1. sn输入(g_buf)
二进制像是经过 OLLVM 混淆处理的, 因此不逐条看控制流, 直接跳到提示字符串被引用的地方
; Stage 1: print the banner, then read the serial into g_buf.
; Arguments are stored at [esp], [esp+4], [esp+8] and popped by the caller (add esp after each call).
.text:0040BFF3 lea eax, a2018D0D ; "看雪2018国庆题:叹息之墙\n\n正确的序列号由不超过%d整数构成,每个整数"...
...
.text:0040C039 sub esp, 0Ch
.text:0040C03C mov [esp], eax                 ; arg0: banner format string
.text:0040C03F mov dword ptr [esp+4], 9       ; arg1: first %d = 9, the maximum number of integers per the banner text
.text:0040C047 mov dword ptr [esp+8], 15Fh    ; arg2: second %d = 0x15F (351); presumably the per-integer upper bound -- banner text is truncated here, confirm
...
.text:0040C061 call x_printf
.text:0040C066 add esp, 0Ch
.text:0040C069 lea ecx, aXX0x1x23x45x67 ; "请按照顺序输入数字,用字符'x'隔开,用字符'X'结尾\n例如:0x1x23x"...
.text:0040C06F sub esp, 4
.text:0040C072 mov [esp], ecx                 ; arg0: input-format hint ('x' separator, 'X' terminator)
...
.text:0040C07B call x_printf
.text:0040C080 add esp, 4
.text:0040C083 lea ecx, a1000s ; "%1000s"
.text:0040C089 lea edx, g_buf
.text:0040C08F mov edi, 400h                  ; edi = 0x400; not consumed anywhere in this excerpt
.text:0040C094 sub esp, 0Ch
.text:0040C097 mov [esp], ecx                 ; arg0: "%1000s" -- field width caps the store at 1000 chars + NUL
.text:0040C09A mov [esp+4], edx               ; arg1: g_buf, destination
.text:0040C09E mov dword ptr [esp+8], 400h    ; arg2: 0x400 (1024); looks like a scanf_s-style destination size -- TODO confirm it equals sizeof(g_buf)
...
.text:0040C0B2 call x_scanf                   ; bounded read: at most 1001 bytes land in a (presumably) 1024-byte g_buf
.text:0040C0B7 add esp, 0Ch
..
.text:0040C0CE lea eax, g_buf
.text:0040C0D4 mov g_pbuf, eax                ; g_pbuf = &g_buf; presumably the cursor the later vsscanf-based parser advances (the stack dumps below show it moving from 004A0624 to 004A0626)
; Stage 1: print the banner, then read the serial into g_buf.
; Arguments are stored at [esp], [esp+4], [esp+8] and popped by the caller (add esp after each call).
.text:0040BFF3 lea eax, a2018D0D ; "看雪2018国庆题:叹息之墙\n\n正确的序列号由不超过%d整数构成,每个整数"...
...
.text:0040C039 sub esp, 0Ch
.text:0040C03C mov [esp], eax                 ; arg0: banner format string
.text:0040C03F mov dword ptr [esp+4], 9       ; arg1: first %d = 9, the maximum number of integers per the banner text
.text:0040C047 mov dword ptr [esp+8], 15Fh    ; arg2: second %d = 0x15F (351); presumably the per-integer upper bound -- banner text is truncated here, confirm
...
.text:0040C061 call x_printf
.text:0040C066 add esp, 0Ch
.text:0040C069 lea ecx, aXX0x1x23x45x67 ; "请按照顺序输入数字,用字符'x'隔开,用字符'X'结尾\n例如:0x1x23x"...
.text:0040C06F sub esp, 4
.text:0040C072 mov [esp], ecx                 ; arg0: input-format hint ('x' separator, 'X' terminator)
...
.text:0040C07B call x_printf
.text:0040C080 add esp, 4
.text:0040C083 lea ecx, a1000s ; "%1000s"
.text:0040C089 lea edx, g_buf
.text:0040C08F mov edi, 400h                  ; edi = 0x400; not consumed anywhere in this excerpt
.text:0040C094 sub esp, 0Ch
.text:0040C097 mov [esp], ecx                 ; arg0: "%1000s" -- field width caps the store at 1000 chars + NUL
.text:0040C09A mov [esp+4], edx               ; arg1: g_buf, destination
.text:0040C09E mov dword ptr [esp+8], 400h    ; arg2: 0x400 (1024); looks like a scanf_s-style destination size -- TODO confirm it equals sizeof(g_buf)
...
