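Techniques and background covered in earlier articles are not repeated in detail here. If anything is unclear, read the write-ups in challenge order.
Locate the key code. There is an encryption routine named decrypt, and its arguments &s and dword_8048A90 are stored in .rodata.
If the input ws equals s2, the value produced by that routine, the program prints success.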

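Figure 1
Step into the decrypt function and look at how the data is transformed (Figure 2).
Inspect the data behind the two arguments (Figure 3).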

Figure 2

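Figure 3
I wrote the decryption code. At first it failed with an error in red text, so I deleted the trailing zero from dest. The result was still wrong and did not look like a flag; see the output of the earlier run. That made me wonder whether the zero in a should be removed as well, so the contents of a changed from a repeating 1,2,3,4,5,0 to a repeating 1,2,3,4,5. Running it again produced the flag.
The challenge statement says that running the program is enough to get the flag. The dynamic-debugging approach is already covered by articles online, so, having not read the challenge carefully, I will share the approach of writing the code out by hand instead...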

Figure 4
Code:
```python
# Key: 1,2,3,4,5 repeated (the 0 that followed each group has been removed)
a=[1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5]

# Ciphertext values read from .rodata (the trailing 0 has been removed)
dest=[0x3A,0x36,0x37,0x3B,0x80,0x7A,0x71,0x78,0x63,0x66,0x73,0x67,0x62,0x65,0x73,0x60,0x6B,0x71,0x78,0x6A,0x73,0x70,0x64,0x78,0x6E,0x70,0x70,0x64,0x70,0x64,0x6E,0x7B,0x76,0x78,0x6A,0x73,0x7B,0x80]

lend=len(dest)
lena=len(a)
print("lena:",lena," ")

# Print the raw ciphertext characters first
for i in range(0,lend):
    dest[i]=int(dest[i])
    print(chr(dest[i]),end='')

print(" lendest:",lend," ")

# Decrypt: subtract the key value at the same index from each ciphertext value
for i in range(0,lend):
    dest[i]=int(dest[i])-a[i]
    print(chr(dest[i]),end='')

# Earlier attempt, left disabled inside a string literal
'''
while(j<lend):
    for i in range(0,lena):
        dest[j] -= a[i]
        j += 1
        print(chr(dest[j]),end='')

print(" ---------------")
print("j:",j)
print("---------------")
'''
```
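
The two zeros removed by hand above can be handled in code instead. This added example (not the author's code) assumes, based on the dword_8048A90 name, that both arrays are zero-terminated sequences of 32-bit little-endian values, and it repeats the key rather than typing it out 50 times. The names read_dwords, DEST, CIPHER_RAW and KEY_RAW are made up for this sketch.

```python
import struct
from itertools import cycle

# Ciphertext values copied from the write-up's dest list (38 values).
DEST = [
    0x3A, 0x36, 0x37, 0x3B, 0x80, 0x7A, 0x71, 0x78, 0x63, 0x66,
    0x73, 0x67, 0x62, 0x65, 0x73, 0x60, 0x6B, 0x71, 0x78, 0x6A,
    0x73, 0x70, 0x64, 0x78, 0x6E, 0x70, 0x70, 0x64, 0x70, 0x64,
    0x6E, 0x7B, 0x76, 0x78, 0x6A, 0x73, 0x7B, 0x80,
]
# Constructed sample input: both arrays as they would sit in memory under the
# assumption above, 32-bit little-endian values followed by a 0 terminator.
CIPHER_RAW = struct.pack(f"<{len(DEST) + 1}I", *DEST, 0)
KEY_RAW = struct.pack("<6I", 1, 2, 3, 4, 5, 0)


def read_dwords(raw: bytes) -> list:
    """Decode little-endian 32-bit values, stopping before the first 0."""
    values = []
    for (value,) in struct.iter_unpack("<I", raw):
        if value == 0:  # the terminator is not part of the data
            break
        values.append(value)
    return values


def decrypt(cipher_raw: bytes, key_raw: bytes) -> str:
    """Subtract the repeating key from each ciphertext value."""
    cipher = read_dwords(cipher_raw)
    key = read_dwords(key_raw)
    if not key:
        raise ValueError("key is empty after removing the terminator")
    out = []
    for c, k in zip(cipher, cycle(key)):
        if c < k:
            raise ValueError("key value larger than ciphertext value")
        out.append(chr(c - k))
    return "".join(out)


if __name__ == "__main__":
    print(decrypt(CIPHER_RAW, KEY_RAW))
```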