用 DIE 打开,是一个 dll
用 ida 打开,简单分析一下,是一个记录键盘按键的程序。里面的每个虚拟键码都有一个函数返回字符串
那么 flag 在哪里呢?看到左边函数窗口里看到有一个 DialogFunc,按 X 查找交叉引用,最后找到按下 "m" 对应的函数
执行 sub_10001240 的条件是 dword_100194FC > 0。
dword_100194FC 的初始值是 0,再找 dword_100194FC 的交叉引用,看看哪里把它改成了 1,最后找到了 "o" 对应的函数
按照这个方法,逐步追溯每个变量改变的条件,所有按键对应的的字符连起来就是 flag
import idautils
import idaapi
import idc
import copytarget_var_ea = 0x100194FC
target_var_value = 1
asc_string = 'm'init_func_ea = 0x10001060print("*********************************")def get_initial_status(func_ea):status = dict()for ea in idautils.FuncItems(func_ea):insn = idaapi.insn_t()idaapi.decode_insn(insn, ea)if insn.itype == idaapi.NN_mov and insn.ops[0].type == idaapi.o_mem and insn.ops[1].type == idaapi.o_imm:status[insn.ops[0].addr] = insn.ops[1].valuereturn statusinit_status = get_initial_status(init_func_ea)
current_staus = copy.deepcopy(init_status)def get_target_status(func, target_ea):status = dict()flowchart = idaapi.FlowChart(func)target_block = None# 找到目标地址所在的块for block in flowchart:if block.start_ea <= target_ea < block.end_ea:target_block = blockbreak# 获取函数返回值mov_eax_addr = idc.prev_head( # mov eax, immidc.prev_head( # pop ebpidc.prev_head( # retfunc.end_ea)))insn = idaapi.insn_t()idaapi.decode_insn(insn, mov_eax_addr)asc_addr = 0if insn.itype == idaapi.NN_mov and insn.ops[0].type == idaapi.o_reg and insn.ops[1].type == idaapi.o_imm:asc_addr = insn.ops[1].valueelse:raise Exception("not \"mov eax, imm\"")# 反向遍历块,获取运行到目标地址所需要的所有条件while True:pre_blocks = target_block.preds()pre_count = 0for block in pre_blocks:pre_count += 1if pre_count > 1:raise Exception("too many preds")cmp = idaapi.insn_t()idaapi.decode_insn(cmp, idc.prev_head(idc.prev_head(block.end_ea)))jcc = idaapi.insn_t()idaapi.decode_insn(jcc, idc.prev_head(block.end_ea))if cmp.itype == idaapi.NN_cmp and cmp.ops[0].type == idaapi.o_mem and cmp.ops[1].type == idaapi.o_imm and cmp.ops[1].value == 0 and jcc.itype == idaapi.NN_jle:if jcc.ops[0].addr == target_block.start_ea:status[cmp.ops[0].addr] = 0else:status[cmp.ops[0].addr] = 1else:raise Exception("not \"cmp mem, 0\" and \"jle addr\"")target_block = blockif pre_count == 0:break# 返回结果return status, asc_addrstart_at = 0
while start_at == 0:# 遍历所有引用目标变量的地方target_count = 0for xref in idautils.XrefsTo(target_var_ea):insn = idaapi.insn_t()idaapi.decode_insn(insn, xref.frm)# 找到达到目标状态的 movif insn.itype == idaapi.NN_mov and insn.ops[1].type == idaapi.o_imm and insn.ops[1].value == target_var_value:target_count += 1if target_count > 1:raise Exception("too many targets")func = idaapi.get_func(xref.frm)status, asc_addr = get_target_status(func, xref.frm)print(status)print(idc.get_strlit_contents(asc_addr))asc_string = idc.get_strlit_contents(asc_addr).decode() + asc_string# 对比初始状态,找到变化的量change_count = 0for addr in status:if addr in init_status:if init_status[addr] != status[addr]:change_count += 1if change_count > 1:# raise Exception("too many changes")breakprint(f'change: {addr:x} -> {status[addr]}')target_var_ea = addrtarget_var_value = status[addr]else:raise Exception("uninitialzed var")if change_count == 0:start_at = func.start_eaprint(f'start at {start_at:x} ({idc.get_func_name(start_at)})')print(asc_string)
l0ggingdoturdot5tr0ke5atflaredashondotcom
l0gging.ur.5tr0ke5@flare-on.com
提交,都不对。
上网搜一下,答案是 l0gging.Ur.5tr0ke5@flare-on.com
这里只是通过虚拟键码判断,没有区分大小写,也没有处理 Shift 和 CapsLock,所以没弄清楚为什么 U 会是大写……
