Executing the program in Linux, prompting a segfault.
Static analysis:
ida opens the file. Find the main function.
When debugging, I found that authenticate () would get stuck and could not be executed.
The program has an error in authenticate ().
Enter the authenticate () function. An encryption function decrypt () was found.
Incoming s2 and dword_8048A90.
The internal logic is to subtract the value of the second array from the first array passed into this function.
Check the values at s and dword_8048A90.
shift + e is integrated. Write code.
s = [0x143A, 0x1436, 0x1437, 0x143B, 0x1480, 0x147A, 0x1471, 0x1478, 0x1463, 0x1466, 0x1473, 0x1467, 0x1462, 0x1465, 0x1473, 0x1460, 0x146B, 0x1471, 0x1478, 0x146A, 0x1473, 0x1470, 0x1464, 0x1478, 0x146E, 0x1470, 0x1470, 0x1464, 0x1470, 0x1464, 0x146E, 0x147B, 0x1476, 0x1478, 0x146A, 0x1473, 0x147B, 0x1480] """ 3A 14 00 00 36 14 00 00 37 14 00 00 3B 14 00 00 80 14 00 00 7A 14 00 00 71 14 00 00 78 14 00 00 63 14 00 00 66 14 00 00 73 14 00 00 67 14 00 00 62 14 00 00 65 14 00 00 73 14 00 00 60 14 00 00 6B 14 00 00 71 14 00 00 78 14 00 00 6A 14 00 00 73 14 00 00 70 14 00 00 64 14 00 00 78 14 00 00 6E 14 00 00 70 14 00 00 70 14 00 00 64 14 00 00 70 14 00 00 64 14 00 00 6E 14 00 00 7B 14 00 00 76 14 00 00 78 14 00 00 6A 14 00 00 73 14 00 00 7B 14 00 00 80 14 """ a = [0x1401, 0x1402, 0x1403, 0x1404, 0x1405] v6 = len(s) v7 = len(a) l = 0 for i in range(v6): if l >= v7: l = 0 s[i] -= a[l] l += 1 for i in s: print(chr(i), end='')
Dynamic debugging:
F7 enters the authenticate () function, and F8 steps through decrypt. Double-click the eax below to see the flag.