Problem statement
This challenge tests two pieces of knowledge: stack pointer modification in IDA, and SMC (self-modifying code). For the SMC part there are two ways to break it: an IDC script that patches the bytes statically, or dynamic debugging.
Stack pointer modification
When you go to 0x401838 the program directly throws an sp pointer error (stack imbalance). Click Options -> General and tick "Stack pointer", then locate address 0x401838. Looking at the screenshot, is the sp (the stack top pointer) different before and after the call instruction? It is. So how do we balance the stack? For details see https://blog.csdn.net/dj0379/article/details/8699219?utm_source=app&app_version=4.5.5
If nothing else is wrong, just change it: click the call instruction, press Alt+K on the keyboard, and change this sp delta to 0.
Then there is another error like this further down; modify it the same way, and after the modification F5 works.
The wrong function (screenshot):
The omg function (screenshot):
Export the memory array with the shortcut Shift+E:
unsigned char unk_4030C0[] =
{
0x66,0x6B,0x63,0x64,0x7F,0x61,0x67,0x64,
0x3B,0x56,0x6B,0x61,0x7B,0x26,0x3B,0x50,
0x63,0x5F,0x4D,0x5A,0x71,0x0C,0x37,0x66
};
Running this array through the wrong and omg functions only produces a fake flag, so that effort was wasted: flag{fak3_alw35_sp_me!!}
SMC (self-modifying code)
There is a very long for loop here, which is obviously SMC at first glance, so in the static view F5 fails as soon as I enter encrypt. I got excited about the stack top pointer... didn't look carefully, and just went and modified the stack pointer... I also patched these two instructions... and even specifically checked what data is added after the enter instruction... Forget it, it was all a blind tragedy...
Dynamic approach
Enter encrypt (analyse the code that was placed in the data segment):
.text:0040152C jmp short near ptr dword_401534+43h
The jump target lies in the data segment, which is inconvenient for us to observe and the disassembler does not parse it, but it does not affect the program's execution. To examine it, we need to turn this bunch of data-segment bytes into code (press the C key) so IDA parses it, after which it looks like this.
Next press the P key, that is, treat it as a function, and decompile:
int __cdecl encrypt(char *a1)
{
  int v2[19]; // [sp+1Ch] [bp-6Ch]@1   expected values, copied from unk_403040
  int v3; // [sp+68h] [bp-20h]@1       result, 1 = every byte matched
  int i; // [sp+6Ch] [bp-1Ch]@1

  v3 = 1;
  qmemcpy(v2, &unk_403040, sizeof(v2));
  // each input byte XORed with the key string must equal the stored byte
  for ( i = 0; i <= 18; ++i )
  {
    if ( (char)(a1[i] ^ aHahahaha_do_yo[i]) != v2[i] )
    {
      puts("wrong ~");
      v3 = 0;
      exit(0);
    }
  }
  if ( v3 == 1 )
    puts("come here");
  return v3;
}
unsigned char unk_403040[] =
{
0x0E,0x0D,0x09,0x06,0x13,0x05,
0x58,0x56,0x3E,0x06,0x0C,0x3C,
0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,
};
aHahahaha_do_yo db 'hahahaha_do_you_find_me?'
Only 19 bytes are checked above; the remaining five are checked in the finally function. The last value is 58 because the last character of the flag is always }, and } XORed with 71 gives 58; the previous four values are likewise XORed with 71. Pretty strong.
flag{d07abccf8a410cb37a}
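As an added example (not part of the original write-up), here is a Python solver that mirrors the decompiled encrypt() loop above and inverts it. CIPHER and KEY are the page's own data (unk_403040 and aHahahaha_do_yo); FINALLY_CONST is constructed here, since the page only states that the tail bytes are XORed with 71 and that the final value is 58, so the other four constants are chosen to match the flag the page gives.

```python
# Added example: solver for the encrypt()/finally() checks. CIPHER and KEY
# come from the page; FINALLY_CONST is constructed (only 58 is on the page).

CIPHER = bytes([
    0x0E, 0x0D, 0x09, 0x06, 0x13, 0x05,
    0x58, 0x56, 0x3E, 0x06, 0x0C, 0x3C,
    0x1F, 0x57, 0x14, 0x6B, 0x57, 0x59, 0x0D,
])  # unk_403040, the 19 expected bytes
KEY = b"hahahaha_do_you_find_me?"  # aHahahaha_do_yo
FINALLY_XOR = 71
FINALLY_CONST = bytes([0x25, 0x74, 0x70, 0x26, 58])  # constructed; 58 is from the page


def encrypt_check(a1: bytes) -> bool:
    """Mirror of encrypt(): (char)(a1[i] ^ key[i]) must equal v2[i] for i in 0..18."""
    if len(a1) < len(CIPHER):
        return False
    for i in range(len(CIPHER)):
        if (a1[i] ^ KEY[i]) & 0xFF != CIPHER[i]:
            return False  # the binary prints "wrong ~" and exits here
    return True


def finally_check(a1: bytes) -> bool:
    """Mirror of the tail check in finally(): bytes 19..23 XOR 71 must equal the constants."""
    tail = a1[len(CIPHER):len(CIPHER) + len(FINALLY_CONST)]
    return len(tail) == len(FINALLY_CONST) and all(
        (t ^ FINALLY_XOR) == c for t, c in zip(tail, FINALLY_CONST)
    )


def recover_flag() -> str:
    # XOR is its own inverse, so each comparison is solved directly.
    prefix = bytes(c ^ k for c, k in zip(CIPHER, KEY))
    tail = bytes(c ^ FINALLY_XOR for c in FINALLY_CONST)
    return (prefix + tail).decode("ascii")


if __name__ == "__main__":
    flag = recover_flag()
    print(flag)
    assert encrypt_check(flag.encode()) and finally_check(flag.encode())
```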
IDC script
#include <idc.idc>
// XOR the 187 SMC bytes starting at 0x401500 with 0x41, reproducing the
// decryption the program performs at run time so the real code can be
// disassembled statically.
static main()
{
  auto start = 0x401500;
  auto i = 0;
  for ( ; i < 187; i++ )
  {
    auto a = Byte(start + i);
    PatchByte(start + i, a ^ 0x41);
  }
}
Save it as a file with the .idc suffix, then load the script file you wrote in IDA (File -> Script file).
Before loading:
After loading:
Then just press the P key... and after F5: