逆向学习笔记(二)

这一篇文章主要是对程序中的循环结构做一个讲解,这三大基础的循环在逆向分析中十分重要,另外还有三个程序包括其源代码、汇编代码及其逆向过程做一个分析

补充一些指令及基础知识

imul src 带符号乘
idiv src 带符号除
mul src
div src
dec dest 自减
inc dest 自加
int 中断指令

call dword ptr [eax+5]  //eax = 1000h  eax+5 = 1005h      当两个操作数的宽度不一样时,就要用到ptr

call dword ptr [<&API>]  //执行一个系统API

cmp dest,src  //该指令是比较指令,可以当成dest-src ,该操作不改变当前值,只改变标志位的值(zf)
movsx dest,src    //带符号扩展,并传送
lea   (Load effect address)取有效地址,也就是取偏移地址

操作符 offert :取得标号的偏移地址

mov ax,offert start ;相当于 mov ax,0

变量与常量相加的区别
两常数相加是,编译器在编译期间就计算出了两常数相加后的结果
有变量参加的加法,会先取出内存中的数据放入寄存器中,再通过add完成计算结果,最后在存回内存中

三大基础的循环

do{}while,while,for,是编程语言中通用的循环,在逆向中对于循环的识别是相当重要的
下面就利用一段简单的代码(累加),来了解三种循环

#include
int main()
{
    int sum = 0;
    int count = 7;
    int index = 0;
    while( index <= count)       //循环替换部分
    {
        sum += index;
        index++;
    }                            //
    printf("%d\n",sum);

}

//以下为debug汇编代码,这里只需注意循环部分,连接处可能存在差异
//该处只解释循环部分汇编代码,其他部分下一个例子会有提及

1:#include
2:int main()
3:{
00401010   push ebp
00401011   mov ebp,esp
00401013   sub esp,4Ch
00401016   push ebx
00401017   push esi
00401018   push edi
00401019   lea edi,[ebp-4Ch]    //edi = ebp-4Ch 相当于mov edi,ebp  sub edi,4Ch
0040101C   mov ecx,13h
00401021   mov eax,0CCCCCCCCh
00401026   rep stos dword ptr [edi]
4:int sum = 0;
00401028   mov dword ptr [ebp-4],0
5:int count = 7;
0040102F   mov dword ptr [ebp-8],7
6:int index = 0;
00401036   mov dword ptr [ebp-0Ch],0
======================================
do{}while循环     
======================================
7:        do
8:        {
9:sum += index;
0040103D   mov eax,dword ptr [ebp-4]
00401040   add eax,dword ptr [ebp-0Ch]
00401043   mov dword ptr [ebp-4],eax
10:   index++;
00401046   mov ecx,dword ptr [ebp-0Ch]
00401049   add ecx,1
0040104C   mov dword ptr [ebp-0Ch],ecx
11:   }while(index <= count);
0040104F   mov edx,dword ptr [ebp-0Ch]
00401052   cmp edx,dword ptr [ebp-8]            //比较两个数据
00401055   jle main+2Dh (0040103d)              //根据比较结果,判断是否跳出,jle小于等于则跳出、

========================================
while循环
========================================
7:while( index <= count)
0040103D   mov eax,dword ptr [ebp-0Ch]          //条件判断,jg指令表示大于count,则跳转到00401059h
00401040   cmp eax,dword ptr [ebp-8]
00401043   jg  main+49h (00401059)              //即直接跳出循环(00401059h为循环外的地址)
8:{
9:sum += index;
00401045   mov ecx,dword ptr [ebp-4]
00401048   add ecx,dword ptr [ebp-0Ch]
0040104B   mov dword ptr [ebp-4],ecx
10:   index++;
0040104E   mov edx,dword ptr [ebp-0Ch]
00401051   add edx,1
00401054   mov dword ptr [ebp-0Ch],edx
11:   }
00401057   jmp main+2Dh (0040103d)              //跳转到0040103d       
========================================
for循环
=========================================
 7:for(index = 0;index < count;index ++)                1.赋初值
0040103D   mov dword ptr [ebp-0Ch],0                      初始化计数器变量index
00401044   jmp main+3Fh (0040104f)                        跳转到0040104f处,跳过步长操作
00401046   mov eax,dword ptr [ebp-0Ch]                  2.步长计算 
00401049   add eax,1                                      // 步长值加1
0040104C   mov dword ptr [ebp-0Ch],eax                     步长值放入计数器变量i中

0040104F   mov ecx,dword ptr [ebp-0Ch]
00401052   cmp ecx,dword ptr [ebp-8]                    3.条件比较部分
00401055   jge main+52h (00401062)                        //比较后,大于count则跳转
8:{
9:sum += index;
00401057   mov edx,dword ptr [ebp-4]
0040105A   add edx,dword ptr [ebp-0Ch]
0040105D   mov dword ptr [ebp-4],edx
10:   }
00401060   jmp main+36h (00401046)
========================================
12:
13:   printf("%d\n",sum);
0040104E   mov edx,dword ptr [ebp-4]
00401051   push edx
00401052   push offset string "%d\n" (0042201c)
00401057   call printf (004010a0)
0040105C   add esp,8
14:
15:   }
0040105F   pop edi
00401060   pop esi
00401061   pop ebx
00401062   add esp,4Ch
00401065   cmp ebp,esp
00401067   call__chkesp (00401120)
0040106C   mov esp,ebp
0040106E   pop ebp
0040106F   ret

do{}while();循环执行效率最高,只用了一次跳转,编译器对循环进行优化是使用if单分支结构进行第一次执行循环的判断,以此来减少跳转指令。

栈结构在内存中占用一段连续的储存空间,ebp == esp 栈平衡,当ebp > esp时,就形成了栈帧

函数调用

参数的传递:通过栈或寄存器的方式传递参数
函数调用,将返回地址压入栈中:使用call指令调用参数,并将返回地址压入栈中(这一点在栈溢出的方面会详细介绍)

数组:以线性方式连续储存在内存中的一段相同数据类型的数据集合(数组名是一个地址常量值,保存数组首元素地址)字符串可以当做一个数组,函数中是通过数组/字符串的首地址(以指针的方式进行传递)来调用,函数参数中保存的是数组的首地址,是一个指针变量
字符串以 ‘\0’结尾,ida 中使用A来分析字符串的首地址

以下是是我写的三道题,并附上了c代码和其汇编代码,对于一些语句做了注释,每道题后都有逆向它的过程,程序虽然简单,但对于熟悉逆向的过程是有好处的

一段代码(creakme_1)

1:#include 
2:#include 
3:#define PASSWORD "Fuck_50_ea5y!"
4:int verify_password (char *password)
5:{
00401020   push ebp                  //保存栈底指针ebp
00401021   mov ebp,esp
00401023   sub esp,48h              //调高栈顶esp,开辟出48h的栈空间,为局部变量
00401026   push ebx
00401027   push esi
00401028   push edi
00401029   lea edi,[ebp-48h]       //取出此函数可用栈空间首地址放入edi
0040102C   mov ecx,12h
00401031   mov eax,0CCCCCCCCh      //局部变量初始化
00401036   rep stos dword ptr [edi]           //根据ecx的值,将eax中的内容,以dw为单位写到edi指向的内存中
6:int n;

7:for (int i = 0;i < 13;i++)
==========================================          1.赋初值
00401038   mov dword ptr [ebp-8],0            //初始化计数器变量i 
0040103F   jmp verify_password+2Ah (0401040a)     //跳转到0401040a处,跳过步长操作
==========================================       2.步长计算
00401041   mov eax,dword ptr [ebp-8]
00401044   add eax,1                             // 步长值加1
00401047   mov dword ptr [ebp-8],eax             步长值放入计数器变量i中
==========================================       3.条件比较部分
0040104A   cmp dword ptr [ebp-8],0Dh
0040104E   jge verify_password+62h (00401082)  //比较后,大于常数则跳转
==========================================
;for循环内部执行块

8:{
9:if(password[i] == 'o')
00401050   mov ecx,dword ptr [ebp+8]
00401053   add ecx,dword ptr [ebp-8]
00401056   movsx   edx,byte ptr [ecx]
00401059   cmp edx,6Fh                         // 判断是否相等
0040105C   jne verify_password+49h (00401069)   //根据zf==0,!=0就跳
10:   password[i] = '0';
0040105E   mov eax,dword ptr [ebp+8]
00401061   add eax,dword ptr [ebp-8]
00401064   mov byte ptr [eax],30h
11:   else if(password[i] == 's')  
00401067   jmp verify_password+60h (00401080)    //直接跳转到00401080,跳转到多个分支结构的结尾地址
00401069   mov ecx,dword ptr [ebp+8]
0040106C   add ecx,dword ptr [ebp-8]
0040106F   movsx   edx,byte ptr [ecx]
00401072   cmp edx,73h
00401075   jne verify_password+60h (00401080)
12:   password[i] = '5';
00401077   mov eax,dword ptr [ebp+8]
0040107A   add eax,dword ptr [ebp-8]
0040107D   mov byte ptr [eax],35h
13:
14:   }
00401080   jmp verify_password+21h (00401041)
15:
16:   n = strcmp(password,PASSWORD);       //获取常量的首地址,并将此地址压入栈中作为strcpy参数
00401082   push offset string "Fuck_50_ea5y!" (0042501c)
00401087   mov ecx,dword ptr [ebp+8]
0040108A   push ecx
0040108B   call strcmp (004011a0)
00401090   add esp,8
00401093   mov dword ptr [ebp-4],eax
17:   return n;
00401096   mov eax,dword ptr [ebp-4]
18:   }

//以下是函数退出时的代码
00401099   pop edi
0040109A   pop esi
0040109B   pop ebx
0040109C   add esp,48h               //降低栈顶esp,释放局部变量空间
0040109F   cmp ebp,esp               //检测栈平衡,
004010A1   call__chkesp (00401230)    //进入栈平衡错误检测函数
004010A6   mov esp,ebp
004010A8   pop ebp
004010A9   ret

/*

 */

19:
20:   main()
21:   {
004010D0   push ebp
004010D1   mov ebp,esp
004010D3   sub esp,444h
004010D9   push ebx
004010DA   push esi
004010DB   push edi
004010DC   lea edi,[ebp-444h]
004010E2   mov ecx,111h
004010E7   mov eax,0CCCCCCCCh
004010EC   rep stos  dword ptr [edi]
22:   int valid_flag=0;
004010EE   mov dword ptr [ebp-4],0
23:   char password[1024];

24:   while(1)
004010F5   mov eax,1
004010FA   test eax,eax
004010FC   je  main+87h (00401157)   //条件判断比较,判断是否跳转(与通常的while不同,由于这是死循环)
25:   {
26:   printf("please input password:");
004010FE   push offset string "please input password:" (00425064)
00401103   call printf (004012d0)
00401108   add esp,4
27:   scanf("%s",password);
0040110B   lea ecx,[ebp-404h]
00401111   push ecx
00401112   push offset string "%s" (00425060)
00401117   call scanf (00401270)
0040111C   add esp,8
28:   valid_flag = verify_password(password);
0040111F   lea edx,[ebp-404h]
00401125   push edx
00401126   call @ILT+0(verify_password) (00401005)         //调用函数
0040112B   add esp,4
0040112E   mov dword ptr [ebp-4],eax
29:   if(valid_flag)
00401131   cmp dword ptr [ebp-4],0
00401135   je  main+76h (00401146)
30:   {
31:   printf("incorrect password!\n\n"); 
00401137   push  offset string "incorrect password!\n\n" (00425044)
0040113C   call printf (004012d0)
00401141   add esp,4
32:   }
33:   else
00401144   jmp main+85h (00401155)
34:   {
35:   printf("Congratulation! \n");
00401146   push offset string "Congratulation! \n" (0042502c)
0040114B   call printf (004012d0)
00401150   add esp,4
36:   break;
00401153   jmp main+87h (00401157)
37:   }
38:   }
00401155   jmp main+25h (004010f5)
39:   }
00401157   pop edi
00401158   pop esi
00401159   pop ebx
0040115A   add esp,444h                       //降低栈顶esp,释放局部变量空间
00401160   cmp ebp,esp                        //检测栈平衡,
00401162   call__chkesp (00401230)           //进入栈平衡错误检测函数
00401167   mov esp,ebp
00401169   pop ebp
0040116A   ret

使用ida去分析程序,如果对一些汇编代码不熟,建议从od开始学习,动态调试工具可以更好地去熟悉。

找到main函数

分析一下,重点在 Z15verify_passwordPc 函数,以下简称password


分析完了,f5得到c伪代码


观察一下,得到flag

crackme_2

00401064   jmp yy (00401220)


1:#include
2:#include
3:#include
4:#include
5:using namespace std;
6:int flag = 1;
7:int a[16] = {21,27,20,28,19,101,9,3,5,108,84,44,57,84,26,15};
8:string k = "flag{Th1s_1s_!true}";
00401140   push ebp
00401141   mov ebp,esp
00401143   sub esp,44h
00401146   push ebx
00401147   push esi
00401148   push edi
00401149   lea edi,[ebp-44h]
0040114C   mov ecx,11h
00401151   mov eax,0CCCCCCCCh
00401156   rep stos dword ptr [edi]
00401158   lea eax,[ebp-4]     
0040115B   push eax
0040115C   push offset string "flag{Th1s_1s_!true}" (0042901c)
00401161   mov ecx,offset k (0042f0b0)
00401166   call @ILT+115(std::basic_string,std::allocator >::basic_str
0040116B   pop edi
0040116C   pop esi
0040116D   pop ebx
0040116E   add esp,44h
00401171   cmp ebp,esp
00401173   call__chkesp (00402820)
00401178   mov esp,ebp
0040117A   pop ebp
0040117B   ret
/*

 */

9:    void yy(char *x)
10:   {
00401220   push ebp
00401221   mov ebp,esp
00401223   sub esp,44h
00401226   push ebx
00401227   push esi
00401228   push edi
00401229   lea edi,[ebp-44h]
0040122C   mov ecx,11h
00401231   mov eax,0CCCCCCCCh
00401236   rep stos dword ptr [edi]
11:   for(int i = 0;i < 16;i++)
00401238   mov dword ptr [ebp-4],0
0040123F   jmp yy+2Ah (0040124a)
00401241   mov eax,dword ptr [ebp-4]
00401244   add eax,1
00401247   mov dword ptr [ebp-4],eax
0040124A   cmp dword ptr [ebp-4],10h
0040124E   jge yy+56h (00401276)
12:   {
13:   x[i] = x[i] ^ k[i];
00401250   mov ecx,dword ptr [ebp+8]
00401253   add ecx,dword ptr [ebp-4]
00401256   movsx   ebx,byte ptr [ecx]
00401259   mov edx,dword ptr [ebp-4]
0040125C   push edx
0040125D   mov ecx,offset k (0042f0b0)
00401262   call @ILT+55(std::basic_string,std::allocator >::operator[]
00401267   movsx   eax,byte ptr [eax]
0040126A   xor ebx,eax
0040126C   mov ecx,dword ptr [ebp+8]
0040126F   add ecx,dword ptr [ebp-4]
00401272   mov byte ptr [ecx],bl
14:   }
00401274   jmp yy+21h (00401241)
15:
16:   }
00401276   pop edi
00401277   pop esi
00401278   pop ebx
00401279   add esp,44h
0040127C   cmp ebp,esp
0040127E   call__chkesp (00402820)
00401283   mov esp,ebp
00401285   pop ebp
00401286   ret
 /*

 */

17:
18:   int main()
19:   {
004012A0   push ebp
004012A1   mov ebp,esp
004012A3   sub esp,0A8h
004012A9   push ebx
004012AA   push esi
004012AB   push edi
004012AC   lea edi,[ebp-0A8h]
004012B2   mov ecx,2Ah
004012B7   mov eax,0CCCCCCCCh
004012BC   rep stos dword ptr [edi]
20:   char v[100];
21:   printf("Please input flag:");
004012BE   push offset string "Please input flag:" (00429054)
004012C3   call printf (00402a60)
004012C8   add esp,4
22:   scanf("%s",v);
004012CB   lea eax,[ebp-64h]
004012CE   push eax
004012CF   push offset string "%s" (00429050)
004012D4   call scanf (00402a00)
004012D9   add esp,8
23:   if(strlen(v) == 16)
004012DC   lea ecx,[ebp-64h]
004012DF   push ecx
004012E0   call strlen (00402980)
004012E5   add esp,4
004012E8   cmp eax,10h
004012EB   jne main+0BAh (0040135a)
24:   {
25:   yy(v);
004012ED   lea edx,[ebp-64h]
004012F0   push edx
004012F1   call @ILT+95(yy) (00401064)
004012F6   add esp,4
26:   for(int i = 0;i < 16;i++)
004012F9   mov dword ptr [i],0
00401300   jmp main+6Bh (0040130b)
00401302   mov eax,dword ptr [i]
00401305   add eax,1
00401308   mov dword ptr [i],eax
0040130B   cmp dword ptr [i],10h
0040130F   jge main+93h (00401333)
27:   {
28:   if((int)v[i] != a[i])
00401311   mov ecx,dword ptr [i]
00401314   movsx   edx,byte ptr [ebp+ecx-64h]
00401319   mov eax,dword ptr [i]
0040131C   cmp edx,dword ptr [eax*4+42BD54h]
00401323   je  main+91h (00401331)
29:   {
30:   flag = 0;
00401325   mov dword ptr [flag (0042bd50)],0
31:   break;
0040132F   jmp main+93h (00401333)
32:   }
33:   }
00401331   jmp main+62h (00401302)
34:   if(flag)
00401333   cmp dword ptr [flag (0042bd50)],0
0040133A   je  main+0ABh (0040134b)
35:   printf("成功了!\n");
0040133C   push offset string "\xb3\xc9\xb9\xa6\xc1\xcb\xa3\xa1\n" (00429044)
00401341   call printf (00402a60)
00401346   add esp,4
36:   else
00401349   jmp main+0B8h (00401358)
37:   printf("Tryagain!\n");
0040134B   push offset string "Tryagain!\n" (00429034)
00401350   call printf (00402a60)
00401355   add esp,4
38:
39:   }
40:   else
00401358   jmp main+0C7h (00401367)
41:   printf("Tryagain!\n");
0040135A   push offset string "Tryagain!\n" (00429034)
0040135F   call printf (00402a60)
00401364   add esp,4
42:
43:   return 0;
00401367   xor eax,eax
44:   }
00401369   pop edi
0040136A   pop esi
0040136B   pop ebx
0040136C   add esp,0A8h
00401372   cmp ebp,esp
00401374   call __chkesp (00402820)
00401379   mov esp,ebp
0040137B   pop ebp
0040137C   ret

