /* Values that the transformed input is compared against */
    char data[18] = { 17, 8, 6, 10, 15, 20, 42, 59, 47,
                      3, 47, 4, 16, 72, 62, 0, 7, 16 };
    char input[19] = { 0 };
    char temp, str[] = "Rising_Hopper!";
    int i, j;

    for (i = 0; i < 18; i++)
        for (j = 0; j < 256; j++)
        {
            /* Same transform as the binary, keyed by the 14-byte string */
            temp = ~(j & str[i % 14]) & (j | str[i % 14]);
            if (data[i] == temp)
                input[i] = j;
        }
    puts(input);
    return 0;
}
```
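After that I couldn't get any further with the rest.
The function sub_100401506() calls VirtualProtect on byte_10040164D...
and IDA cannot turn the code at byte_10040164D into pseudocode...
(After finishing: when debugging dynamically in IDA, single-stepping with F8 reaches this point and byte_10040164D gets interpreted as assembly code, which is the second stage.)
First I downloaded the cygwin1.dll that it was missing, disabled the anti-debugging check, and then used x64dbg to dump the program's memory.
(You can also step through it in the IDA debugger; the code here will automatically be interpreted as assembly.)
Then load the dumped memory into IDA; the code here can now be decompiled with F5.
(The code after tidying up)
Then extract the data and write a script: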
```c
#include <stdio.h>

int main(void)
{
    /* 51 values extracted from the dumped second-stage code */
    int i, j, data0[] = { 2007666, 2125764, 1909251, 2027349, 2421009, 1653372, 2047032,
                          2184813, 2302911, 2263545, 1909251, 2165130, 1968300, 2243862,
                          2066715, 2322594, 1987983, 2243862, 1869885, 2066715, 2263545,
                          1869885, 964467, 944784, 944784, 944784, 728271, 1869885,
                          2263545, 2283228, 2243862, 2184813, 2165130, 2027349, 1987983,
                          2243862, 1869885, 2283228, 2047032, 1909251, 2165130, 1869885,
                          2401326, 1987983, 2243862, 2184813, 885735, 2184813, 2165130,
                          1987983, 2460375 };
    unsigned int v53, v55;

    v55 = 0x8000000B;
    for (i = 0; i < 51; i++)
    {
        /* Try every byte value until the transform matches the stored value */
        for (j = 0; j < 256; j++)
        {
            v53 = 19683 * j % v55;
            if (v53 == (unsigned int)data0[i])
                printf("%c", j);
        }
    }
    return 0;
}
```
This gives the flag: flag{Thousandriver_is_1000%_stronger_than_zero-one}
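
Both brute-force loops above can be replaced by a direct inverse. The following is an added example, not code from the original post: the first-stage expression is plain XOR, and the second-stage multiplication can be undone with a modular inverse, which also covers products that wrap past the modulus (a generalization beyond the byte-sized case in the post). The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the stage-1 expression ~(a & b) & (a | b) equals a ^ b for all byte pairs. */
int mix_is_xor(void)
{
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++)
            if ((~(a & b) & (a | b)) != (a ^ b))
                return 0;
    return 1;
}

/* XOR is its own inverse, so input[i] = data[i] ^ key[i % keylen]. */
void stage1_decode(const unsigned char *data, size_t n, const char *key, char *out)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(data[i] ^ (unsigned char)key[i % klen]);
    out[n] = '\0';
}

/* Modular inverse of a mod m via the extended Euclidean algorithm; needs gcd(a, m) == 1. */
uint32_t mod_inverse(uint32_t a, uint32_t m)
{
    int64_t r0 = m, r1 = a, t0 = 0, t1 = 1, q, tmp;
    while (r1 != 0) {
        q = r0 / r1; tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    return (uint32_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* Undo c = 19683 * j % 0x8000000B; correct even when the product exceeded the modulus. */
uint32_t stage2_decode(uint32_t c)
{
    const uint32_t m = 0x8000000B; /* modulus from the second script */
    return (uint32_t)((uint64_t)c * mod_inverse(19683, m) % m);
}

int main(void)
{
    const unsigned char d1[] = { 17, 8, 6, 10, 15, 20 }; /* first six stage-1 bytes */
    char out[sizeof d1 + 1];
    stage1_decode(d1, sizeof d1, "Rising_Hopper!", out);
    printf("xor identity: %d, stage 1: %s, stage 2: %c\n", mix_is_xor(), out, (int)stage2_decode(2007666));
    return 0;
}
```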