1. Tools
1.IDA
2. UPX shelling tool
2. Problem-solving ideas
Loading IDA found that UPX was used
Just use unpacking software to unpack, and then load IDA after unpacking.
I found that there is nothing critical in the start and _main functions, so continue to look for it.
Finally, I found that this function is the key function
Go into StartAddress and take a look
It is found that the stack is unbalanced, press G to jump to the address
Result after checking
You can see that the green one at the bottom is a negative number. Let’s modify the stack to make it balanced. On the line above -04, 000, hold down alt + k.
In this way, the sub_411940 function can be entered.
off_418000: QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm
It’s not clear yet what this code does, so I’ll go back and analyze other functions.
off_418004 = TOiZiZtOrYaToUwPnToBsOaOapsyS
It can be seen that the string of flag after being encrypted by two threads is TOiZiZtOrYaToUwPnToBsOaOapsyS
In fact, I don’t quite understand the thread one code myself. After looking at the correct flag, I deduced it like this: extract the character from the couece, then find the same character in QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm, and extract the subscript of the character in QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm , if the character taken out is uppercase, find the character corresponding to the [subscript – 38] value in ASCII and replace the character in couece. Similarly, for lowercase, subtract 96
It is not difficult to find that as long as it is converted to lowercase, it will become uppercase, and after conversion, it will become lowercase. Therefore, in the reverse process, uppercase + 96; lowercase + 38
There is another point, which is in the thread.
You will find that thread 2 does not operate on the string, only thread 1 does, and they will be suspended for a period of time after execution, indicating that the two threads are executed alternately, one is executed and the other is executed, and dword_418008 The value is 1D (29), and it is -1 every time the thread is executed. We can boldly guess that if the subscript is an odd number (even number), encryption will be performed, otherwise the original character will be output.
Next we write code to verify our conjecture:
#include <Stdio.h>
#include <String.h>
//Parameter one: target character; parameter two: target string
int find(char yuan,char Aim_array[]){
for(int i = 0;i < strlen(Aim_array);i + + ){
if(Aim_array[i] == yuan)
return i;
}
}
int main(){
char source[] = "TOiZiZtOrYaToUwPnToBsOaOapsyS"; //flag encrypted result
char off_418000[] = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm"; //Replacement table
//Find the same character as source[i] in off_418000, take out the subscript, and perform addition and subtraction operations with 96 or 38
char flag[29] = "";
\t
for(int i = 0;i < 29;i + + ){
//We don’t know which thread to execute first, so we try them both (i % 2 == 1) or (i % 2 == 0)
if(i % 2 == 1){
if(source[i] >= 'A' & amp; & amp; source[i] <= 'Z'){
//Execute in uppercase
//Because the original lowercase characters have become uppercase after execution, they cannot be like the code in IDA
flag[i] = find(source[i],off_418000) + 96;
}else{
//lowercase execution
flag[i] = find(source[i],off_418000) + 38;
}
}else{
flag[i] = source[i];
}
}
\t
for(int i = 0;i < 29;i + + ){
printf("%c",flag[i]);
}
\t
return 0;
}
i % 2 == 1 in the code is to verify this conjecture. I tried i % 2 == 1 but it didn’t work. It means that if the subscript (starting from 0) is an odd number, encryption will be performed.
result
ThisisthreadofwindowshahaIsES
However, the result is wrong. After careful observation, I found that
Only 29 people were verified
The operation on strings operates on 30 bits (0 to 29), so the last bit may require us to guess and put each letter into
Guess it once (can be written in code, using string splicing function)
Final flag:
flag{ThisisthreadofwindowshahaIsESE}
Thread related knowledge
A program occupies the entire process when running. A process can create multiple threads, and these threads can run in parallel.
Threads are divided into: “Peer thread“, “Detached thread“, “Main thread“
- When a processor encounters a slow system call (such as sleep) while processing a thread that takes more time to process the request, control is switched to another peer thread.
The knowledge points of the article match the official knowledge files, and you can further learn related knowledge. Algorithm skill tree Home page Overview 57357 people are learning the system