1. First, the link to the little game:
http://ctf.bugku.com/files/d2935133b45ff7a32b2b9436851959d0/ConsoleApplication4.exe
The rules of the game (as printed by the program) are as follows:
Play a game
n is the index of a light, m is the state of the light.
If the m of the nth light is 1, it is on; otherwise it is off.
Initially all the lights are off.
Now you can enter n to change its state.
But note one thing: if you change the state of light n, the states of light (n-1) and light (n+1) also change.
When all the lights are on, the flag will appear.
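The rules above describe a one-dimensional "lights out" row: every press flips the chosen light and its two neighbours. Rather than patching jumps, the route the game intends is to find a press sequence that turns every light on. The following solver is an added example, not part of the original write-up or of the challenge binary. It assumes 8 lights (N_LIGHTS; the write-up never states the count) and reports 0-indexed positions, so adjust both to whatever the binary's prompt uses.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LIGHTS 64
#define N_LIGHTS   8   /* ASSUMPTION: the write-up does not say how many lights the binary has */

/* Press light i: it and its neighbours flip; neighbours outside the row are ignored. */
static void press(int *state, int n, int i)
{
    state[i] ^= 1;
    if (i > 0)     state[i - 1] ^= 1;
    if (i + 1 < n) state[i + 1] ^= 1;
}

/* Replay a press sequence from the all-off start; returns 1 if every light ends up on.
 * Use this to check an answer before typing it into the game. */
int all_on_after(int n, const int *presses, int count)
{
    int state[MAX_LIGHTS] = {0};
    int i;
    if (n < 1 || n > MAX_LIGHTS) return 0;
    for (i = 0; i < count; i++) {
        if (presses[i] < 0 || presses[i] >= n) return 0;
        press(state, n, presses[i]);
    }
    for (i = 0; i < n; i++)
        if (!state[i]) return 0;
    return 1;
}

/* Solve the row.  The only free choice is whether to press light 0.  After that,
 * light i can only still be fixed by pressing light i+1 (no later press touches i),
 * so press i+1 exactly when light i is off.  If the last light ends up on, the
 * sequence works.  Returns the number of presses written to out[] (0-indexed
 * positions, left to right), or -1 if neither choice for light 0 works. */
int solve_lights(int n, int *out)
{
    int first;
    if (n < 1 || n > MAX_LIGHTS) return -1;
    for (first = 0; first < 2; first++) {
        int state[MAX_LIGHTS] = {0};
        int presses[MAX_LIGHTS];
        int count = 0, i;
        if (first) { press(state, n, 0); presses[count++] = 0; }
        for (i = 0; i + 1 < n; i++)
            if (!state[i]) { press(state, n, i + 1); presses[count++] = i + 1; }
        if (state[n - 1]) {
            memcpy(out, presses, count * sizeof presses[0]);
            return count;
        }
    }
    return -1;
}

int main(void)
{
    int presses[MAX_LIGHTS], count, i;
    count = solve_lights(N_LIGHTS, presses);
    if (count < 0) { printf("no solution for %d lights\n", N_LIGHTS); return 1; }
    printf("press lights (0-indexed):");
    for (i = 0; i < count; i++) printf(" %d", presses[i]);
    printf("\n");
    return 0;
}
```

Because every press after the first is forced, only two candidate sequences exist instead of 2^n, which is why the walk left to right is enough; all_on_after is the independent check that a candidate really leaves the row fully lit.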
My approach when I first did this challenge was to load it straight into OD (OllyDbg) and search the strings; since the requirement is that all the lights be on, I figured patching the jumps should be enough. (Looking back I have no idea what I was thinking; I just kept assuming I could patch my way straight to the flag.)
Below are the results of my patching attempt:
Then I changed every conditional jump near those breakpoints to an unconditional jmp.
After re-running, the flag did not appear as expected.
Tracing the jumps showed that the program kept going round inside the loop, which means the flag is only produced once the condition is actually satisfied.
Going back into the string search, one string stands out immediately: "done!!! the flag is".
Following that code, I found a long stretch of byte stores to stack addresses:
0045E975 |. C645 BC 12 mov byte ptr ss:[ebp-0x44],0x12
0045E979 |. C645 BD 40 mov byte ptr ss:[ebp-0x43],0x40
0045E97D |. C645 BE 62 mov byte ptr ss:[ebp-0x42],0x62
0045E981 |. C645 BF 05 mov byte ptr ss:[ebp-0x41],0x5
0045E985 |. C645 C0 02 mov byte ptr ss:[ebp-0x40],0x2
0045E989 |. C645 C1 04 mov byte ptr ss:[ebp-0x3F],0x4
0045E98D |. C645 C2 06 mov byte ptr ss:[ebp-0x3E],0x6
0045E991 |. C645 C3 03 mov byte ptr ss:[ebp-0x3D],0x3
0045E995 |. C645 C4 06 mov byte ptr ss:[ebp-0x3C],0x6
0045E999 |. C645 C5 30 mov byte ptr ss:[ebp-0x3B],0x30
0045E99D |. C645 C6 31 mov byte ptr ss:[ebp-0x3A],0x31
0045E9A1 |. C645 C7 41 mov byte ptr ss:[ebp-0x39],0x41
0045E9A5 |. C645 C8 20 mov byte ptr ss:[ebp-0x38],0x20
0045E9A9 |. C645 C9 0C mov byte ptr ss:[ebp-0x37],0xC
0045E9AD |. C645 CA 30 mov byte ptr ss:[ebp-0x36],0x30
0045E9B1 |. C645 CB 41 mov byte ptr ss:[ebp-0x35],0x41
0045E9B5 |. C645 CC 1F mov byte ptr ss:[ebp-0x34],0x1F
0045E9B9 |. C645 CD 4E mov byte ptr ss:[ebp-0x33],0x4E
0045E9BD |. C645 CE 3E mov byte ptr ss:[ebp-0x32],0x3E
0045E9C1 |. C645 CF 20 mov byte ptr ss:[ebp-0x31],0x20
0045E9C5 |. C645 D0 31 mov byte ptr ss:[ebp-0x30],0x31
0045E9C9 |. C645 D1 20 mov byte ptr ss:[ebp-0x2F],0x20
0045E9CD |. C645 D2 01 mov byte ptr ss:[ebp-0x2E],0x1
0045E9D1 |. C645 D3 39 mov byte ptr ss:[ebp-0x2D],0x39
0045E9D5 |. C645 D4 60 mov byte ptr ss:[ebp-0x2C],0x60
0045E9D9 |. C645 D5 03 mov byte ptr ss:[ebp-0x2B],0x3
0045E9DD |. C645 D6 15 mov byte ptr ss:[ebp-0x2A],0x15
0045E9E1 |. C645 D7 09 mov byte ptr ss:[ebp-0x29],0x9
0045E9E5 |. C645 D8 04 mov byte ptr ss:[ebp-0x28],0x4
0045E9E9 |. C645 D9 3E mov byte ptr ss:[ebp-0x27],0x3E
0045E9ED |. C645 DA 03 mov byte ptr ss:[ebp-0x26],0x3
0045E9F1 |. C645 DB 05 mov byte ptr ss:[ebp-0x25],0x5
0045E9F5 |. C645 DC 04 mov byte ptr ss:[ebp-0x24],0x4
0045E9F9 |. C645 DD 01 mov byte ptr ss:[ebp-0x23],0x1
0045E9FD |. C645 DE 02 mov byte ptr ss:[ebp-0x22],0x2
0045EA01 |. C645 DF 03 mov byte ptr ss:[ebp-0x21],0x3
0045EA05 |. C645 E0 2C mov byte ptr ss:[ebp-0x20],0x2C
0045EA09 |. C645 E1 41 mov byte ptr ss:[ebp-0x1F],0x41
0045EA0D |. C645 E2 4E mov byte ptr ss:[ebp-0x1E],0x4E
0045EA11 |. C645 E3 20 mov byte ptr ss:[ebp-0x1D],0x20
0045EA15 |. C645 E4 10 mov byte ptr ss:[ebp-0x1C],0x10
0045EA19 |. C645 E5 61 mov byte ptr ss:[ebp-0x1B],0x61
0045EA1D |. C645 E6 36 mov byte ptr ss:[ebp-0x1A],0x36
0045EA21 |. C645 E7 10 mov byte ptr ss:[ebp-0x19],0x10
0045EA25 |. C645 E8 2C mov byte ptr ss:[ebp-0x18],0x2C
0045EA29 |. C645 E9 34 mov byte ptr ss:[ebp-0x17],0x34
0045EA2D |. C645 EA 20 mov byte ptr ss:[ebp-0x16],0x20
0045EA31 |. C645 EB 40 mov byte ptr ss:[ebp-0x15],0x40
0045EA35 |. C645 EC 59 mov byte ptr ss:[ebp-0x14],0x59
0045EA39 |. C645 ED 2D mov byte ptr ss:[ebp-0x13],0x2D
0045EA3D |. C645 EE 20 mov byte ptr ss:[ebp-0x12],0x20
0045EA41 |. C645 EF 41 mov byte ptr ss:[ebp-0x11],0x41
0045EA45 |. C645 F0 0F mov byte ptr ss:[ebp-0x10],0xF
0045EA49 |. C645 F1 22 mov byte ptr ss:[ebp-0xF],0x22
0045EA4D |. C645 F2 12 mov byte ptr ss:[ebp-0xE],0x12
0045EA51 |. C645 F3 10 mov byte ptr ss:[ebp-0xD],0x10
0045EA55 |. C645 F4 00 mov byte ptr ss:[ebp-0xC],0x0
0045EA59 |. C685 78FFFFFF>mov byte ptr ss:[ebp-0x88],0x7B
0045EA60 |. C685 79FFFFFF>mov byte ptr ss:[ebp-0x87],0x20
0045EA67 |. C685 7AFFFFFF>mov byte ptr ss:[ebp-0x86],0x12
0045EA6E |. C685 7BFFFFFF>mov byte ptr ss:[ebp-0x85],0x62
0045EA75 |. C685 7CFFFFFF>mov byte ptr ss:[ebp-0x84],0x77
0045EA7C |. C685 7DFFFFFF>mov byte ptr ss:[ebp-0x83],0x6C
0045EA83 |. C685 7EFFFFFF>mov byte ptr ss:[ebp-0x82],0x41
0045EA8A |. C685 7FFFFFFF>mov byte ptr ss:[ebp-0x81],0x29
0045EA91 |. C645 80 7C mov byte ptr ss:[ebp-0x80],0x7C
0045EA95 |. C645 81 50 mov byte ptr ss:[ebp-0x7F],0x50
0045EA99 |. C645 82 7D mov byte ptr ss:[ebp-0x7E],0x7D
0045EA9D |. C645 83 26 mov byte ptr ss:[ebp-0x7D],0x26
0045EAA1 |. C645 84 7C mov byte ptr ss:[ebp-0x7C],0x7C
0045EAA5 |. C645 85 6F mov byte ptr ss:[ebp-0x7B],0x6F
0045EAA9 |. C645 86 4A mov byte ptr ss:[ebp-0x7A],0x4A
0045EAAD |. C645 87 31 mov byte ptr ss:[ebp-0x79],0x31
0045EAB1 |. C645 88 53 mov byte ptr ss:[ebp-0x78],0x53
0045EAB5 |. C645 89 6C mov byte ptr ss:[ebp-0x77],0x6C
0045EAB9 |. C645 8A 5E mov byte ptr ss:[ebp-0x76],0x5E
0045EABD |. C645 8B 6C mov byte ptr ss:[ebp-0x75],0x6C
0045EAC1 |. C645 8C 54 mov byte ptr ss:[ebp-0x74],0x54
0045EAC5 |. C645 8D 06 mov byte ptr ss:[ebp-0x73],0x6
0045EAC9 |. C645 8E 60 mov byte ptr ss:[ebp-0x72],0x60
0045EACD |. C645 8F 53 mov byte ptr ss:[ebp-0x71],0x53
0045EAD1 |. C645 90 2C mov byte ptr ss:[ebp-0x70],0x2C
0045EAD5 |. C645 91 79 mov byte ptr ss:[ebp-0x6F],0x79
0045EAD9 |. C645 92 68 mov byte ptr ss:[ebp-0x6E],0x68
0045EADD |. C645 93 6E mov byte ptr ss:[ebp-0x6D],0x6E
0045EAE1 |. C645 94 20 mov byte ptr ss:[ebp-0x6C],0x20
0045EAE5 |. C645 95 5F mov byte ptr ss:[ebp-0x6B],0x5F
0045EAE9 |. C645 96 75 mov byte ptr ss:[ebp-0x6A],0x75
0045EAED |. C645 97 65 mov byte ptr ss:[ebp-0x69],0x65
0045EAF1 |. C645 98 63 mov byte ptr ss:[ebp-0x68],0x63
0045EAF5 |. C645 99 7B mov byte ptr ss:[ebp-0x67],0x7B
0045EAF9 |. C645 9A 7F mov byte ptr ss:[ebp-0x66],0x7F
0045EAFD |. C645 9B 77 mov byte ptr ss:[ebp-0x65],0x77
0045EB01 |. C645 9C 60 mov byte ptr ss:[ebp-0x64],0x60
0045EB05 |. C645 9D 30 mov byte ptr ss:[ebp-0x63],0x30
0045EB09 |. C645 9E 6B mov byte ptr ss:[ebp-0x62],0x6B
0045EB0D |. C645 9F 47 mov byte ptr ss:[ebp-0x61],0x47
0045EB11 |. C645 A0 5C mov byte ptr ss:[ebp-0x60],0x5C
0045EB15 |. C645 A1 1D mov byte ptr ss:[ebp-0x5F],0x1D
0045EB19 |. C645 A2 51 mov byte ptr ss:[ebp-0x5E],0x51
0045EB1D |. C645 A3 6B mov byte ptr ss:[ebp-0x5D],0x6B
0045EB21 |. C645 A4 5A mov byte ptr ss:[ebp-0x5C],0x5A
0045EB25 |. C645 A5 55 mov byte ptr ss:[ebp-0x5B],0x55
0045EB29 |. C645 A6 40 mov byte ptr ss:[ebp-0x5A],0x40
0045EB2D |. C645 A7 0C mov byte ptr ss:[ebp-0x59],0xC
0045EB31 |. C645 A8 2B mov byte ptr ss:[ebp-0x58],0x2B
0045EB35 |. C645 A9 4C mov byte ptr ss:[ebp-0x57],0x4C
0045EB39 |. C645 AA 56 mov byte ptr ss:[ebp-0x56],0x56
0045EB3D |. C645 AB 0D mov byte ptr ss:[ebp-0x55],0xD
0045EB41 |. C645 AC 72 mov byte ptr ss:[ebp-0x54],0x72
0045EB45 |. C645 AD 01 mov byte ptr ss:[ebp-0x53],0x1
0045EB49 |. C645 AE 75 mov byte ptr ss:[ebp-0x52],0x75
0045EB4D |. C645 AF 7E mov byte ptr ss:[ebp-0x51],0x7E
0045EB51 |. C645 B0 00 mov byte ptr ss:[ebp-0x50],0x0
Two 57-byte buffers are filled, one at [ebp-0x44] and one at [ebp-0x88], each ending in 0x00. The flag is obtained by XORing the two buffers byte by byte and then XORing with 0x13. Written in C, this is:
#include <stdio.h>

int main(void)
{
    /* First buffer: the bytes stored at [ebp-0x44] .. [ebp-0xC] in the listing (57 bytes, the last one 0x00). */
    unsigned char ss[57] = {0x12,0x40,0x62,0x5,0x2,0x4,0x6,0x3,0x6,0x30,0x31,0x41,0x20,0xc,0x30,0x41,0x1f,0x4e,0x3e,0x20,0x31,0x20,0x1,0x39,0x60,0x3,0x15,0x9,0x4,0x3e,0x3,0x5,0x4,0x1,0x2,0x3,0x2c,0x41,0x4e,0x20,0x10,0x61,0x36,0x10,0x2c,0x34,0x20,0x40,0x59,0x2d,0x20,0x41,0xf,0x22,0x12,0x10,0x0};
    /* Second buffer: the bytes stored at [ebp-0x88] .. [ebp-0x50] (57 bytes).
       The tenth byte is 0x50, as the store at 0045EA95 shows; transcribing it as 0x51 yields a wrong character. */
    unsigned char s[57] = {0x7b,0x20,0x12,0x62,0x77,0x6c,0x41,0x29,0x7c,0x50,0x7d,0x26,0x7c,0x6f,0x4a,0x31,0x53,0x6c,0x5e,0x6c,0x54,0x6,0x60,0x53,0x2c,0x79,0x68,0x6e,0x20,0x5f,0x75,0x65,0x63,0x7b,0x7f,0x77,0x60,0x30,0x6b,0x47,0x5c,0x1d,0x51,0x6b,0x5a,0x55,0x40,0xc,0x2b,0x4c,0x56,0xd,0x72,0x1,0x75,0x7e,0x0};
    int i;

    /* Each flag character is ss[i] ^ s[i] ^ 0x13; the 57th byte of both buffers is the 0x00 terminator, so stop at 56. */
    for (i = 0; i < 56; i++)
        printf("%c", ss[i] ^ s[i] ^ 0x13);
    printf("\n");
    return 0;
}
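The two arrays above were transcribed by hand from 114 listing lines, and one wrong hex digit silently corrupts a character of the flag. As an added example, not the author's code, the following parses lines of the OllyDbg listing as text and rebuilds both stack buffers by stack offset, so the order of the lines does not matter and nothing is retyped. It assumes the buffer bases 0x44 and 0x88 and the 57-byte length read off the listing, and the XOR key 0x13 from the C above; the embedded sample is a constructed, deliberately shuffled subset of the listing lines, enough to decode the first six characters.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN    57    /* each buffer in the listing is 57 bytes, the last one 0x00 */
#define BUF_A_BASE 0x44  /* first buffer starts at [ebp-0x44] */
#define BUF_B_BASE 0x88  /* second buffer starts at [ebp-0x88] */
#define XOR_KEY    0x13  /* the constant the write-up's C code XORs with */

struct stackbuf {
    unsigned char byte[BUF_LEN];
    int present[BUF_LEN];   /* 1 once the listing has supplied that index */
};

/* Constructed sample: a subset of the listing lines, deliberately shuffled,
 * so reconstruction has to go by stack offset rather than by line order. */
static const char *sample_listing[] = {
    "0045E975 |. C645 BC 12 mov byte ptr ss:[ebp-0x44],0x12",
    "0045EA7C |. C685 7DFFFFFF>mov byte ptr ss:[ebp-0x83],0x6C",
    "0045E981 |. C645 BF 05 mov byte ptr ss:[ebp-0x41],0x5",
    "0045EA59 |. C685 78FFFFFF>mov byte ptr ss:[ebp-0x88],0x7B",
    "0045E979 |. C645 BD 40 mov byte ptr ss:[ebp-0x43],0x40",
    "0045EA6E |. C685 7BFFFFFF>mov byte ptr ss:[ebp-0x85],0x62",
    "0045E97D |. C645 BE 62 mov byte ptr ss:[ebp-0x42],0x62",
    "0045EA60 |. C685 79FFFFFF>mov byte ptr ss:[ebp-0x87],0x20",
    "0045E985 |. C645 C0 02 mov byte ptr ss:[ebp-0x40],0x2",
    "0045EA67 |. C685 7AFFFFFF>mov byte ptr ss:[ebp-0x86],0x12",
    "0045E989 |. C645 C1 04 mov byte ptr ss:[ebp-0x3F],0x4",
    "0045EA75 |. C685 7CFFFFFF>mov byte ptr ss:[ebp-0x84],0x77",
    "0045EA83 |. C685 7EFFFFFF>mov byte ptr ss:[ebp-0x82],0x41",
    NULL
};

/* Extract (offset, value) from "mov byte ptr ss:[ebp-0xNN],0xVV".  Only the operand
 * text is parsed, so the truncated "C685 78FFFFFF>mov ..." lines work too.
 * Returns 1 on success, 0 for any line that is not such a store. */
int parse_mov_line(const char *line, unsigned *off, unsigned *val)
{
    const char *p = strstr(line, "[ebp-0x");
    if (p == NULL)
        return 0;
    return sscanf(p, "[ebp-0x%x],0x%x", off, val) == 2;
}

/* Store one byte into buf if the offset lies inside that buffer's 57-byte range;
 * [ebp-base] is element 0 and offsets grow downwards from there. */
static void place(struct stackbuf *buf, unsigned base, unsigned off, unsigned val)
{
    if (off > base || base - off >= BUF_LEN)
        return;                          /* belongs to the other buffer, or to neither */
    buf->byte[base - off] = (unsigned char)val;
    buf->present[base - off] = 1;
}

/* Rebuild both buffers from listing lines and decode flag[i] = A[i] ^ B[i] ^ 0x13.
 * Stops at the first index missing from either buffer (a partial listing) or at the
 * 0x00/0x00 terminator pair.  Returns the number of characters written to out. */
int decode_flag(const char **lines, char *out, int outsz)
{
    struct stackbuf a, b;
    int n = 0;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    for (; *lines != NULL; lines++) {
        unsigned off, val;
        if (!parse_mov_line(*lines, &off, &val))
            continue;
        place(&a, BUF_A_BASE, off, val);
        place(&b, BUF_B_BASE, off, val);
    }
    while (n < BUF_LEN && n < outsz - 1) {
        if (!a.present[n] || !b.present[n])
            break;
        if (a.byte[n] == 0 && b.byte[n] == 0)
            break;
        out[n] = (char)(a.byte[n] ^ b.byte[n] ^ XOR_KEY);
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char flag[BUF_LEN + 1];
    int n = decode_flag(sample_listing, flag, (int)sizeof flag);
    printf("%d byte(s) decoded from the sample: %s\n", n, flag);
    return 0;
}
```

Feed it the full 114 lines (pasted from the debugger into the array, or read from a file) and it decodes the whole flag; the point is that the offset in the operand, not the line position, decides where each byte lands, which is exactly the information a manual transcription throws away.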
Summary: once I rewrote it, the process turned out to be really simple, yet it took a very long time. The key problem is that I lack a particular way of thinking about reversing; put simply, I didn't understand what the program's author wanted us to do and what we actually needed to do. As a newcomer I wasted far too much time in places, and for a while I was even still puzzling over what the challenge description meant.
The mistakes made along the way, getting even some very basic concepts wrong, really shouldn't happen; it's like someone who wants to be a writer constantly making spelling mistakes.
(PS: of course you can also decompile it with IDA and look at the pseudocode, but personally I find that cumbersome; if you want to write out the source, give it a try. I'll attach the source later~)
Below are the places where I went wrong; what follows the **** is the corrected version: