After downloading the attachment, first check for a packer.
Nothing is detected, but looking at the sections we can tell it is the Big Dipper (Beidou) packer. So we start by unpacking: load the file into OllyDbg (OD).
It can also be recognised by the characteristic pushad and pushfd at the entry point.
I use the ESP trick to unpack here; single-stepping with F8 or the memory-image method also works. For this packer you can also set a breakpoint directly on GetVersion to reach the OEP.
Then start unpacking.
Press F9 to run to this point, remove the hardware breakpoint, and you can dump here. The dumping tool that ships with OD is sometimes not easy to use; you can add your own, which is not covered here.
Once unpacking is finished, continue the analysis: load the dump into IDA and press F12 to view it.
Look at the cross-references to get the basic structure.
Press F5 to decompile.
Here we can see that the string we enter must be 42 characters long.
First it checks whether the input length is 42, then it transforms the input string. Reproduced in the following Python:
# 16-byte key; the binary XORs each input byte with key[i % 16]
serial_1 = "this_is_not_flag"
# expected bytes after the XOR, as recovered from the decompiled check
# (44 values are listed, but only the first 42 are compared)
serial_2 = [0x12, 4, 8, 0x14, 0x24, 0x5c, 0x4a, 0x3d, 0x56, 0xa, 0x10, 0x67, 0, 0x41, 0, 1,
            0x46, 0x5a, 0x44, 0x42, 0x6e, 0x0c, 0x44, 0x72, 0x0c, 0x0d, 0x40, 0x3e, 0x4b, 0x5f, 2, 1,
            0x4c, 0x5e, 0x5b, 0x17, 0x6e, 0xc, 0x16, 0x68, 0x5b, 0x12, 0x48, 0x0e]
result = ""
# XOR is its own inverse, so applying the same key to the expected bytes gives the input
for i in range(42):
    result += chr(serial_2[i] ^ ord(serial_1[i % 16]))
print(result)
The flag here is flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}