DiE查询发现是UPX加壳,使用工具拆壳
./upx -d file.exe
32位程序使用ida32打开
找到关键代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [esp+12h] [ebp-2Eh]
char v5; // [esp+13h] [ebp-2Dh]
char v6; // [esp+14h] [ebp-2Ch]
char v7; // [esp+15h] [ebp-2Bh]
char v8; // [esp+16h] [ebp-2Ah]
char v9; // [esp+17h] [ebp-29h]
char v10; // [esp+18h] [ebp-28h]
char v11; // [esp+19h] [ebp-27h]
char v12; // [esp+1Ah] [ebp-26h]
char v13; // [esp+1Bh] [ebp-25h]
char v14; // [esp+1Ch] [ebp-24h]
char v15; // [esp+1Dh] [ebp-23h]
int v16; // [esp+1Eh] [ebp-22h]
int v17; // [esp+22h] [ebp-1Eh]
int v18; // [esp+26h] [ebp-1Ah]
__int16 v19; // [esp+2Ah] [ebp-16h]
char v20; // [esp+2Ch] [ebp-14h]
char v21; // [esp+2Dh] [ebp-13h]
char v22; // [esp+2Eh] [ebp-12h]
int v23; // [esp+2Fh] [ebp-11h]
int v24; // [esp+33h] [ebp-Dh]
int v25; // [esp+37h] [ebp-9h]
char v26; // [esp+3Bh] [ebp-5h]
int i; // [esp+3Ch] [ebp-4h]
__main();
v4 = '*';
v5 = 'F';
v6 = '\'';
v7 = '"';
v8 = 'N';
v9 = ',';
v10 = '"';
v11 = '(';
v12 = 'I';
v13 = '?';
v14 = '+';
v15 = '@';
printf("Please input:");
scanf("%s", &v19);
if ( (_BYTE)v19 != 'A' || HIBYTE(v19) != 'C' || v20 != 'T' || v21 != 'F' || v22 != '{' || v26 != '}' )
return 0;
v16 = v23;
v17 = v24;
v18 = v25;
for ( i = 0; i <= 11; ++i )
{
if ( *(&v4 + i) != _data_start__[*((char *)&v16 + i) - 1] )
return 0;
}
printf("You are correct!");
return 0;
}
分析
if ( (&v4 + i) != data_start_[((char *)&v16 + i) - 1] )
即:v4[i]!=data_start[flag[i]-1],所以需要v4[i]=data_start[flag[i]-1]
v4[i]=data_start[x] ==> flag[i]-1=x
根据v4的值可以得到data_start的下标,根据下标得到flag的值
v4 = [42,70,39,34,78,44,34,40,73,63,43,64]
model = r"}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(" + chr(0x27) + r'&%$# !"'
pos = []
for i in v4:
pos.append(model.find(chr(i))+1)
s = [chr(i + 1) for i in pos]
flag = ''.join(s)
print ('flag{'+flag+'}')
flag{U9X_1S_W6@T?}