1.先附上这个小游戏的网址
http://ctf.bugku.com/files/d2935133b45ff7a32b2b9436851959d0/ConsoleApplication4.exe
游戏规则如下:
玩一个游戏
n是灯的序列号,m是灯的状态。
如果第N个灯的M是1,它是开着的,如果不是,它就关掉了。
起初所有的灯都关了。
现在你可以输入N来改变它的状态。
但是你应该注意一点,如果你改变了N灯的状态,(n-1)TH和(n + 1)的状态也会改变。
当所有的灯亮着,flag就会出现。
按照我当初做这道题的思路便是直接将它放入od种,搜索字符串,既然要求全部灯亮,那么我爆破就应该可以。(当时也是无语是怎么想的,就一直在想直接爆破出flag)
以下是我爆破的结果:
之后在这些断点的附近的判断语句全部设为无条件跳转:jmp
之后重新运行,便发现并没有按预想出现flag
之后进行跳转循环追踪发现程序一直在循环中进行,说明应当是满足条件之后才能出现flag。
再次进入字符串查找很明显的便看见有一段:dong!!!the flag is
那么跟进这段代码,发现很长的一段对地址进行赋值。
0045E975 |. C645 BC 12 mov byte ptr ss:[ebp-0x44],0x12
0045E979 |. C645 BD 40 mov byte ptr ss:[ebp-0x43],0x40
0045E97D |. C645 BE 62 mov byte ptr ss:[ebp-0x42],0x62
0045E981 |. C645 BF 05 mov byte ptr ss:[ebp-0x41],0x5
0045E985 |. C645 C0 02 mov byte ptr ss:[ebp-0x40],0x2
0045E989 |. C645 C1 04 mov byte ptr ss:[ebp-0x3F],0x4
0045E98D |. C645 C2 06 mov byte ptr ss:[ebp-0x3E],0x6
0045E991 |. C645 C3 03 mov byte ptr ss:[ebp-0x3D],0x3
0045E995 |. C645 C4 06 mov byte ptr ss:[ebp-0x3C],0x6
0045E999 |. C645 C5 30 mov byte ptr ss:[ebp-0x3B],0x30
0045E99D |. C645 C6 31 mov byte ptr ss:[ebp-0x3A],0x31
0045E9A1 |. C645 C7 41 mov byte ptr ss:[ebp-0x39],0x41
0045E9A5 |. C645 C8 20 mov byte ptr ss:[ebp-0x38],0x20
0045E9A9 |. C645 C9 0C mov byte ptr ss:[ebp-0x37],0xC
0045E9AD |. C645 CA 30 mov byte ptr ss:[ebp-0x36],0x30
0045E9B1 |. C645 CB 41 mov byte ptr ss:[ebp-0x35],0x41
0045E9B5 |. C645 CC 1F mov byte ptr ss:[ebp-0x34],0x1F
0045E9B9 |. C645 CD 4E mov byte ptr ss:[ebp-0x33],0x4E
0045E9BD |. C645 CE 3E mov byte ptr ss:[ebp-0x32],0x3E
0045E9C1 |. C645 CF 20 mov byte ptr ss:[ebp-0x31],0x20
0045E9C5 |. C645 D0 31 mov byte ptr ss:[ebp-0x30],0x31
0045E9C9 |. C645 D1 20 mov byte ptr ss:[ebp-0x2F],0x20
0045E9CD |. C645 D2 01 mov byte ptr ss:[ebp-0x2E],0x1
0045E9D1 |. C645 D3 39 mov byte ptr ss:[ebp-0x2D],0x39
0045E9D5 |. C645 D4 60 mov byte ptr ss:[ebp-0x2C],0x60
0045E9D9 |. C645 D5 03 mov byte ptr ss:[ebp-0x2B],0x3
0045E9DD |. C645 D6 15 mov byte ptr ss:[ebp-0x2A],0x15
0045E9E1 |. C645 D7 09 mov byte ptr ss:[ebp-0x29],0x9
0045E9E5 |. C645 D8 04 mov byte ptr ss:[ebp-0x28],0x4
0045E9E9 |. C645 D9 3E mov byte ptr ss:[ebp-0x27],0x3E
0045E9ED |. C645 DA 03 mov byte ptr ss:[ebp-0x26],0x3
0045E9F1 |. C645 DB 05 mov byte ptr ss:[ebp-0x25],0x5
0045E9F5 |. C645 DC 04 mov byte ptr ss:[ebp-0x24],0x4
0045E9F9 |. C645 DD 01 mov byte ptr ss:[ebp-0x23],0x1
0045E9FD |. C645 DE 02 mov byte ptr ss:[ebp-0x22],0x2
0045EA01 |. C645 DF 03 mov byte ptr ss:[ebp-0x21],0x3
0045EA05 |. C645 E0 2C mov byte ptr ss:[ebp-0x20],0x2C
0045EA09 |. C645 E1 41 mov byte ptr ss:[ebp-0x1F],0x41
0045EA0D |. C645 E2 4E mov byte ptr ss:[ebp-0x1E],0x4E
0045EA11 |. C645 E3 20 mov byte ptr ss:[ebp-0x1D],0x20
0045EA15 |. C645 E4 10 mov byte ptr ss:[ebp-0x1C],0x10
0045EA19 |. C645 E5 61 mov byte ptr ss:[ebp-0x1B],0x61
0045EA1D |. C645 E6 36 mov byte ptr ss:[ebp-0x1A],0x36
0045EA21 |. C645 E7 10 mov byte ptr ss:[ebp-0x19],0x10
0045EA25 |. C645 E8 2C mov byte ptr ss:[ebp-0x18],0x2C
0045EA29 |. C645 E9 34 mov byte ptr ss:[ebp-0x17],0x34
0045EA2D |. C645 EA 20 mov byte ptr ss:[ebp-0x16],0x20
0045EA31 |. C645 EB 40 mov byte ptr ss:[ebp-0x15],0x40
0045EA35 |. C645 EC 59 mov byte ptr ss:[ebp-0x14],0x59
0045EA39 |. C645 ED 2D mov byte ptr ss:[ebp-0x13],0x2D
0045EA3D |. C645 EE 20 mov byte ptr ss:[ebp-0x12],0x20
0045EA41 |. C645 EF 41 mov byte ptr ss:[ebp-0x11],0x41
0045EA45 |. C645 F0 0F mov byte ptr ss:[ebp-0x10],0xF
0045EA49 |. C645 F1 22 mov byte ptr ss:[ebp-0xF],0x22
0045EA4D |. C645 F2 12 mov byte ptr ss:[ebp-0xE],0x12
0045EA51 |. C645 F3 10 mov byte ptr ss:[ebp-0xD],0x10
0045EA55 |. C645 F4 00 mov byte ptr ss:[ebp-0xC],0x0
0045EA59 |. C685 78FFFFFF>mov byte ptr ss:[ebp-0x88],0x7B
0045EA60 |. C685 79FFFFFF>mov byte ptr ss:[ebp-0x87],0x20
0045EA67 |. C685 7AFFFFFF>mov byte ptr ss:[ebp-0x86],0x12
0045EA6E |. C685 7BFFFFFF>mov byte ptr ss:[ebp-0x85],0x62
0045EA75 |. C685 7CFFFFFF>mov byte ptr ss:[ebp-0x84],0x77
0045EA7C |. C685 7DFFFFFF>mov byte ptr ss:[ebp-0x83],0x6C
0045EA83 |. C685 7EFFFFFF>mov byte ptr ss:[ebp-0x82],0x41
0045EA8A |. C685 7FFFFFFF>mov byte ptr ss:[ebp-0x81],0x29
0045EA91 |. C645 80 7C mov byte ptr ss:[ebp-0x80],0x7C
0045EA95 |. C645 81 50 mov byte ptr ss:[ebp-0x7F],0x50
0045EA99 |. C645 82 7D mov byte ptr ss:[ebp-0x7E],0x7D
0045EA9D |. C645 83 26 mov byte ptr ss:[ebp-0x7D],0x26
0045EAA1 |. C645 84 7C mov byte ptr ss:[ebp-0x7C],0x7C
0045EAA5 |. C645 85 6F mov byte ptr ss:[ebp-0x7B],0x6F
0045EAA9 |. C645 86 4A mov byte ptr ss:[ebp-0x7A],0x4A
0045EAAD |. C645 87 31 mov byte ptr ss:[ebp-0x79],0x31
0045EAB1 |. C645 88 53 mov byte ptr ss:[ebp-0x78],0x53
0045EAB5 |. C645 89 6C mov byte ptr ss:[ebp-0x77],0x6C
0045EAB9 |. C645 8A 5E mov byte ptr ss:[ebp-0x76],0x5E
0045EABD |. C645 8B 6C mov byte ptr ss:[ebp-0x75],0x6C
0045EAC1 |. C645 8C 54 mov byte ptr ss:[ebp-0x74],0x54
0045EAC5 |. C645 8D 06 mov byte ptr ss:[ebp-0x73],0x6
0045EAC9 |. C645 8E 60 mov byte ptr ss:[ebp-0x72],0x60
0045EACD |. C645 8F 53 mov byte ptr ss:[ebp-0x71],0x53
0045EAD1 |. C645 90 2C mov byte ptr ss:[ebp-0x70],0x2C
0045EAD5 |. C645 91 79 mov byte ptr ss:[ebp-0x6F],0x79
0045EAD9 |. C645 92 68 mov byte ptr ss:[ebp-0x6E],0x68
0045EADD |. C645 93 6E mov byte ptr ss:[ebp-0x6D],0x6E
0045EAE1 |. C645 94 20 mov byte ptr ss:[ebp-0x6C],0x20
