​Newbie_calculations(等价替换)



程序一进来就在初始化一个数组:大小为 0x20*sizeof(DWORD) = 128 字节(32 个 DWORD),每个元素都填成 1;紧接着在偏移 128 处写了一个 0。

猜测这是一个以 0 结尾的“字符串”——后面的输出循环确实是按 %c 逐个打印这 32 个 DWORD。


​Newbie_calculations(等价替换)


在控制台输出了Your flag is:


​Newbie_calculations(等价替换)


接下来可以看到调用之后有 add esp,8,说明按 cdecl 压了两个 4 字节参数:一个是数组首地址,另一个是立即数 3B9ACA00h(= 1000000000,与后面反编译出的 sub_401100(v120, 1000000000) 一致)。


​Newbie_calculations(等价替换)


分析 MyMul 函数。进入函数先看到的是编译器自动插入的栈保护检查(stack cookie 一类),与题目逻辑无关,可以跳过。


​Newbie_calculations(等价替换)


然后就是初始化局部变量,可以看到每个基本块都给一个变量赋了初值:


var_14 = *arg_0;  var_C = arg_0;  var_10 = arg_4;  var_1C = -1;  var_8 = 0;  var_C = *arg_0 * arg_4


​Newbie_calculations(等价替换)


下面是一个 while 循环,循环条件是 arg_4 != 0(arg_4 == 0 时退出)。

循环里又初始化了一些变量;看完整个循环可以发现其中不少变量随后又被重新赋值,对结果没有影响,可以忽略。

主要看传入MyAdd函数的参数一个var8的地址和*arg0


​Newbie_calculations(等价替换)


MyAdd我们等下再观看,先看下后面的操作

由于 var_1C 的值是 FFFFFFFF,而后面的代码只用到了 arg_0:循环里对 arg_0 每次加 1,一共加 0xFFFFFFFF 次,按 32 位无符号回绕等价于 arg_0 - 1;而 loc_4011F6 到 loc_4011FB 又加了 1,所以最终值不变(这一步完全依赖 32 位回绕,本身没有任何计算意义)。随后把 var_8 的值写入 arg_0 指向的内存——arg_0 是指针,往它指向的空间里写值——返回值就是 arg_0 本身,也就是那个地址。所以真正需要看的还是 MyAdd 这个函数。


​Newbie_calculations(等价替换)


如果上面的分析不好理解,可以按 F5 看反编译结果:红框里的部分等价于什么都没做(-1 再 +1),唯一的作用就是靠循环 0xFFFFFFFF 次拖慢程序运行。


​Newbie_calculations(等价替换)


来到 MyAdd 函数,模式和 MyMul 差不多,不再展开;直接看主要部分,首先确定循环次数:


v18=0-arg4


​Newbie_calculations(等价替换)


循环体每次对 *arg_0 减 1,一共减 (0 - arg_4) 次,相当于减去一个负数,所以等价于:


*arg0=arg4+*arg0


​Newbie_calculations(等价替换)


再回到上一个函数 MyMul:传入的局部变量 var_8 初值是 0,循环执行 arg_4 次,每次 MyAdd 都把 *arg_0 累加进去:

第一次: 0+*arg0

第二次:0+*arg0 +*arg0

...

推导下去就是

*arg0 =arg4*(*arg0 )

不能理解就看下F5的图吧


​Newbie_calculations(等价替换)


减法函数(sub_401220)和加法函数结构一模一样,只是 add 换成了 sub,不再解释。


​Newbie_calculations(等价替换)


最后的解法:直接在三个函数内部修改汇编,把绕圈子的延时循环替换成单条对 [arg_0] 的 +、-、* 运算(例如一条 add / sub / imul),去掉延时后运行即可。


​Newbie_calculations(等价替换)


​Newbie_calculations(等价替换)


​Newbie_calculations(等价替换)


运行完就有答案了


​Newbie_calculations(等价替换)


另一种解法:把 IDA 反编译出来的 main 拷出来,三个 sub_ 函数改成直接的乘/加/减实现,本地编译运行即可:


#include "main.h"

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int *__cdecl sub_401100(int *a1, int a2)//a1 * a2{*a1 = *a1 * a2;return a1;}

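/*
 * Replacement for the binary's MyAdd (sub_401000): *a1 = *a1 + a2.
 *
 * The original decrements *a1 one at a time (0 - a2) times; this is the
 * same result without the delay.  The sum is formed in uint32_t so that
 * overflow wraps modulo 2^32 (defined) rather than being signed-overflow
 * UB, matching the target's DWORD arithmetic.  The unsigned->int
 * conversion is implementation-defined, wrapping on every mainstream
 * compiler.
 *
 * a1: pointer to the DWORD to update in place (must not be NULL).
 * a2: addend (may be negative).
 * Returns a1 so calls can be chained, as the decompiled main() does.
 * (__cdecl dropped: default convention on x86, not a keyword outside
 * MSVC / IDA's defs.h.)
 */
int *sub_401000(int *a1, int a2)
{
    uint32_t sum = (uint32_t)*a1 + (uint32_t)a2;
    *a1 = (int)sum;
    return a1;
}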

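/*
 * Replacement for the binary's subtract helper (sub_401220):
 * *a1 = *a1 - a2.
 *
 * Same structure as the add helper with the operation inverted.  The
 * difference is formed in uint32_t so that underflow wraps modulo 2^32
 * (defined) instead of being signed-overflow UB, matching the target's
 * DWORD arithmetic.  The unsigned->int conversion is
 * implementation-defined, wrapping on every mainstream compiler.
 *
 * a1: pointer to the DWORD to update in place (must not be NULL).
 * a2: subtrahend.
 * Returns a1 so calls can be chained, as the decompiled main() does.
 * (__cdecl dropped: default convention on x86, not a keyword outside
 * MSVC / IDA's defs.h.)
 */
int *sub_401220(int *a1, int a2)
{
    uint32_t diff = (uint32_t)*a1 - (uint32_t)a2;
    *a1 = (int)diff;
    return a1;
}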

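/* Number of DWORD cells the binary fills in (0x20 * sizeof(DWORD) bytes). */
enum { FLAG_LEN = 32 };

/*
 * Replay the binary's arithmetic on the 32 flag cells.
 *
 * Each helper returns its pointer argument, so the decompiler's chain of
 * eax temporaries (v3 .. v116) collapses to a run of calls on the same
 * cell; the operations and constants below are taken verbatim from the
 * decompiled main(), in the same order.  The original's snapshots of
 * v120[27] / v120[23] before the cell-28..30 steps are read directly at
 * the call site instead: those steps never write the cell being read, so
 * the value is the same.  Cells 26..31 depend on earlier cells, hence the
 * order matters.  The trailing comment on each group is the resulting
 * character, worked out from the constants.
 *
 * v: the FLAG_LEN cells, every one pre-set to 1 by the caller.
 */
static void build_flag(int v[FLAG_LEN])
{
    /* cell 0: 1e9 - 999999950 = 50, *2 = 100 -> 'd' */
    sub_401100(&v[0], 1000000000);
    sub_401220(&v[0], 999999950);
    sub_401100(&v[0], 2);

    /* cell 1: -> 97 'a' */
    sub_401000(&v[1], 5000000);
    sub_401220(&v[1], 6666666);
    sub_401000(&v[1], 1666666);
    sub_401000(&v[1], 45);
    sub_401100(&v[1], 2);
    sub_401000(&v[1], 5);

    /* cell 2: -> 102 'f' */
    sub_401100(&v[2], 1000000000);
    sub_401220(&v[2], 999999950);
    sub_401100(&v[2], 2);
    sub_401000(&v[2], 2);

    /* cell 3: -> 56 '8' */
    sub_401000(&v[3], 55);
    sub_401220(&v[3], 3);
    sub_401000(&v[3], 4);
    sub_401220(&v[3], 1);

    /* cell 4: -> 102 'f' */
    sub_401100(&v[4], 100000000);
    sub_401220(&v[4], 99999950);
    sub_401100(&v[4], 2);
    sub_401000(&v[4], 2);

    /* cell 5: (1-1)*1e9 = 0, +55 -3 -> 52 '4' */
    sub_401220(&v[5], 1);
    sub_401100(&v[5], 1000000000);
    sub_401000(&v[5], 55);
    sub_401220(&v[5], 3);

    /* cell 6: -> 100 'd' */
    sub_401100(&v[6], 1000000);
    sub_401220(&v[6], 999975);
    sub_401100(&v[6], 4);

    /* cell 7: -> 56 '8' */
    sub_401000(&v[7], 55);
    sub_401220(&v[7], 33);
    sub_401000(&v[7], 44);
    sub_401220(&v[7], 11);

    /* cell 8: -> 49 '1' */
    sub_401100(&v[8], 10);
    sub_401220(&v[8], 5);
    sub_401100(&v[8], 8);
    sub_401000(&v[8], 9);

    /* cell 9: -> 54 '6' */
    sub_401000(&v[9], 0);
    sub_401220(&v[9], 0);
    sub_401000(&v[9], 11);
    sub_401220(&v[9], 11);
    sub_401000(&v[9], 53);

    /* cell 10: -> 50 '2' */
    sub_401000(&v[10], 49);
    sub_401220(&v[10], 2);
    sub_401000(&v[10], 4);
    sub_401220(&v[10], 2);

    /* cell 11: -> 54 '6' */
    sub_401100(&v[11], 1000000);
    sub_401220(&v[11], 999999);
    sub_401100(&v[11], 4);
    sub_401000(&v[11], 50);

    /* cell 12: 1 + 6*1 + 10 + 32 -> 49 '1' (cell 27 reads this later) */
    for (int k = 0; k < 6; ++k)
        sub_401000(&v[12], 1);
    sub_401000(&v[12], 10);
    sub_401000(&v[12], 32);

    /* cell 13: -> 97 'a' */
    sub_401100(&v[13], 10);
    sub_401220(&v[13], 5);
    sub_401100(&v[13], 8);
    sub_401000(&v[13], 9);
    sub_401000(&v[13], 48);

    /* cell 14: (1-1) * 0xEE6B2800 = 0, +55 -3 -> 52 '4' */
    sub_401220(&v[14], 1);
    sub_401100(&v[14], -294967296);
    sub_401000(&v[14], 55);
    sub_401220(&v[14], 3);

    /* cell 15: 1 + (1+2+...+7) + 20 -> 49 '1' */
    for (int k = 1; k <= 7; ++k)
        sub_401000(&v[15], k);
    sub_401000(&v[15], 20);

    /* cell 16: -> 97 'a' */
    sub_401100(&v[16], 10);
    sub_401220(&v[16], 5);
    sub_401100(&v[16], 8);
    sub_401000(&v[16], 9);
    sub_401000(&v[16], 48);

    /* cell 17: 1 + (7+6+...+1) + 20 -> 49 '1' */
    for (int k = 7; k >= 1; --k)
        sub_401000(&v[17], k);
    sub_401000(&v[17], 20);

    /* cell 18: same sum in the binary's order -> 49 '1' */
    sub_401000(&v[18], 7);
    sub_401000(&v[18], 2);
    sub_401000(&v[18], 4);
    sub_401000(&v[18], 3);
    sub_401000(&v[18], 6);
    sub_401000(&v[18], 5);
    sub_401000(&v[18], 1);
    sub_401000(&v[18], 20);

    /* cell 19: -> 53 '5' */
    sub_401100(&v[19], 1000000);
    sub_401220(&v[19], 999999);
    sub_401100(&v[19], 4);
    sub_401000(&v[19], 50);
    sub_401220(&v[19], 1);

    /* cell 20: (1-1) * 0xEE6B2800 = 0, +49 -1 -> 48 '0' */
    sub_401220(&v[20], 1);
    sub_401100(&v[20], -294967296);
    sub_401000(&v[20], 49);
    sub_401220(&v[20], 1);

    /* cell 21: the +1e9/-1e9 pair cancels -> 53 '5' */
    sub_401220(&v[21], 1);
    sub_401100(&v[21], 1000000000);
    sub_401000(&v[21], 54);
    sub_401220(&v[21], 1);
    sub_401000(&v[21], 1000000000);
    sub_401220(&v[21], 1000000000);

    /* cell 22: -> 50 '2' */
    sub_401000(&v[22], 49);
    sub_401220(&v[22], 1);
    sub_401000(&v[22], 2);
    sub_401220(&v[22], 1);

    /* cell 23: -> 97 'a' (cell 29 reads this later) */
    sub_401100(&v[23], 10);
    sub_401220(&v[23], 5);
    sub_401100(&v[23], 8);
    sub_401000(&v[23], 9);
    sub_401000(&v[23], 48);

    /* cell 24: 1 + 1 + 3*3 + 3*6 + 20 -> 49 '1' */
    sub_401000(&v[24], 1);
    sub_401000(&v[24], 3);
    sub_401000(&v[24], 3);
    sub_401000(&v[24], 3);
    sub_401000(&v[24], 6);
    sub_401000(&v[24], 6);
    sub_401000(&v[24], 6);
    sub_401000(&v[24], 20);

    /* cell 25: -> 98 'b' (cell 26 reads this next) */
    sub_401000(&v[25], 55);
    sub_401220(&v[25], 33);
    sub_401000(&v[25], 44);
    sub_401220(&v[25], 11);
    sub_401000(&v[25], 42);

    /* cells 26..31 are derived from earlier cells, so order matters. */
    sub_401000(&v[26], v[25]);          /* 1 + 98 -> 99 'c' */
    sub_401000(&v[27], v[12]);          /* 1 + 49 -> 50 '2' */

    sub_401220(&v[28], 1);              /* 0 + 50 - 1 -> 49 '1' */
    sub_401000(&v[28], v[27]);
    sub_401220(&v[28], 1);

    sub_401220(&v[29], 1);              /* 0 * 1e6 + 97 -> 97 'a' */
    sub_401100(&v[29], 1000000);
    sub_401000(&v[29], v[23]);

    sub_401000(&v[30], 1);              /* 2 * 50 -> 100 'd' */
    sub_401100(&v[30], v[27]);

    sub_401000(&v[31], v[30]);          /* 1 + 100 -> 101 'e' */
}

/*
 * Entry point: seed every cell with 1 (as the binary does), replay the
 * arithmetic and print the result wrapped in CTF{...}.
 *
 * Fixes versus the pasted decompiler output: the closing format string is
 * "}\n" (the backslash had been lost, printing a literal 'n'), and the
 * non-standard (argc, argv, envp) signature is replaced by main(void)
 * since none of the arguments are used.  The binary's extra 0 written
 * after the 32 cells is not needed here because the output loop prints
 * exactly FLAG_LEN characters.  system("pause") is kept only on Windows:
 * it is a console-pause convenience, not part of the solution, and on
 * other platforms it would just hand an arbitrary command to /bin/sh.
 *
 * Returns 0.
 */
int main(void)
{
    int cells[FLAG_LEN];

    for (int i = 0; i < FLAG_LEN; ++i)
        cells[i] = 1;

    puts("Your flag is:");
    build_flag(cells);

    printf("CTF{");
    for (int j = 0; j < FLAG_LEN; ++j)
        printf("%c", cells[j]);
    printf("}\n");

#ifdef _WIN32
    system("pause");
#endif
    return 0;
}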



end



​Newbie_calculations(等价替换)


本文始发于微信公众号(雷石安全实验室):​Newbie_calculations(等价替换)

admin
  • 本文由 发表于 2020年12月28日16:52:26
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   ​Newbie_calculations(等价替换)https://cn-sec.com/archives/222714.html
