测试文件:https://www.lanzous.com/ib50fkb
文件分析
IDA打开后，在Function Window里面找到ques()函数，它就是输出flag的函数。从反编译结果看，ques()不接收任何参数、也不读取任何全局状态，只依赖自身的局部常量，因此可以在调试器中（例如在main处断下后）直接把EIP改到ques函数的入口(0x00401520)让它执行并输出flag。注意0x00401520是IDA按程序默认加载基址给出的地址，若进程实际加载基址不同（被重定位/开启ASLR），应以调试器中看到的实际地址为准。另外，ques()并不是直接打印flag字符串，而是按位打印5行字符画（比特为1打`*`，为0打空格，每5列加一个分隔空格），flag需要从这幅字符画中读出。
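/*
 * ques - print the flag as a five-row ASCII-art banner on stdout.
 *
 * Clean-room rewrite of the IDA decompilation of ques() (0x00401520).
 * Each row is one 64-bit constant that the binary keeps as a low/high
 * pair of 32-bit values; the row is rendered from bit 49 down to bit 0,
 * '*' for a 1 bit and ' ' for a 0 bit, with a separator space after
 * every five columns, then a newline. All five high halves are below
 * 2^18, so every row fits in 50 bits and bit 49 is the leftmost column.
 *
 * Fixes relative to the decompiled listing:
 *  - The original walks j from 50 down to 0 over a 50-element bit
 *    array, so v2[50] is an out-of-bounds read (undefined behaviour in
 *    C). Per IDA's stack offsets (v2 at ebp-128h, v3 at ebp-60h) that
 *    slot overlays the first constant, which is never 0 or 1, so
 *    nothing is printed for it -- but the "every fifth column" check
 *    still fires on the fresh counter (0 % 5 == 0) and emits a leading
 *    space. That leading space is reproduced explicitly below so the
 *    output is byte-identical to what the binary prints.
 *  - The sign-folded abs/modulo expression the compiler emitted for
 *    `v14 % 2` reduces to the low bit for the positive values involved;
 *    bits are read by shifting instead of through a digit buffer, which
 *    also removes the memset and the fixed-size buffer.
 *  - No IDA-only macros (LODWORD/HIDWORD/SHIDWORD/_DWORD), so this
 *    compiles with a plain C toolchain.
 *
 * Takes no parameters and has no inputs; writes only to stdout.
 * Returns the value of the final putchar('\n') (10 on success, EOF on a
 * stream error), matching the original's return of its last putchar.
 */
int ques(void)
{
    /* Low and high 32-bit halves of each row, exactly as the binary
     * stores them (the low halves are signed in the decompilation). */
    static const int row_lo[5] = {
        2147122737, -2008399303, 139457077, -2008923597, 2118271985
    };
    static const int row_hi[5] = {
        140540, 141956, 262023, 143749, 143868
    };
    enum { ROWS = 5, COLS = 50, GROUP = 5 };
    int result = 0;
    int i;

    for (i = 0; i < ROWS; ++i) {
        /* Reassemble the 64-bit row value; go through unsigned int so a
         * negative low half contributes its raw bit pattern, not a
         * sign-extended one. */
        unsigned long long bits =
            ((unsigned long long)(unsigned int)row_hi[i] << 32) |
            (unsigned int)row_lo[i];
        int col;

        /* Leading separator produced by the original's j == 50 slot
         * (see header comment). */
        putchar(' ');
        for (col = 0; col < COLS; ++col) {
            /* Column 0 is bit 49, column 49 is bit 0. */
            int bit = (int)((bits >> (COLS - 1 - col)) & 1u);
            putchar(bit ? '*' : ' ');
            /* Group separator after every fifth column. */
            if ((col + 1) % GROUP == 0)
                putchar(' ');
        }
        result = putchar('\n');
    }
    return result;
}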
get flag!
flag{HACKIT4FUN}