0045EAE5 |. C645 95 5F mov byte ptr ss:[ebp-0x6B],0x5F
0045EAE9 |. C645 96 75 mov byte ptr ss:[ebp-0x6A],0x75
0045EAED |. C645 97 65 mov byte ptr ss:[ebp-0x69],0x65
0045EAF1 |. C645 98 63 mov byte ptr ss:[ebp-0x68],0x63
0045EAF5 |. C645 99 7B mov byte ptr ss:[ebp-0x67],0x7B
0045EAF9 |. C645 9A 7F mov byte ptr ss:[ebp-0x66],0x7F
0045EAFD |. C645 9B 77 mov byte ptr ss:[ebp-0x65],0x77
0045EB01 |. C645 9C 60 mov byte ptr ss:[ebp-0x64],0x60
0045EB05 |. C645 9D 30 mov byte ptr ss:[ebp-0x63],0x30
0045EB09 |. C645 9E 6B mov byte ptr ss:[ebp-0x62],0x6B
0045EB0D |. C645 9F 47 mov byte ptr ss:[ebp-0x61],0x47
0045EB11 |. C645 A0 5C mov byte ptr ss:[ebp-0x60],0x5C
0045EB15 |. C645 A1 1D mov byte ptr ss:[ebp-0x5F],0x1D
0045EB19 |. C645 A2 51 mov byte ptr ss:[ebp-0x5E],0x51
0045EB1D |. C645 A3 6B mov byte ptr ss:[ebp-0x5D],0x6B
0045EB21 |. C645 A4 5A mov byte ptr ss:[ebp-0x5C],0x5A
0045EB25 |. C645 A5 55 mov byte ptr ss:[ebp-0x5B],0x55
0045EB29 |. C645 A6 40 mov byte ptr ss:[ebp-0x5A],0x40
0045EB2D |. C645 A7 0C mov byte ptr ss:[ebp-0x59],0xC
0045EB31 |. C645 A8 2B mov byte ptr ss:[ebp-0x58],0x2B
0045EB35 |. C645 A9 4C mov byte ptr ss:[ebp-0x57],0x4C
0045EB39 |. C645 AA 56 mov byte ptr ss:[ebp-0x56],0x56
0045EB3D |. C645 AB 0D mov byte ptr ss:[ebp-0x55],0xD
0045EB41 |. C645 AC 72 mov byte ptr ss:[ebp-0x54],0x72
0045EB45 |. C645 AD 01 mov byte ptr ss:[ebp-0x53],0x1
0045EB49 |. C645 AE 75 mov byte ptr ss:[ebp-0x52],0x75
0045EB4D |. C645 AF 7E mov byte ptr ss:[ebp-0x51],0x7E
0045EB51 |. C645 B0 00 mov byte ptr ss:[ebp-0x50],0x0
写成c语言的话便是:
#include<stdio.h>
int main()
{
int ss[57]={0x12,0x40,0x62,0x5,0x2,0x4,0x6,0x3,0x6,0x30,0x31,0x41,0x20,0xc,0x30,0x41,0x1f,0x4e,0x3e,0x20,0x31,0x20,0x1,0x39,0x60,0x3,0x15,0x9,0x4,0x3e,0x3,0x5,0x4,0x1,0x2,0x3,0x2c,0x41,0x4e,0x20,0x10,0x61,0x36,0x10,0x2c,0x34,0x20,0x40,0x59,0x2d,0x20,0x41,0xf,0x22,0x12,0x10,0x0};
int s[57]= {0x7b,0x20,0x12,0x62,0x77,0x6c,0x41,0x29,0x7c,0x51,0x7d,0x26,0x7c,0x6f,0x4a,0x31,0x53,0x6c,0x5e,0x6c,0x54,0x6,0x60,0x53,0x2c,0x79,0x68,0x6e,0x20,0x5f,0x75,0x65,0x63,0x7b,0x7f,0x77,0x60,0x30,0x6b,0x47,0x5c,0x1d,0x51,0x6b,0x5a,0x55,0x40,0xc,0x2b,0x4c,0x56,0xd,0x72,0x1,0x75,0x7e,0x0};
int *p[56],*pp[56];
int i;
int a,b;
for(i=0;i<=55;i++)
{
p[i]=&ss[i];
pp[i]=&s[i];
}
for(i=0;i<=55;i++)
{
a= *p[i] ^ *pp[i];
b=a^0x13;
printf("%c",b);
}
return 0;
}
总结:在重新写了之后发现过程真的很简单,但耗时却很久。关键还是在逆向这一方面没有一些特定的思维方式,简单的来说没有明白编写这个程序的人是想叫我们干什么,而我们需要做的事情有哪些。作为一个新人,在有些地方浪费了太多的时间,有一段甚至还在观察这段题目的意思。
在其中出现的错误,一些很基本的概念也出差这是很不应该的,就像成为作家的人却一直在写错别字。
(ps:当然也可以使用ida进行反编译,查看伪代码,但个人觉得很麻烦,要是想写源代码的话可以试试。源代码以后再附上~)
下面附上我出错的地方****号后是改正之后:
