1. Download the binary and check for a packer

64-bit, no packer

2. Load into IDA for detailed analysis

(1) Shift+F12 to look for key strings

The key string is “Nice!”. As a rule of thumb, a string like this is the message printed after successful verification.
(2) Find the function that references the key string

(3) Read the code to understand the flow: the program asks the user to input a string, stores it in s, and passes the address of s as the argument to sub_4006FD. The return value of sub_4006FD is then used as the if condition. If the return value is non-zero, “Incorrect password!” is printed, so we need sub_4006FD to return 0.
(4) Follow sub_4006FD

Reading the code, you can see that it returns 1 (non-zero) as soon as the if condition inside the for loop is true; what we want is for the loop to run to completion and return 0, so the if condition must be false in all 12 iterations (i from 0 to 11). Look at the condition:

*(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) != 1

Each iteration takes the string at v3[i % 3] and reads the byte at offset 2 * (i / 3) into it, then subtracts the byte at address i + a1. If the difference is not 1, the loop stops and the function returns 1; if every one of the 12 differences is 1, the loop finishes and the function returns 0. Here a1 is the address of the string we entered in main, so each input byte is fixed by the table byte at the same position. In other words, for the if condition to be false we need

*(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) == 1

which gives the correct value for the byte at address i + a1: the table byte minus 1.
Write the script:
#include <stdio.h>
#include <stdint.h>

int main(void)
{
    int i;              // [rsp+14h] [rbp-24h]
    intptr_t v3[4];     // [rsp+18h] [rbp-20h], __int64 in the IDA output
    int a1[12] = {0};   // one slot per loop iteration (i = 0..11)
    v3[0] = (intptr_t)"Dufhbmf";
    v3[1] = (intptr_t)"pG`imos";
    v3[2] = (intptr_t)"ewUglpt";
    for (i = 0; i <= 11; ++i) {
        // brute-force every ASCII value n and keep the one that makes the difference 1
        for (int n = 0; n < 128; n++) {
            if (*(char *)(v3[i % 3] + 2 * (i / 3)) - n == 1)
                a1[i] = n;
        }
    }
    for (i = 0; i < 12; i++)
        printf("%c", a1[i]);
    printf("\n");
    return 0;
}


Define a variable n as the ASCII value of a candidate input character. For each position i, try every ASCII value of n (0 to 127) and store the n that satisfies *(char *)(v3[i % 3] + 2 * (i / 3)) - n == 1 into the array that will hold the correct flag; printing that array gives the password.
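As a cross-check that is not part of the original writeup, the added C below re-implements sub_4006FD from the decompiled condition, derives the password by inverting that condition (table byte minus 1) instead of brute-forcing it, and confirms the derived string passes the check while a one-character change fails it. The names check_password and recovered_password are assumed; the three table strings are the ones IDA showed being loaded into v3.

```c
#include <stdio.h>
#include <string.h>

/* The three 7-byte strings IDA showed being loaded into v3[0..2]. */
static const char *const v3[3] = { "Dufhbmf", "pG`imos", "ewUglpt" };

/* sub_4006FD re-implemented from the decompiled loop (name assumed):
   returns 1 (reject) on the first position whose difference is not 1,
   returns 0 (accept) if all 12 positions i = 0..11 satisfy the condition. */
int check_password(const char *a1)
{
    for (int i = 0; i <= 11; ++i) {
        if (v3[i % 3][2 * (i / 3)] - a1[i] != 1)
            return 1;
    }
    return 0;
}

/* Invert the condition: each expected input byte is the table byte minus 1.
   Returns a NUL-terminated 12-character string in a static buffer. */
const char *recovered_password(void)
{
    static char out[13];
    for (int i = 0; i <= 11; ++i)
        out[i] = (char)(v3[i % 3][2 * (i / 3)] - 1);
    out[12] = '\0';
    return out;
}

int main(void)
{
    const char *flag = recovered_password();
    printf("recovered password: %s\n", flag);
    printf("check_password(recovered) = %d\n", check_password(flag));
    printf("check_password(\"Code_Talkerz\") = %d\n", check_password("Code_Talkerz"));
    return 0;
}
```

Note that the check only examines the first 12 bytes of the input, so any string with the correct 12-byte prefix also satisfies it; how main reads and sizes the input buffer is not shown in this writeup.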

3. Results
