海拉尔网站建设sjteam,建网站系统能换吗,运行时间 wordpress,句容网站制作公司链接#xff1a;https://pan.baidu.com/s/1msA5EY_7hoYGBEema7nWwA 提取码#xff1a;b9xf
wp:首先找不到main函数#xff0c;然后寻找特殊字符串#xff0c; 交叉引用 反汇编 主函数在sub_3D9当中#xff0c;但是IDA分析错了 分析错误后#xff0c;删除函数 创建函数 操…链接https://pan.baidu.com/s/1msA5EY_7hoYGBEema7nWwA 提取码b9xf
wp:首先找不到main函数然后寻找特殊字符串 交叉引用 反汇编 主函数在sub_3D9当中但是IDA分析错了 分析错误后删除函数 创建函数 操作与0x22异或然后再加3
分析代码
int sub_3D0()
{int v0; // ebxint v1; // eaxconst char *v2; // ebxint v4; // [esp14h] [ebp-C4h]int v5; // [esp18h] [ebp-C0h]int v6; // [esp1Ch] [ebp-BCh]int v7[2]; // [esp20h] [ebp-B8h] BYREFchar flag[52]; // [esp28h] [ebp-B0h] BYREFchar v9[124]; // [esp5Ch] [ebp-7Ch] BYREFsub_32B0(flag, 0, 48);sub_32B0(v9, 0, 120);v7[0] 0;sub_2BF0(v7, flag, 48);sub_2BF0(v7, v9, 120);v5 0;qmemcpy(flag, dword_126F8, 0x30u);printf(Plz Input Flag: );scanf(%s, flag);*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 0, 4) 188;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 4, 4) 10;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 8, 4) 187;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 12, 4) 193;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 16, 4) 213;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 20, 4) 134;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 24, 4) 127;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 28, 4) 10;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 32, 4) 201;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 36, 4) 185;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 40, 4) 81;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 44, 4) 78;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 48, 4) 136;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 52, 4) 10;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 56, 4) 130;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 60, 4) 185;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 64, 4) 49;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 68, 4) 141;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 72, 4) 10;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 76, 4) 253;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 80, 4) 201;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 84, 4) 199;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 88, 4) 127;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 92, 4) 185;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 96, 4) 17;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 100, 4) 78;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 104, 4) 185;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 108, 4) 232;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 112, 4) 141;*(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 21, v9, 116, 4) 87;v4 strlen(flag);v0 0;if ( v4 0 )goto LABEL_7;do{v1 sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 24, flag, v0, 0);((void (__cdecl *)(int, int))sub_330)(v1, v4);// loc_330比较特殊。// 哦我知道了想这样loc开头的也是函数只不过是以汇编形式展现的想sub开头的是以反汇编形式展示的v6 *(unsigned __int8 *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 26, flag, v0, 1);if ( *(_DWORD *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 26, v9, 4 * v0, 4) v6 )v5;v0;}while ( v0 v4 );if ( v5 30 )v2 Success;else
LABEL_7:v2 Try Again;sub_3350(v2);sub_2930(v7);return 0;
}
// a1是flag
// a2是flag的长度
int __cdecl sub_330(int a1, unsigned int a2)
{bool v3; // zfunsigned int v4; // eaxunsigned int v5; // eax_DWORD v6[2]; // [esp-4h] [ebp-18h] BYREF_BYTE *v7; // [esp4h] [ebp-10h]_BYTE *v8; // [esp8h] [ebp-Ch]int v9; // [espCh] [ebp-8h]v9 0;if ( !a2 )return 1;v8 (_BYTE *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 10, a1, 0, 1);*v8 ^ 0x22u;v7 (_BYTE *)sub_2450(C:/WindRiver/workspace/helloworld/helloworld.c, 11, a1, 0, 1);v3 *v7 0xFD;*v7 3;if ( v3 || !v3 )goto LABEL_7;v4 (unsigned int)v6 ^ 0x22;if ( ((unsigned int)v6 ^ 0x22) v6[1] ){
LABEL_8:v5 v4 - 1; // 这里是一个递归return sub_330(a1, v5);}v5 ((int (*)(void))((char *)loc_3D3 2))();if ( !v3 ){
LABEL_7:v4 a2;goto LABEL_8;}return sub_330(a1, v5);
} 上脚本
#include stdio.h
#include string.hint main(void)
{int key[] {188, 10, 187, 193, 213, 134, 127, 10, 201, 185, 81, 78,136, 10, 130, 185, 49, 141, 10, 253, 201, 199, 127, 185,17, 78, 185, 232, 141, 87};int i, j;for (i 0; i sizeof(key)/sizeof(int); i){for (j 0; j sizeof(key)/sizeof(int); j ){key[i] - 3;key[i] ^ 0x22;}printf(%c,key[i]);}return 0;
}
#flag{helo_w0rld_W3lcome_70_R3} 总结IDA无法识别函数F5大法失效原因 1.堆栈指针问题 2.花指令问题
