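Challenge notes.
Challenge review.
Suppose we don't know how to deal with address randomization. Then we cannot debug dynamically and have to rely on static analysis.
Download the binary and check it for a packer.
Unpack UPX.
Open it in 32-bit IDA.
Dynamic debugging fails with an error.
Reopen it and analyze statically.
Follow into the key function.
If something is unclear, read the decompiler output and the assembly together.
Trace the value back to its source.
*decode takes its value from byte_[xxx]. Does that mean byte_ is a decryption table?
But it has no content?
We follow byte_[xxx] in the hex view.
"?" marks a non-printable character. Just replace it with 0.
And this, again, is one contiguous block.
Tidying it up:
Approach for the script:
Script: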
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
    /* Lookup table copied from the hex view of byte_[xxx];
       non-printable bytes shown as "?" in IDA are taken from the raw hex. */
    unsigned char encode_table[] =
    {
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x4E,0xE6,0x40,0xBB,0xB1,0x19,0xBF,0x44,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
        0xFE,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x7E,0x7D,0x7C,0x7B,0x7A,0x79,0x78,0x77,
        0x76,0x75,0x74,0x73,0x72,0x71,0x70,0x6F,0x6E,0x6D,0x6C,0x6B,0x6A,0x69,0x68,0x67,
        0x66,0x65,0x64,0x63,0x62,0x61,0x60,0x5F,0x5E,0x5D,0x5C,0x5B,0x5A,0x59,0x58,0x57,
        0x56,0x55,0x54,0x53,0x52,0x51,0x50,0x4F,0x4E,0x4D,0x4C,0x4B,0x4A,0x49,0x48,0x47,
        0x46,0x45,0x44,0x43,0x42,0x41,0x40,0x3F,0x3E,0x3D,0x3C,0x3B,0x3A,0x39,0x38,0x37,
        0x36,0x35,0x34,0x33,0x32,0x31,0x30,0x2F,0x2E,0x2D,0x2C,0x2B,0x2A,0x29,0x28,0x27,
        0x26,0x25,0x24,0x23,0x22,0x21,0x20,0x00
    };
    unsigned char encode[] = "DDCTF{reverseME}";
    char flag[50] = {0};   /* zero-filled so the result is NUL-terminated */
    size_t len = strlen((const char *)encode);

    /* Each input byte is used as an index into the table. */
    for (size_t i = 0; i < len; i++)
    {
        flag[i] = encode_table[encode[i]];
    }
    printf("flag{%s}\n", flag);
    system("pause");       /* Windows only: keeps the console window open */
    return 0;
}
flag{ZZ[JX#,9(9,+9QY!}
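A cross-check on the table recovered from the hex view, as an added example that is not part of the original notes: from index 0x20 onward the dumped bytes count down from 0x7E, so the printable part is table[i] = 0x9E - i, and applying the lookup twice must return the input. The names build_table and translate are hypothetical, and zeroing the entries below 0x20 is an assumption (they are never indexed by printable input).

```c
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 128  /* same length as encode_table in the script above */

/* Rebuild the printable part of the table from the pattern visible in the
 * dump: index 0x20 holds 0x7E and each following entry is one lower, so
 * table[i] = 0x9E - i for 0x20 <= i <= 0x7E. Other entries are left 0
 * (assumption: they are never indexed by printable input). */
static void build_table(unsigned char table[TABLE_SIZE])
{
    memset(table, 0, TABLE_SIZE);
    for (int i = 0x20; i <= 0x7E; i++)
        table[i] = (unsigned char)(0x9E - i);
}

/* Table lookup with bounds checks. Returns 0 on success, -1 if the output
 * buffer is too small or an input byte falls outside the printable range. */
static int translate(const unsigned char *table, const char *in,
                     char *out, size_t out_size)
{
    size_t n = strlen(in);
    if (n + 1 > out_size)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c > 0x7E)
            return -1;
        out[i] = (char)table[c];
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    unsigned char table[TABLE_SIZE];
    char flag[64], back[64];

    build_table(table);
    /* Encode the input, then feed the result back through the same table. */
    if (translate(table, "DDCTF{reverseME}", flag, sizeof flag) != 0 ||
        translate(table, flag, back, sizeof back) != 0)
        return 1;
    printf("flag{%s}\n", flag);
    printf("round trip: %s\n", back);
    return 0;
}
```

If the round trip does not reproduce the input, the table bytes or their starting offset were copied wrongly from the hex view.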
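Summary: it is best to do the analysis yourself. Don't get hung up on why the table data differs; go by your own hex data.
When data is not displayed, try tracing the memory in the hex view.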