32-bit, no packer.
Pressing F5 on main to decompile fails, so I read the assembly directly.
Observation plus dynamic debugging confirm that byte_2D12C0 holds the input string; the code above is the key part.
It XORs the input string byte by byte with cl, then compares the result against the stored string byte_2CEA08; if every byte matches, the input is the correct flag.
Dump the stored data at byte_2CEA08:
0x4d,0x53,0x41,0x57,0x42,0x7e,0x46,0x58,0x5a,0x3a,0x4a,0x3a,0x60,0x74,0x51,0x4a,0x22,0x4e,0x40,0x20,0x62,0x70,0x64,0x64,0x7d,0x38,0x67
The value XORed with each input byte is the low eight bits of eax. Looking at the loop:
xor eax, eax
zeroes eax before the loop begins, and every iteration executes
inc eax
so eax grows by one per byte.
Hence the key byte XORed with the i-th flag character is i, i.e. 0, 1, 2, 3, 4, ... (one key byte per flag byte).
Solve script:
# Bytes dumped from byte_2CEA08 (the stored comparison string).
data = [0x4d, 0x53, 0x41, 0x57, 0x42, 0x7e, 0x46, 0x58, 0x5a, 0x3a, 0x4a, 0x3a, 0x60,
        0x74, 0x51, 0x4a, 0x22, 0x4e, 0x40, 0x20, 0x62, 0x70, 0x64, 0x64, 0x7d, 0x38, 0x67]

# XOR is its own inverse: undo the loop by XORing byte i with its index i.
flag = ""
for i in range(len(data)):
    flag += chr(data[i] ^ i)
print(flag)
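As an added example (not the write-up's own script), the following models the check routine described above in both directions: the forward transform the binary applies to the input in byte_2D12C0 before comparing it with byte_2CEA08, and the inverse used to recover the flag, with the recovered flag fed back through the modelled check as a sanity test. It generalizes one point the write-up makes: since only the low eight bits of eax reach the XOR, the key wraps modulo 256 for inputs longer than 255 bytes. The function names, the explicit length check in `check`, and the assumption that the comparison covers exactly the 27 stored bytes are mine, not taken from the binary.

```python
# Added example modelling the XOR-with-counter check described in the write-up.
# Function names and the length check are assumptions for illustration; the
# binary's own symbols (byte_2D12C0, byte_2CEA08) appear only in comments.

# Contents of byte_2CEA08 as dumped in the write-up (27 bytes).
EXPECTED = bytes([
    0x4d, 0x53, 0x41, 0x57, 0x42, 0x7e, 0x46, 0x58, 0x5a, 0x3a, 0x4a, 0x3a, 0x60,
    0x74, 0x51, 0x4a, 0x22, 0x4e, 0x40, 0x20, 0x62, 0x70, 0x64, 0x64, 0x7d, 0x38, 0x67,
])


def xor_with_counter(data: bytes) -> bytes:
    """The transform the loop applies: byte i is XORed with the loop counter.

    The counter lives in eax (xor eax, eax before the loop; inc eax per
    iteration), but only its low byte takes part in the XOR, so the key
    wraps modulo 256 once the input exceeds 255 bytes.
    """
    return bytes(b ^ (i & 0xFF) for i, b in enumerate(data))


def check(user_input: bytes) -> bool:
    """Model of the binary's comparison: transform the input (byte_2D12C0)
    and compare it with the stored bytes (byte_2CEA08).

    Assumption: an input of the wrong length is treated as a mismatch.
    """
    if len(user_input) != len(EXPECTED):
        return False
    return xor_with_counter(user_input) == EXPECTED


def recover_flag() -> str:
    """XOR is its own inverse: applying the same counter-XOR to the stored
    bytes yields the input the binary accepts."""
    return xor_with_counter(EXPECTED).decode("ascii")


if __name__ == "__main__":
    flag = recover_flag()
    print(flag)
    # The recovered flag must pass the modelled check, otherwise the model
    # of the loop (or the dumped bytes) is wrong.
    print("check passes:", check(flag.encode("ascii")))
```

Running the script prints the flag followed by `check passes: True`; if the dump of byte_2CEA08 were off by a byte, the round trip would still decode to something printable but the check would fail, which is why the forward model is worth keeping next to the solver.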