-
-
题目为breakpoint的elf逆向问题
-
发表于:
2015-2-11 03:05
6613
-
小生找的一道小练习题。题目为breakpoint的crack题,需要得到正确的flag,flag格式为:wctf{}
文件链接:http://pan.baidu.com/s/1pJyUYEZ
说说小生遇到的问题,程序执行流程还是很简单的,一个while循环+一系列的判断跳转
f4成c代码(不完全,一些变量声明未写上):
printf("%s\nPlease input your flag:", g8049900);
__isoc99_scanf("%s", 0x8049908);
ebx1 = g8049900;
eax2 = (uint32_t)ebx1 - (uint32_t)sub_80483B0;
if ((uint32_t)ebx1 > (uint32_t)sub_80483B0) {
edx3 = (signed char*)sub_80483B0;
do {
++edx3;
eax2 = eax2 << 5 ^ (uint32_t)((int32_t)eax2 >> 27) ^ (uint32_t)(unsigned char)*edx3;
} while (edx3 != ebx1);
}
edx4 = eax2;
v5 = eax2;
if ((*(unsigned char*)&edx4 ^ g8049908) != g80498f0 || ((edx6 = (uint32_t)(unsigned char)*((signed char*)&v5 + 1), ecx7 = edx6, (*(unsigned char*)&ecx7 ^ g8049909) != g80498f1) || ((ecx8 = (uint32_t)(unsigned char)*((signed char*)&v5 + 2), ebx9 = ecx8, (*(unsigned char*)&ebx9 ^ g804990a) != g80498f2) || ((edi10 = (uint32_t)(unsigned char)*((signed char*)&v5 + 3), ebx11 = (uint32_t)(unsigned char)g804990b ^ edi10, *(signed char*)&ebx11 != g80498f3) || ((ebx12 = (uint32_t)(unsigned char)g804990c ^ eax2, *(signed char*)&ebx12 != g80498f4) || ((ebx13 = (uint32_t)(unsigned char)g804990d ^ edx6, *(signed char*)&ebx13 != g80498f5) || ((ebx14 = (uint32_t)(unsigned char)g804990e ^ ecx8, *(signed char*)&ebx14 != g80498f6) || ((ebx15 = (uint32_t)(unsigned char)g804990f ^ edi10, *(signed char*)&ebx15 != g80498f7) || ((ebx16 = (uint32_t)(unsigned char)g8049910 ^ eax2, *(signed char*)&ebx16 != g80498f8) || ((ebx17 = (uint32_t)(unsigned char)g8049911 ^ edx6, *(signed char*)&ebx17 != g80498f9) || ((ebx18 = (uint32_t)(unsigned char)g8049912 ^ ecx8, *(signed char*)&ebx18 != g80498fa) || ((ebx19 = (uint32_t)(unsigned char)g8049913 ^ edi10, *(signed char*)&ebx19 != g80498fb) || ((eax20 = eax2 ^ g8049914, *(signed char*)&eax20 != g80498fc) || ((*(unsigned char*)&edx6 ^ *((unsigned char*)&g8049914 + 1)) != g80498fd || ((*(unsigned char*)&ecx8 ^ *((unsigned char*)&g8049914 + 2)) != g80498fe || (ebx21 = edi10, (*(unsigned char*)&ebx21 ^ *((unsigned char*)&g8049914 + 3)) != g80498ff)))))))))))))))) {
puts("You are wrong", 0x8049908);
} else {
puts("You are right", 0x8049908);
}
while循环中的反汇编代码:
根据opcode循环计算,结果保存在eax中,下面就是一系列的比较跳转。按我的理解可能是应该在循环结束出下断,根据得到的eax值,再往下推出flag,毕竟我的理解eax应该是个固定的值,但比较奇怪的是,调试发现eax的值并不是固定的。
我想换个角度入手,从惯性答案的格式wctf{}入手,先倒退出正确的eax结果,再推flag,但还是失败了。
小生问两个问题:
1. 下断eax值为什么总是会变呢?
2. 大大指点pass这题:)
谢谢
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!