Download the file.
When the program is run, there is no response no matter what is entered.
1. Check for a packer (found UPX)
If the packed file is put straight into IDA for analysis, only two functions show up and no useful information can be obtained.
2. Unpack with an unpacking tool
After clicking Unpack, a new unpacked file is generated on the desktop. (An unmodified UPX pack can also be removed with `upx -d file.exe`.)
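The packer check and the 32-bit/64-bit determination can be reproduced by hand from the PE headers. The C program below is an added example, not code from the original writeup or from any tool it used: it walks the DOS header to the PE signature, reads the optional-header magic (0x10b = PE32, 0x20b = PE32+) and counts section names that begin with "UPX", which stock UPX leaves as UPX0/UPX1. The input buffers are constructed by `build_fake_pe` for this example and are not real executables; a modified packer may rename its sections, so zero hits does not prove the file is unpacked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of a lightweight PE triage: bitness plus a UPX heuristic. */
struct pe_info {
    int valid;     /* 1 if the buffer parsed as a PE file */
    int bits;      /* 32 or 64 from the optional header magic, 0 if unknown */
    int upx_hits;  /* number of section names that start with "UPX" */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* DOS header -> PE signature -> COFF header -> optional header magic ->
 * section table, using only fixed layout facts of the PE format. */
struct pe_info pe_triage(const uint8_t *buf, size_t len)
{
    struct pe_info r = { 0, 0, 0 };
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return r;
    uint32_t pe = rd32(buf + 0x3c);                   /* e_lfanew */
    if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4) != 0)
        return r;
    uint16_t nsec  = rd16(buf + pe + 6);              /* NumberOfSections */
    uint16_t optsz = rd16(buf + pe + 20);             /* SizeOfOptionalHeader */
    if (optsz < 2 || len - pe - 24 < optsz)
        return r;
    uint16_t magic = rd16(buf + pe + 24);             /* 0x10b = PE32, 0x20b = PE32+ */
    r.bits = magic == 0x10b ? 32 : magic == 0x20b ? 64 : 0;
    size_t off = (size_t)pe + 24 + optsz;             /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec && off + 40 <= len; i++, off += 40) {
        if (memcmp(buf + off, "UPX", 3) == 0)         /* UPX0 / UPX1 / UPX2 */
            r.upx_hits++;
    }
    r.valid = 1;
    return r;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a constructed, minimal PE header image (sample data for this example,
 * not a real executable) with the given section names. Returns bytes written. */
size_t build_fake_pe(uint8_t *buf, size_t cap, int pe32plus,
                     const char *const *names, int nsec)
{
    const uint32_t pe = 0x40;
    const uint16_t optsz = pe32plus ? 240 : 224;      /* standard optional header sizes */
    size_t need = pe + 24 + optsz + 40 * (size_t)nsec;
    if (need > cap)
        return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 6, (uint16_t)nsec);
    wr16(buf + pe + 20, optsz);
    wr16(buf + pe + 24, pe32plus ? 0x20b : 0x10b);
    for (int i = 0; i < nsec; i++) {
        size_t n = strlen(names[i]);
        if (n > 8) n = 8;                             /* Name is 8 bytes, not NUL-terminated when full */
        memcpy(buf + pe + 24 + optsz + 40 * (size_t)i, names[i], n);
    }
    return need;
}

int main(void)
{
    uint8_t buf[1024];
    const char *packed[] = { "UPX0", "UPX1", ".rsrc" };   /* what stock UPX leaves behind */
    const char *plain[]  = { ".text", ".rdata", ".data" };
    size_t n = build_fake_pe(buf, sizeof buf, 0, packed, 3);
    struct pe_info r = pe_triage(buf, n);
    printf("sample 1: valid=%d bits=%d upx_sections=%d\n", r.valid, r.bits, r.upx_hits);
    n = build_fake_pe(buf, sizeof buf, 1, plain, 3);
    r = pe_triage(buf, n);
    printf("sample 2: valid=%d bits=%d upx_sections=%d\n", r.valid, r.bits, r.upx_hits);
    return 0;
}
```

The bitness read here is what decides between the 32-bit and 64-bit IDA; the section-name check is the same heuristic that packer-detection tools apply first, before falling back to signature scanning.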
3. Put the unpacked file into the 32-bit IDA for analysis
Shift+F12 opens the Strings window (look for keywords)
Double-click a string to jump to it, then see where it is referenced
Double-click the location that references the string to enter the graph view of the function
Press F5 to view the pseudocode
strcpy(Str2, "HappyNewYear!");
——> copies the string HappyNewYear! into Str2
strlen(Str2) ——> returns the length of the string Str2 (13 here)
strncmp(Str1, Str2, strlen(Str2))
——> compares Str1 with Str2, looking at no more than strlen(Str2) characters; the return value is 0 when the two match over that length
if ( !strncmp(Str1, Str2, strlen(Str2)) )
——> let a = strncmp(Str1, Str2, strlen(Str2)); the condition becomes if(!a), which holds only when a is 0, i.e. when the comparison matched, and then puts(aThisIsTrueFlag) is executed
Double-clicking aThisIsTrueFlag shows that the string printed by puts is "this is true flag!"
Since "this is true flag!" is printed only when Str1 matches Str2, the input must equal the content of Str2, which is HappyNewYear!
Flag obtained: flag{ HappyNewYear!}
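The check above, reconstructed as an added C example (not the challenge's own code), shows a detail worth noticing in the pseudocode: because strncmp is bounded by strlen(Str2), only the first 13 characters of the input take part in the comparison, so any input that merely starts with HappyNewYear! also reaches the success message. `check_flag_strict` is a hypothetical variant added here for contrast and does not exist in the binary.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the check seen in the decompiled pseudocode.
 * Only the first strlen(Str2) bytes of the input take part in the
 * comparison, exactly as strncmp is called in the binary. */
int check_flag(const char *Str1)
{
    char Str2[32];
    strcpy(Str2, "HappyNewYear!");
    return strncmp(Str1, Str2, strlen(Str2)) == 0;   /* 1 means "this is true flag!" */
}

/* Hypothetical strict variant (not in the challenge): compares the whole
 * input, so trailing characters after the expected string are rejected. */
int check_flag_strict(const char *Str1)
{
    return strcmp(Str1, "HappyNewYear!") == 0;
}

int main(void)
{
    /* Constructed inputs: the exact string, a longer input sharing the
     * prefix, a truncated input, and an unrelated one. */
    const char *inputs[] = { "HappyNewYear!", "HappyNewYear!extra", "HappyNewYear", "wrong" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s strncmp-check=%d strict-check=%d\n",
               inputs[i], check_flag(inputs[i]), check_flag_strict(inputs[i]));
    return 0;
}
```

The truncated input fails because strncmp stops at the first differing byte, and the NUL terminator of "HappyNewYear" differs from the '!' in Str2; the longer input passes because the 13-byte bound never reaches the extra characters.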
Process summary
Question conditions:
- PE file (an exe file is a type of PE file)
Steps to do the question:
- Run the exe file to see whether it gives away any information
- Use a packer-detection tool to check for a packer and to find out whether the program is 32-bit or 64-bit
- If the file is packed, unpack it first
- Analyze it with IDA (use Shift+F12 to list the strings and look for keywords such as flag)
ida analysis process:
- Shift+F12 to list the strings and look for keywords (such as flag). If there are no keywords, start from the main function instead.
- Double-click a string to jump to where it is defined
- View the exact address that references the string
- Press F5 to decompile and view the pseudocode
- Analyze the pseudocode (select a number and press R to show it as a character; select a variable and press X to view its cross-references)