分析

ida中 var_表示局部变量

f5一下

进入yy()函数

从汇编代码中找到异或后比较的数组

与之异或的字符串

整理一下思路,输入一段字符串与程序内一字符串异或后与a1[]相比,相等及成功。(因为程序内的字符串和数组定义在函数外,增加了逆向难度)

reverse

1:#include
2:#include
3:#include
4:#include
5:#include
6:using namespace std;
7:int main()
8:{
004010F0   push ebp
004010F1   mov ebp,esp
004010F3   push 0FFh
004010F5   push offset __ehhandler$_main (004216ec)
004010FA   mov eax,fs:[00000000]
00401100   push eax
00401101   mov dword ptr fs:[0],esp
00401108   sub esp,4CCh
0040110E   push ebx
0040110F   push esi
00401110   push edi
00401111   lea edi,[ebp-4D8h]
00401117   mov ecx,133h
0040111C   mov eax,0CCCCCCCCh
00401121   rep stos dword ptr [edi]
9:int v11 = 24;
00401123   mov dword ptr [ebp-10h],18h
10:   int v3 = 1;
0040112A   mov dword ptr [ebp-14h],1
11:   int v2[] = {31,102,14,97,48,123,57,95,32,95,39,95,16,95,7,116,29,65,26,100,84,48,15,100};
00401131   mov dword ptr [ebp-74h],1Fh
00401138   mov dword ptr [ebp-70h],66h
0040113F   mov dword ptr [ebp-6Ch],0Eh
00401146   mov dword ptr [ebp-68h],61h
0040114D   mov dword ptr [ebp-64h],30h
00401154   mov dword ptr [ebp-60h],7Bh
0040115B   mov dword ptr [ebp-5Ch],39h
00401162   mov dword ptr [ebp-58h],5Fh
00401169   mov dword ptr [ebp-54h],20h
00401170   mov dword ptr [ebp-50h],5Fh
00401177   mov dword ptr [ebp-4Ch],27h
0040117E   mov dword ptr [ebp-48h],5Fh
00401185   mov dword ptr [ebp-44h],10h
0040118C   mov dword ptr [ebp-40h],5Fh
00401193   mov dword ptr [ebp-3Ch],7
0040119A   mov dword ptr [ebp-38h],74h
004011A1   mov dword ptr [ebp-34h],1Dh
004011A8   mov dword ptr [ebp-30h],41h
004011AF   mov dword ptr [ebp-2Ch],1Ah
004011B6   mov dword ptr [ebp-28h],64h
004011BD   mov dword ptr [ebp-24h],54h
004011C4   mov dword ptr [ebp-20h],30h
004011CB   mov dword ptr [ebp-1Ch],0Fh
004011D2   mov dword ptr [ebp-18h],64h
12:   string k = "sicnuisasher";
004011D9   lea eax,[ebp-498h]
004011DF   push eax
004011E0   push offset string "sicnuisasher" (00433064)
004011E5   lea ecx,[ebp-84h]
004011EB   call @ILT+110(std::basic_string,std::allocator >::basic_str   //调用函数
004011F0   mov dword ptr [ebp-4],0
13:   char s[1024];
14:   int v8 = 0;
004011F7   mov dword ptr [ebp-488h],0
15:   int i;
16:   do{
17:   printf("flag's:");
00401201   push offset string "flag's:" (00433058)
00401206   call printf (00408b50)
0040120B   add esp,4
18:   scanf("%s",s);
0040120E   lea ecx,[ebp-484h]
00401214   push ecx
00401215   push offset string "%s" (00433054)
0040121A   call scanf (00408af0)
0040121F   add esp,8
19:   int b = strlen(s);
00401222   lea edx,[ebp-484h]
00401228   push edx
00401229   call strlen (00408a70)
0040122E   add esp,4
00401231   mov dword ptr [b],eax
20:   for(i = 0;i < b;i++)
00401237   mov dword ptr [ebp-48Ch],0
00401241   jmp main+162h (00401252)
00401243   mov eax,dword ptr [ebp-48Ch]
00401249   add eax,1
0040124C   mov dword ptr [ebp-48Ch],eax
00401252   mov ecx,dword ptr [ebp-48Ch]
00401258   cmp ecx,dword ptr [b]
0040125E   jge main+1D8h (004012c8)
21:   {
22:   if(v8 == 12)  break;
00401260   cmp dword ptr [ebp-488h],0Ch
00401267   jne main+17Bh (0040126b)
00401269   jmp main+1D8h (004012c8)
23:   if(i % 2 != 0)
0040126B   mov edx,dword ptr [ebp-48Ch]
00401271   and edx,80000001h
00401277   jns main+18Eh (0040127e)
00401279   dec edx
0040127A   or  edx,0FEh
0040127D   inc edx
0040127E   test edx,edx
00401280   je  main+1D3h (004012c3)
24:   {
25:   s[i] = ((char)(s[i] ^ k[v8]));
00401282   mov eax,dword ptr [ebp-48Ch]
00401288   movsx   ebx,byte ptr [ebp+eax-484h]
00401290   mov ecx,dword ptr [ebp-488h]
00401296   push ecx
00401297   lea ecx,[ebp-84h]
0040129D   call  @ILT+55(std::basic_string,std::allocator >::operator[]
004012A2   movsx   edx,byte ptr [eax]
004012A5   xor ebx,edx
004012A7   mov eax,dword ptr [ebp-48Ch]
004012AD   mov byte ptr [ebp+eax-484h],bl
26:   ++v8;
004012B4   mov ecx,dword ptr [ebp-488h]
004012BA   add ecx,1
004012BD   mov dword ptr [ebp-488h],ecx
27:   }
28:
29:   }
004012C3   jmp main+153h (00401243)
30:   for(i = 0;i < b;i++)
004012C8   mov dword ptr [ebp-48Ch],0
004012D2   jmp main+1F3h (004012e3)
004012D4   mov edx,dword ptr [ebp-48Ch]
004012DA   add edx,1
004012DD   mov dword ptr [ebp-48Ch],edx
004012E3   mov eax,dword ptr [ebp-48Ch]
004012E9   cmp eax,dword ptr [b]
004012EF   jge main+25Ah (0040134a)
31:   {
32:   if(i % 2 == 0)
004012F1   mov ecx,dword ptr [ebp-48Ch]
004012F7   and ecx,80000001h
004012FD   jns main+214h (00401304)
004012FF   dec ecx
00401300   or  ecx,0FEh
00401303   inc ecx
00401304   test ecx,ecx
00401306   jne main+258h (00401348)
33:   {
34:   char v0 = s[i];
00401308   mov edx,dword ptr [ebp-48Ch]
0040130E   mov al,byte ptr [ebp+edx-484h]
00401315   mov byte ptr [v0],al
35:   s[i] = s[i+1];
0040131B   mov ecx,dword ptr [ebp-48Ch]
00401321   mov edx,dword ptr [ebp-48Ch]
00401327   mov al,byte ptr [ebp+edx-483h]
0040132E   mov byte ptr [ebp+ecx-484h],al
36:   s[i+1] = v0;
00401335   mov ecx,dword ptr [ebp-48Ch]
0040133B   mov dl,byte ptr [v0]
00401341   mov byte ptr [ebp+ecx-483h],dl
37:   }
38:   }
00401348   jmp main+1E4h (004012d4)
39:   i = 0;
0040134A   mov dword ptr [ebp-48Ch],0
40:   while(i < b)
00401354   mov eax,dword ptr [ebp-48Ch]
0040135A   cmp eax,dword ptr [b]
00401360   jge main+2BAh (004013aa)
41:   {
42:   if(b != v11) v3 = 0;
00401362   mov ecx,dword ptr [b]
00401368   cmp ecx,dword ptr [ebp-10h]
0040136B   je  main+286h (00401376)
0040136D   mov dword ptr [ebp-14h],0
43:   else if(s[i] != v2[i]) v3 = 0;
00401374   jmp main+2BAh (004013aa)
00401376   mov edx,dword ptr [ebp-48Ch]
0040137C   movsx   eax,byte ptr [ebp+edx-484h]
00401384   mov ecx,dword ptr [ebp-48Ch]
0040138A   cmp eax,dword ptr [ebp+ecx*4-74h]
0040138E   je  main+2A9h (00401399)
00401390   mov dword ptr [ebp-14h],0
44:   else{
00401397   jmp main+2BAh (004013aa)
45:   ++i;
00401399   mov edx,dword ptr [ebp-48Ch]
0040139F   add edx,1
004013A2   mov dword ptr [ebp-48Ch],edx
46:   continue;
004013A8   jmp main+264h (00401354)
47:   }
48:   break;
49:   }
50:   if(v3 == 0)
004013AA   cmp dword ptr [ebp-14h],0
004013AE   jne main+2CFh (004013bf)
51:   printf("Tryagain!\n");
004013B0   push offset string "Tryagain!\n" (00433044)
004013B5   call printf (00408b50)
004013BA   add esp,4
52:   else
004013BD   jmp main+2DCh (004013cc)
53:   {
54:   printf("Congratulation! This is true.\n");
004013BF   push offset string "Congratulation! This is true.\n" (0043301c)
004013C4   call printf (00408b50)
004013C9   add esp,4
55:   }
56:   }while(v3 == 0);
004013CC   cmp dword ptr [ebp-14h],0
004013D0   je  main+111h (00401201)
57:
58:   }
004013D6   mov dword ptr [ebp-4],0FFFFFFFFh
004013DD   lea ecx,[ebp-84h]
004013E3   call  @ILT+75(std::basic_string,std::allocator >::~basic_str
004013E8   mov ecx,dword ptr [ebp-0Ch]
004013EB   mov dword ptr fs:[0],ecx
004013F2   pop edi
004013F3   pop esi
004013F4   pop ebx
004013F5   add esp,4D8h
004013FB   cmp ebp,esp
004013FD   call__chkesp (00408fb0)
00401402   mov esp,ebp
00401404   pop ebp
00401405   ret

f5结果

看一下failure:4013F7:call analysis falied

到4013F7

修正一下


未知的就是v6[]数组里面的内容了

看看汇编代码发现

点进去,修改一下

根据以上分析,梳理一下程序执行的过程:要求输入一个字符串s,将其奇数位与程序内的一个字符串进行异或,然后再将奇数位和偶数位交换,再去与程序内的一个数组相比较,如果相同则正确。

把算法反过来,先交换,再异或,然后将其中没有声明的变量声明一下,运行,直接跑出flag.

#include
#include
#include
using namespace std;
int main()
{
    int j = 0;
    int v2[24]={31,102,14,97,48,123,57,95,32,95,39,95,16,95,7,116,29,65,26,100,84,48,15,100};
    string k = "sicnuisasher";
    for(int i = 0;i < 24;i++)
    {
        if(i % 2 == 0)
        {
            int v = v2[i];
            v2[i] = v2[i+1];
            v2[i+1] = v;
        }
    }
    for(int i = 0;i < 24;i++)
    {
        if(i % 2 != 0)
        {
            v2[i] = ((int)(v2[i] ^ k[j]));
            j++;
        }
    }
    for(int i = 0;i < 24;i++)
        printf("%c",v2[i]);
    return 0;
}

本篇文章中用到的ida 是一款相当强大的逆向工具,掌握起来也较困难,推荐一本书《IDA Pro权威指南 (第2版)》,大家如果有不会的就查书,希望可以对大家有所帮助,本篇文章如有错误,请留言。

你可能感兴趣的:(总结)