.text:0040C0B2 call x_scanf                   ; bounded read: at most 1001 bytes land in a (presumably) 1024-byte g_buf
.text:0040C0B7 add esp, 0Ch
..
.text:0040C0CE lea eax, g_buf
.text:0040C0D4 mov g_pbuf, eax                ; g_pbuf = &g_buf; presumably the cursor the later vsscanf-based parser advances (the stack dumps below show it moving from 004A0624 to 004A0626)
2. 提取sn中的整数到g_ints[]
输入sn: 11x22x33x44X
因为二进制加了混淆, 看汇编的话太费时,
直接在 stdio_common_vsscanf 处下断点, 从调用参数观察它每次使用的读取格式
.text:0048A594 ___stdio_common_vsscanf proc near
.text:0048A594 ___stdio_common_vsscanf proc near
断下时的堆栈1
0018C37C 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf>
0018C380 00000003
0018C384 00000000
0018C388 004A0624 ASCII "11x22x33x44X" g_buf
0018C38C FFFFFFFF
0018C390 00498207 ASCII "%d%n"
0018C394 00000000
0018C398 0018CEA4 va_list
...
0018CEA4 0049FE40 offset <1_nopie.g_ints>
0018CEA8 0018CEAC
0018C37C 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf>
0018C380 00000003
0018C384 00000000
0018C388 004A0624 ASCII "11x22x33x44X" g_buf
0018C38C FFFFFFFF
0018C390 00498207 ASCII "%d%n"
0018C394 00000000
0018C398 0018CEA4 va_list
...
0018CEA4 0049FE40 offset <1_nopie.g_ints>
0018CEA8 0018CEAC
第二次断下时的堆栈2
0018C380 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf>
0018C384 00000003
0018C388 00000000
0018C38C 004A0626 ASCII "x22x33x44X"
0018C390 FFFFFFFF
0018C394 0049820C ASCII "%c"
0018C398 00000000
0018C39C 0018CEA8
..
0018CEA8 0018CEBC 'x'
0018C380 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf>
0018C384 00000003
0018C388 00000000
0018C38C 004A0626 ASCII "x22x33x44X"
0018C390 FFFFFFFF
0018C394 0049820C ASCII "%c"
0018C398 00000000
0018C39C 0018CEA8
..
0018CEA8 0018CEBC 'x'
使用内存访问断点跟踪对0018CEBC的访问
; Stage 2 (separator handling): the byte that vsscanf stored via "%c" (watched at 0018CEBC) is
; saved into the parser state and later compared with the delimiters announced in the banner.
.text:00413644 movzx ebx, byte ptr [ebx]     ; ebx = zero-extended separator byte
.text:00413647 mov [esi+3040h], ebx          ; save it at state+0x3040 (esi presumably points at a parser context block -- confirm)
...
.text:0041450C mov edx, [esi+3040h]
.text:00414512 cmp edx, 'x'                  ; 'x' = separator between integers
...
.text:0041452D mov edx, [esi+3040h]
.text:00414533 cmp edx, 'x'                  ; same test again on another (obfuscated) path; which branch each compare feeds is not shown here
...
.text:0041454E mov edx, [esi+3040h]
.text:00414554 cmp edx, 'X'                  ; 'X' = end-of-sequence terminator
; Stage 2 (separator handling): the byte that vsscanf stored via "%c" (watched at 0018CEBC) is
; saved into the parser state and later compared with the delimiters announced in the banner.
.text:00413644 movzx ebx, byte ptr [ebx]     ; ebx = zero-extended separator byte
.text:00413647 mov [esi+3040h], ebx          ; save it at state+0x3040 (esi presumably points at a parser context block -- confirm)
...
.text:0041450C mov edx, [esi+3040h]
.text:00414512 cmp edx, 'x'                  ; 'x' = separator between integers
...
.text:0041452D mov edx, [esi+3040h]
.text:00414533 cmp edx, 'x'                  ; same test again on another (obfuscated) path; which branch each compare feeds is not shown here
...
.text:0041454E mov edx, [esi+3040h]
.text:00414554 cmp edx, 'X'                  ; 'X' = end-of-sequence terminator
3. 格式化g_ints[]到g_formatted_buf
查找g_ints的引用, 定位到格式化的地方
g_formatted_buf = fmt("%d", g_ints[0]) + fmt("x%d", g_ints[1:]) + "X"
; Stage 3: re-serialise the parsed integers into g_formatted_buf through three x_snprintf sites:
; "%d" for the first value, "x%d" for each following value, then a trailing "X".
.text:0042E1D3 lea eax, aD ; "%d"
.text:0042E1D9 lea ecx, g_formatted_buf       ; destination base; the integer argument (g_ints[0] per the author's reconstruction) is set up in the elided lines
...
.text:0042E2B4 call x_snprintf
.text:0042E9CA lea eax, aXD ; "x%d"
.text:0042E9D0 lea ecx, g_formatted_buf       ; following values, presumably written at an advancing offset computed in the elided lines (loop not shown)
...
.text:0042EAC7 call x_snprintf
.text:00432A70 lea eax, asc_498216 ; "X"
.text:00432A76 lea ecx, g_formatted_buf       ; final terminator
...
.text:00432B8D call x_snprintf                ; the size argument passed to each x_snprintf is not visible here -- TODO confirm it bounds writes to g_formatted_buf
g_formatted_buf = fmt("%d", g_ints[0]) + fmt("x%d", g_ints[1:]) + "X"
; Stage 3: re-serialise the parsed integers into g_formatted_buf through three x_snprintf sites:
; "%d" for the first value, "x%d" for each following value, then a trailing "X".
.text:0042E1D3 lea eax, aD ; "%d"
.text:0042E1D9 lea ecx, g_formatted_buf       ; destination base; the integer argument (g_ints[0] per the author's reconstruction) is set up in the elided lines
...
.text:0042E2B4 call x_snprintf
.text:0042E9CA lea eax, aXD ; "x%d"
.text:0042E9D0 lea ecx, g_formatted_buf       ; following values, presumably written at an advancing offset computed in the elided lines (loop not shown)
...
.text:0042EAC7 call x_snprintf
.text:00432A70 lea eax, asc_498216 ; "X"
.text:00432A76 lea ecx, g_formatted_buf       ; final terminator
...
.text:00432B8D call x_snprintf                ; the size argument passed to each x_snprintf is not visible here -- TODO confirm it bounds writes to g_formatted_buf
4. 验证sn格式是否正确
; Stage 4: format check = strcmp(g_formatted_buf, g_buf).
; Only input that survives parse + re-format byte-for-byte is accepted.
.text:00432BCF sub esp, 8
...
.text:00432BD8 mov eax, esp
.text:00432BDA mov dword ptr [eax+4], offset g_buf            ; arg1: the raw user input
.text:00432BE1 mov dword ptr [eax], offset g_formatted_buf    ; arg0: the canonical re-serialisation
...
.text:00432BFF call _strcmp
.text:00432C04 add esp, 8
.text:00432C07 cmp eax, 0                                     ; eax == 0 -> identical; input that does not round-trip (e.g. leading zeros, stray characters) presumably fails here -- branch not shown
; Stage 4: format check = strcmp(g_formatted_buf, g_buf).
; Only input that survives parse + re-format byte-for-byte is accepted.
.text:00432BCF sub esp, 8
...
.text:00432BD8 mov eax, esp
.text:00432BDA mov dword ptr [eax+4], offset g_buf            ; arg1: the raw user input
.text:00432BE1 mov dword ptr [eax], offset g_formatted_buf    ; arg0: the canonical re-serialisation
...
.text:00432BFF call _strcmp
.text:00432C04 add esp, 8
.text:00432C07 cmp eax, 0                                     ; eax == 0 -> identical; input that does not round-trip (e.g. leading zeros, stray characters) presumably fails here -- branch not shown
5. 验证sn中的整数是否从小到大排列
; Stage 5: ordering check, adjacent elements of g_ints.
.text:0044028D mov ebx, g_ints[ebx*4]          ; ebx = g_ints[i]   (ebx presumably holds the index i before the load)
...
.text:004402F1 add eax, 1                      ; eax = i + 1 (assuming eax was i; the elided lines are not shown)
...
.text:00440326 cmp ebx, g_ints[eax*4]          ; g_ints[i] vs g_ints[i+1]
.text:0044032D setnl dh                        ; dh = (g_ints[i] >= g_ints[i+1]) as a SIGNED compare; how dh is consumed (pass/fail polarity) is outside this excerpt
; Stage 5: ordering check, adjacent elements of g_ints.
.text:0044028D mov ebx, g_ints[ebx*4]          ; ebx = g_ints[i]   (ebx presumably holds the index i before the load)
...
.text:004402F1 add eax, 1                      ; eax = i + 1 (assuming eax was i; the elided lines are not shown)
...
.text:00440326 cmp ebx, g_ints[eax*4]          ; g_ints[i] vs g_ints[i+1]
.text:0044032D setnl dh                        ; dh = (g_ints[i] >= g_ints[i+1]) as a SIGNED compare; how dh is consumed (pass/fail polarity) is outside this excerpt
6. 计算sum(g_data_table[g_ints[n]])
在结果处下内存访问断点
; Stage 6: *(uint64 *)[esi+0x3024] += (uint32)g_data_table[g_ints[i]]
; The 32-bit table value is added into a 64-bit accumulator with add/adc (carry propagated, high part zero-extended).
.text:0044C19D mov eax, g_ints[eax*4]           ; eax = g_ints[i]
.text:0044C1A4 mov eax, g_data_table[eax*4]     ; eax = g_data_table[eax]; no range check on the index is visible in this excerpt -- TODO confirm the bound printed in the banner (second %d, 0x15F) is enforced before this point
.text:0044C1AB mov ecx, [esi+3024h]             ; ecx = pointer to the 64-bit accumulator
.text:0044C1B1 mov edx, [ecx]                   ; edx = low dword of sum
.text:0044C1B3 mov ecx, [ecx+4]                 ; ecx = high dword of sum
.text:0044C1B6 add edx, eax                     ; low += value
.text:0044C1B8 adc ecx, 0                       ; carry into high dword
.text:0044C1BB mov eax, [esi+3024h]
.text:0044C1C1 mov [eax], edx                   ; write back low
.text:0044C1C3 mov [eax+4], ecx                 ; write back high
; Stage 6: *(uint64 *)[esi+0x3024] += (uint32)g_data_table[g_ints[i]]
; The 32-bit table value is added into a 64-bit accumulator with add/adc (carry propagated, high part zero-extended).
.text:0044C19D mov eax, g_ints[eax*4]           ; eax = g_ints[i]
.text:0044C1A4 mov eax, g_data_table[eax*4]     ; eax = g_data_table[eax]; no range check on the index is visible in this excerpt -- TODO confirm the bound printed in the banner (second %d, 0x15F) is enforced before this point
.text:0044C1AB mov ecx, [esi+3024h]             ; ecx = pointer to the 64-bit accumulator
.text:0044C1B1 mov edx, [ecx]                   ; edx = low dword of sum
.text:0044C1B3 mov ecx, [ecx+4]                 ; ecx = high dword of sum
.text:0044C1B6 add edx, eax                     ; low += value
.text:0044C1B8 adc ecx, 0                       ; carry into high dword
.text:0044C1BB mov eax, [esi+3024h]
.text:0044C1C1 mov [eax], edx                   ; write back low
.text:0044C1C3 mov [eax+4], ecx                 ; write back high
7. 验证 0x65757832 ^ sum % 0xFFA1CF8F == 0x6E616B34 (这里的 ^ 表示幂运算, 对应下面的 x_powmod 调用, 不是异或)
; Stage 7: x_powmod is called with two 64-bit arguments built on the stack: the constant 0x65757832
; (the bytes "2xue" of "2xue4kan", little-endian) and the 64-bit sum from stage 6. The return value
; is then compared with 0x6E616B34 (the bytes "4kan"). Cut off after the compare; the branch is not shown.
.text:0044D176 mov ecx, [eax]                 ; ecx = low dword of sum
.text:0044D178 mov eax, [eax+4]               ; eax = high dword of sum
.text:0044D17B xor edx, edx                   ; edx = 0 (high dword of the first argument)
.text:0044D17D mov edi, dword ptr a2xue4kan ; "2xue4kan"   ; edi = first 4 bytes "2xue" = 0x65757832
.text:0044D183 sub esp, 10h                   ; four dword slots = two 64-bit arguments
.text:0044D186 mov ebx, esp
.text:0044D188 mov [ebx+0Ch], eax             ; arg1.hi = sum.hi
.text:0044D18B mov [ebx+8], ecx               ; arg1.lo = sum.lo
.text:0044D18E mov [ebx+4], edx               ; arg0.hi = 0
.text:0044D191 mov [ebx], edi                 ; arg0.lo = 0x65757832
.text:0044D193 call x_powmod                  ; presumably powmod(0x65757832, sum); the modulus 0xFFA1CF8F named by the author is not passed here, so it is likely fixed inside x_powmod -- TODO confirm
.text:0044D198 add esp, 10h
.text:0044D19B mov ecx, 0B571D678h            ; role of these two constants is not visible in this excerpt
.text:0044D1A0 mov edx, 0E7210A91h
.text:0044D1A5 mov bl, 1
.text:0044D1A7 xor edi, edi
.text:0044D1A9 cmp eax, dword ptr a2xue4kan+4 ; "4kan"   ; low dword of the result vs 0x6E616B34; any high-dword compare is outside what is shown