[看雪CTF2016]第十六题分析
发表于: 2016-12-3 00:18 2463

运行程序后用调试器附加, 在 gets(即下文的 gets_s)末尾下断点; 断下后再在 VM 相关函数(dispatcher 及各 handler)上下断点, 之后逐步跟踪即可。

0040140D >/.  55            push    ebp                              ;  gets_s: thin wrapper that forwards its two stack arguments, plus a constant 0, to gets_helper
0040140E  |.  8BEC          mov     ebp, esp                         ;  set up an ebp frame so the arguments are at [ebp+8] and [ebp+C]
00401410  |.  6A 00         push    0                                ;  third argument for the helper, always 0 (its meaning is not visible in this listing)
00401412  |.  FF75 0C       push    dword ptr [ebp+C]                ;  caller's 2nd argument -- presumably the buffer size if this matches the CRT gets_s(buf, size); confirm
00401415  |.  FF75 08       push    dword ptr [ebp+8]                ;  caller's 1st argument -- presumably the destination buffer; confirm
00401418  |.  E8 D8FDFFFF   call    <gets_helper>                    ;  the actual read is done by the helper, not here
0040141D  |.  83C4 0C       add     esp, 0C                          ;  drop the three dwords pushed above (caller-cleanup call)
00401420  |.  5D            pop     ebp
00401421  \.  C3            retn                                     ;  eax from gets_helper is passed back unchanged; the write-up breaks at the end of this function, presumably once the input has been read

vm_dispatcher
00421224    FF2485 1B274200 jmp     dword ptr [eax*4+42271B]         ;  indirect jump through a table of 4-byte entries at 0x42271B indexed by eax (presumably the decoded VM opcode -- confirm); a breakpoint here sees every dispatched handler

vm_sub
004213E1 >  8B45 00         mov     eax, dword ptr [ebp]             ;  only the handler's first instruction is shown: loads a dword from [ebp] (ebp presumably acts as the VM operand-stack pointer -- confirm)

vm_nand
00421C3B >  81EA 396B9CED   sub     edx, ED9C6B39                    ;  only the handler's first instruction is shown: subtracts a constant from edx; this has no obvious role in a NAND and may be obfuscation padding -- confirm by tracing the rest of the handler

vm_push_imm8
00421FC4    8A06            mov     al, byte ptr [esi]               ;  only the handler's first instruction is shown: reads one byte from [esi] (presumably esi is the VM bytecode pointer and this byte is the imm8 operand -- confirm)


sn 长度为 0x0D(即 13 字节, 对应下面的 sn[0]..sn[12]); 各字节由跟踪到的两个值异或得到(sn[10]、sn[12] 直接给出):
sn[0] = 0x57 ^ 0x1B = 0x4C = L
sn[1] = 0x6F ^ 0x06 = 0x69 = i
sn[2] = 0x4A ^ 0x02 = 0x48 = H
sn[3] = 0x69 ^ 0x08 = 0x61 = a
sn[4] = 0x75 ^ 0x1C = 0x69 = i
sn[5] = 0x53 ^ 0x1F = 0x4C = L
sn[6] = 0x68 ^ 0x0D = 0x65 = e
sn[7] = 0x69 ^ 0x3E = 0x57 = W
sn[8] = 0x5A ^ 0x35 = 0x6F = o
sn[9] = 0x68 ^ 0x2C = 0x44 = D
sn[10] = 0x65 = e
sn[11] = 0x4D ^ 0x0A = 0x47 = G
sn[12] = 0x65 = e

按顺序拼接以上 13 个字符, 得到 sn = LiHaiLeWoDeGe
