本文介绍buu逆向题“刮开有奖”的分析过程。
首先查壳
拖到ida找到主函数
进入DialogFunc函数得到
// Dialog procedure of the challenge binary, as decompiled by IDA.
// It reads the text of control 1000 when control 1001 is activated, requires
// it to be exactly 8 characters, and shows the success box only if all six
// conditions further down hold.
// a2 is the window message, a3 its wParam; a4 (lParam) is not used.
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  const char *v4; // esi
  const char *v5; // edi
  // Per the stack offsets IDA prints, v7[0], v7[1], v8 ... v16 are eleven
  // consecutive 4-byte slots (esp+8h .. esp+30h). v7 occupies slots 0 and 1,
  // so v8 is slot 2, v10 is slot 4, v13 is slot 7 and v16 is slot 10.
  int v7[2]; // [esp+8h] [ebp-20030h] BYREF
  int v8; // [esp+10h] [ebp-20028h]
  int v9; // [esp+14h] [ebp-20024h]
  int v10; // [esp+18h] [ebp-20020h]
  int v11; // [esp+1Ch] [ebp-2001Ch]
  int v12; // [esp+20h] [ebp-20018h]
  int v13; // [esp+24h] [ebp-20014h]
  int v14; // [esp+28h] [ebp-20010h]
  int v15; // [esp+2Ch] [ebp-2000Ch]
  int v16; // [esp+30h] [ebp-20008h]
  CHAR String[65536]; // [esp+34h] [ebp-20004h] BYREF
  char v18[65536]; // [esp+10034h] [ebp-10004h] BYREF

  // Everything above is variable declarations.
  // 272 == 0x110 (WM_INITDIALOG): nothing to set up, report the message as handled.
  if ( a2 == 272 )
    return 1;
  // Anything other than 273 == 0x111 (WM_COMMAND) is left unhandled.
  if ( a2 != 273 )
    return 0;
  // Low word of wParam is the identifier of the control that sent the command.
  if ( (_WORD)a3 == 1001 )
  {
    memset(String, 0, 0xFFFFu); // zero the input buffer (all but its last byte)
    GetDlgItemTextA(hDlg, 1000, String, 0xFFFF); // copy the text of control 1000 into String
    if ( strlen(String) == 8 )
    {
      v7[0] = 90;
      v7[1] = 74;
      v8 = 83;
      v9 = 69;
      v10 = 67;
      v11 = 97;
      v12 = 78;
      v13 = 72;
      v14 = 51;
      v15 = 110;
      v16 = 103;
      // The assignments above fill the eleven slots with constants.
      // sub_4010F0 is called with the address of slot 0 and the bounds 0..10,
      // so it works on all eleven slots as one array and rewrites them in
      // place. The comparisons below therefore read the values left behind
      // by this call, not the constants assigned above.
      sub_4010F0(v7, 0, 10);
      // v18 is cleared, then loaded with input characters 5, 6, 7 in order.
      memset(v18, 0, 0xFFFFu);
      v18[0] = String[5];
      v18[2] = String[7];
      v18[1] = String[6];
      // sub_401000 is not part of this listing; the write-up identifies it as
      // a Base64 encoder from its lookup table byte_407830.
      v4 = (const char *)sub_401000(v18, strlen(v18));
      // Same again for input characters 2, 3, 4.
      memset(v18, 0, 0xFFFFu);
      v18[1] = String[3];
      v18[0] = String[2];
      v18[2] = String[4];
      v5 = (const char *)sub_401000(v18, strlen(v18));
      // Characters 0..3 are tied to the reordered slots 0, 4, 2 and 7;
      // characters 5..7 and 2..4 must transform to "ak1w" and "V1Ax".
      // String[3] / 4 is an integer division, so that line on its own accepts
      // four adjacent character values; the "V1Ax" comparison covers the same
      // character again.
      if ( String[0] == v7[0] + 34
        && String[1] == v10
        && 4 * String[2] - 141 == 3 * v8
        && String[3] / 4 == 2 * (v13 / 9)
        && !strcmp(v4, "ak1w")
        && !strcmp(v5, "V1Ax") )
      {
        MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);
      }
    }
    return 0;
  }
  // Identifiers 1 and 2 (IDOK / IDCANCEL) close the dialog; others are ignored.
  if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
    return 0;
  EndDialog(hDlg, (unsigned __int16)a3);
  return 1;
}
下面是sub_4010F0的代码
sub_4010F0(v7, 0, 10)
// sub_4010F0 as decompiled by IDA: rearranges, in place, the 32-bit integers
// stored at a1 + 4*a2 .. a1 + 4*a3 (inclusive), then returns a3.
// a1 is the base ADDRESS of the array held in an int; every element access is
// written as *(_DWORD *)(a1 + 4 * index).
// The loop has the shape of a partition-and-recurse sort (pivot = first
// element of the range): smaller values are moved to the left of the pivot
// and the left part is handled by the recursive call.
int __cdecl sub_4010F0(int a1, int a2, int a3)
{
  int result; int i; int v5; int v6;

  result = a3;                            // right cursor (an element index)
  for ( i = a2; i <= a3; a2 = i )         // i is the left cursor; a2 follows it after each pass
  {
    // v5 is a BYTE offset here (4 * i), not an element index: it is only ever
    // used as v5 + a1. When this listing is rewritten with a1[...] indexing,
    // both assignments to v5 have to lose the factor 4.
    v5 = 4 * i;
    v6 = *(_DWORD *)(4 * i + a1);         // pivot value for this pass
    if ( a2 < result && i < result )
    {
      do
      {
        if ( v6 > *(_DWORD *)(a1 + 4 * result) )
        {
          if ( i >= result )
            break;
          ++i;
          // Move the smaller right-hand element into the slot v5 refers to.
          *(_DWORD *)(v5 + a1) = *(_DWORD *)(a1 + 4 * result);
          if ( i >= result )
            break;
          // Advance the left cursor past elements that are <= pivot.
          while ( *(_DWORD *)(a1 + 4 * i) <= v6 )
          {
            if ( ++i >= result )
              goto LABEL_13;
          }
          if ( i >= result )
            break;
          v5 = 4 * i;                     // byte offset again, see the note above
          // Move the larger left-hand element into the slot just vacated on the right.
          *(_DWORD *)(a1 + 4 * result) = *(_DWORD *)(4 * i + a1);
        }
        --result;
      }
      while ( i < result );
    }
LABEL_13:
    *(_DWORD *)(a1 + 4 * result) = v6;    // drop the pivot where the cursors met
    sub_4010F0(a1, a2, i - 1);            // recurse on the part left of the pivot
    result = a3;                          // reset the right cursor for the remaining part
    ++i;
  }
  return result;
}
复制粘贴进行修改后可以得到c代码
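/*
 * Array-indexed rebuild of the decompiled sub_4010F0.
 *
 * Sorts a1[a2] .. a1[a3] (both bounds inclusive) into ascending order in
 * place and returns a3. Local names are kept as IDA printed them so the code
 * can be compared with the decompiler listing line by line.
 *
 * Conversion note: in the decompiler output v5 is a byte offset (4 * i) that
 * is added to the base address. Once the accesses are written as a1[v5], v5
 * must be an element index, so BOTH assignments become `v5 = i`. Leaving the
 * second one as `4 * i` makes the next a1[v5] store use an index four times
 * too large, which lands outside an 11-element array and produces results
 * that differ from what the binary computes.
 *
 * __cdecl is omitted: it is the default calling convention and is not
 * recognised by compilers on non-Windows targets.
 */
int sub_4010F0(int a1[], int a2, int a3)
{
    int result = a3; /* right cursor; reset to a3 after every pass */
    int i;           /* left cursor */
    int v5;          /* index of the slot that receives the next moved element */
    int v6;          /* pivot value of the current pass */

    for (i = a2; i <= a3; a2 = i) {
        v5 = i;
        v6 = a1[i];
        if (a2 < result && i < result) {
            do {
                if (v6 > a1[result]) {
                    if (i >= result)
                        break;
                    ++i;
                    a1[v5] = a1[result]; /* smaller element goes to the left slot */
                    if (i >= result)
                        break;
                    /* skip left-hand elements that already belong left of the pivot */
                    while (a1[i] <= v6) {
                        if (++i >= result)
                            goto LABEL_13;
                    }
                    if (i >= result)
                        break;
                    v5 = i;              /* element index, not 4 * i */
                    a1[result] = a1[i];  /* larger element goes to the right slot */
                }
                --result;
            } while (i < result);
        }
LABEL_13:
        a1[result] = v6;            /* pivot lands where the cursors met */
        sub_4010F0(a1, a2, i - 1);  /* sort the part left of the pivot */
        result = a3;
        ++i;
    }
    return result;
}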
然后写个主程序跑一下
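// Driver: runs sub_4010F0 over the eleven constants that DialogFunc stores in
// v7[0], v7[1], v8 ... v16 and prints every slot under the name IDA gives it,
// followed by the value as a character and as a number.
int main()
{
    // Initial values copied from the decompiled DialogFunc, in stack order.
    int a[11] = {90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103};

    // v7 is a two-element array, so slots 0 and 1 both belong to it and v8 is
    // slot 2. Labelling slot i as "i + 7" would shift every name from v8
    // onwards by one, so the names are spelled out instead.
    static const char *const names[11] = {
        "v7[0]", "v7[1]", "v8", "v9", "v10", "v11",
        "v12", "v13", "v14", "v15", "v16"
    };

    std::cout << "sub_4010F0" << std::endl;
    sub_4010F0(a, 0, 10);
    for (int i = 0; i < 11; i++) {
        std::cout << names[i] << " " << char(a[i]) << " " << int(a[i]) << std::endl;
    }
    return 0;
}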
数组里的数值就是从ida里取出来的
运行结果
对应一下ida里的变量就是
经过了sub_4010F0,跟进sub_401000继续往下看
在sub_401000里发现byte_407830
查看byte_407830发现里面存放的是
此处可证明是base64编码
回到主程序对这俩base64解码
得到
v4=jMp
v5=WP1
最后计算这几位
前面已经得到了
String[0]=51+34=85变成字符后就是U
String[1]=78变成字符后就是N
String[2]=(3*83+141)/4=97变成字符后就是a
String[3]=(90/9)*2*4=80变成字符后就是P
连起来就是UNaP
我知道和别人的wp不一样,但这个锅我不背
别人的ida
我的ida
ida显示的也和别人的不一样
这个锅ida背!