
攻防世界 ----> Windows_Reverse1 (supplement)

Notes from solving the challenge.

Challenge walkthrough.

Suppose we do not know how to deal with address randomisation: dynamic debugging is then out of the question, and only static analysis is left.

Download the binary and check for a packer.

Unpack it with UPX.

Open it in 32-bit IDA.

Dynamic debugging throws an error.

Reopen the file and analyse it statically.

Follow the key function.

If the decompiled output is unclear, read it side by side with the assembly.

Trace the value back to its source.

*decode takes its value from byte_[xxx]; does that mean byte_ is a decryption (lookup) table?

But it appears to have no contents?

We follow byte_[xxx] in the hex view.

A "?" denotes a non-printable byte; simply replace it with 0.

And this whole region is one contiguous block.

Tidy it up:

Approach for the script:

Script:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main()
{
    /* Lookup table dumped from byte_[xxx]; the "?" bytes in the hex view were replaced with 0x00 */
    unsigned char encode_table[] =
    {
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x4E,0xE6,0x40,0xBB,0xB1,0x19,0xBF,0x44,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
        0xFE,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x7E,0x7D,0x7C,0x7B,0x7A,0x79,0x78,0x77,
        0x76,0x75,0x74,0x73,0x72,0x71,0x70,0x6F,0x6E,0x6D,0x6C,0x6B,0x6A,0x69,0x68,0x67,
        0x66,0x65,0x64,0x63,0x62,0x61,0x60,0x5F,0x5E,0x5D,0x5C,0x5B,0x5A,0x59,0x58,0x57,
        0x56,0x55,0x54,0x53,0x52,0x51,0x50,0x4F,0x4E,0x4D,0x4C,0x4B,0x4A,0x49,0x48,0x47,
        0x46,0x45,0x44,0x43,0x42,0x41,0x40,0x3F,0x3E,0x3D,0x3C,0x3B,0x3A,0x39,0x38,0x37,
        0x36,0x35,0x34,0x33,0x32,0x31,0x30,0x2F,0x2E,0x2D,0x2C,0x2B,0x2A,0x29,0x28,0x27,
        0x26,0x25,0x24,0x23,0x22,0x21,0x20,0x00
    };
    /* The string the program compares against; each of its bytes is used as an index into the table */
    unsigned char encode[] = "DDCTF{reverseME}";
    char flag[50] = { 0 };
    /* strlen() takes a char *, so cast the unsigned char array */
    for (size_t i = 0; i < strlen((const char *)encode); i++)
    {
        flag[i] = encode_table[encode[i]];
    }
    printf("flag{%s}\n", flag);

    system("pause"); /* Windows only: keeps the console window open */
    return 0;
}


flag{ZZ[JX#,9(9,+9QY!}
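The script above maps the target string forward through the table, which only recovers the input because this particular table is its own inverse on printable ASCII (table[c] = 0x9E - c, so table[table[c]] = c). As an added example that is not part of the original write-up, the following builds the proper inverse of the dumped table, which is the general method when a lookup table is not self-inverse, and also checks the involution property; the table bytes are the ones dumped above, while recover_input and table_is_involution are names chosen here.

```c
#include <stdio.h>
#include <string.h>
/* The 128-byte table dumped from byte_[xxx] above (same values as the script). */
static const unsigned char encode_table[128] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x4E,0xE6,0x40,0xBB,0xB1,0x19,0xBF,0x44,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xFE,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x7E,0x7D,0x7C,0x7B,0x7A,0x79,0x78,0x77,
    0x76,0x75,0x74,0x73,0x72,0x71,0x70,0x6F,0x6E,0x6D,0x6C,0x6B,0x6A,0x69,0x68,0x67,
    0x66,0x65,0x64,0x63,0x62,0x61,0x60,0x5F,0x5E,0x5D,0x5C,0x5B,0x5A,0x59,0x58,0x57,
    0x56,0x55,0x54,0x53,0x52,0x51,0x50,0x4F,0x4E,0x4D,0x4C,0x4B,0x4A,0x49,0x48,0x47,
    0x46,0x45,0x44,0x43,0x42,0x41,0x40,0x3F,0x3E,0x3D,0x3C,0x3B,0x3A,0x39,0x38,0x37,
    0x36,0x35,0x34,0x33,0x32,0x31,0x30,0x2F,0x2E,0x2D,0x2C,0x2B,0x2A,0x29,0x28,0x27,
    0x26,0x25,0x24,0x23,0x22,0x21,0x20,0x00
};

/* Inverse over printable ASCII: inv[encode_table[c]] = c (bytes no input produces stay 0). */
static void build_inverse(unsigned char inv[256])
{
    memset(inv, 0, 256);
    for (int c = 0x20; c <= 0x7E; c++)
        inv[encode_table[c]] = (unsigned char)c;
}

/* Recover the input the lookup maps onto `expected`; out needs strlen(expected)+1 bytes. */
char *recover_input(const char *expected, char *out)
{
    unsigned char inv[256];
    build_inverse(inv);
    size_t n = strlen(expected);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)inv[(unsigned char)expected[i]];
    out[n] = '\0';
    return out;
}

/* 1 if table[table[c]] == c for every printable c, i.e. the table is its own inverse. */
int table_is_involution(void)
{
    for (int c = 0x20; c <= 0x7E; c++)
        if (encode_table[encode_table[c]] != c) return 0;
    return 1;
}

int main(void)
{
    char buf[64];
    printf("flag{%s} involution=%d\n", recover_input("DDCTF{reverseME}", buf), table_is_involution());
    return 0;
}
```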

Summary: it is best to do the analysis yourself, and not to agonise over why the table data differs from other write-ups. Trust the hex data you dumped yourself.

When data is not shown in the decompiler, try following it in the hex view of memory.


Original article: https://blog.csdn.net/shdbehdvd/article/details/142422741