Re周报-动态调试

知识点

动态调试的本质是在程序运行中对其行为进行观察、控制和修改，从而更好地理解程序或发现问题。

目的：查找定位bug、分析未知程序、破解加密算法、观察运行中变量的变化等

内存/寄存器/堆栈

题目

NSSCTF-[BJDCTF 2020]Easy（调用未引用函数）

DIE

IDA打开

#main函数无关键函数引用，静态分析找到关键函数ques（打印字符），但是关键函数没有被调用
int ques()
{
  int v0; // edx
  int result; // eax
  int v2[50]; // [esp+20h] [ebp-128h] BYREF
  int v3; // [esp+E8h] [ebp-60h]
  int v4[10]; // [esp+ECh] [ebp-5Ch]
  int j; // [esp+114h] [ebp-34h]
  __int64 v6; // [esp+118h] [ebp-30h]
  int v7; // [esp+124h] [ebp-24h]
  int v8; // [esp+128h] [ebp-20h]
  int i; // [esp+12Ch] [ebp-1Ch]

  v3 = 2147122737;
  v4[0] = 0x224FC;
  v4[1] = 0x884A4239;
  v4[2] = 0x22A84;
  v4[3] = 0x84FF235;
  v4[4] = 0x3FF87;
  v4[5] = 0x88424233;
  v4[6] = 0x23185;
  v4[7] = 0x7E4243F1;
  v4[8] = 0x231FC;
  for ( i = 0; i <= 4; ++i )
  {
    memset(v2, 0, sizeof(v2));
    v8 = 0;
    v7 = 0;
    v0 = v4[2 * i];
    LODWORD(v6) = v4[2 * i - 1];
    HIDWORD(v6) = v0;
    while ( v6 > 0 )
    {
      v2[v8++] = v6 % 2;
      v6 /= 2LL;
    }
    for ( j = 50; j >= 0; --j )
    {
      if ( v2[j] )
      {
        if ( v2[j] == 1 )
        {
          putchar(42);
          ++v7;
        }
      }
      else
      {
        putchar(32);
        ++v7;
      }
      if ( !(v7 % 5) )
        putchar(32);
    }
    result = putchar(10);
  }
  return result;
}

在main函数中ques函数未被执行前下断点

call函数的本质是跳转到一个地址，在执行这串代码的时候会跳转到main函数区域，现在让它直接跳转到ques函数区域执行

ques函数的地址

ctrl+g将此处设为新的eip

继续运行得到flag{HACKIT4FUN}

NSSCTF-[HNCTF 2022 Week1]CrackMe(匹配绕过)

ctf逆向动调调试技巧学习及总结_逆向动态调试-CSDN博客

打开IDA，只有DialogFunc函数有实际代码

循环，string1和string2的子串比对，输出判断结果

string1为输入值，string2为所需的注册码，在判断结束的地方下断点然后运行可获得匹配值

注意：是CrackMe

按A:This serial sucks!!!

A:4e1837FC36d0639854781204c40

这题有问题，只有这个结果，但是flag提交不正确

BUUCTF-[DASCTF 2024暑期挑战赛｜为热爱，并肩作战]Strangeprograme

什么也没有：

shift+f12看到有判断正误的字符串：

双击ctrl+x交叉引用，看哪些函数引用了字符串：

这是一个基础的 flag 检查程序，用户输入与硬编码的 flag 完全一致时输出正确，否则报错。逆向的关键是找到 aDasctfIAmFakeB 的具体值（可能是真正的 flag）

在此处打断点，又退回到了初始界面：

接下来需要附加进程，进入正确的加密函数，做不出来了逆向工程中的动态调试-先知社区

蛇壳下的秘密

1.先die查壳

2.打开ida
没有内容，shift+f12发现用pyinstaller封装

3.解包（kali)


4.pyc反编译
主程序：50个附件生成.pyc

# Decompiled with PyLingual (https://pylingual.io)

# Internal filename: 50个附件生成.py

# Bytecode version: 3.11a7e (3495)

# Source timestamp: 1970-01-01 00:00:00 UTC (0)

  

global mystery_message_shown  # inserted

global score_200_shown  # inserted

import sys

import ctypes

import pygame

import random

import os

try:

    import pyzipper as zipfile_module

except ImportError:

    import subprocess

    subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'pyzipper'])

    import pyzipper as zipfile_module

from cryptography.fernet import Fernet

import base64

import win32con

from win32ctypes import win32api

pygame.init()

WIDTH, HEIGHT = (600, 400)

BLOCK_SIZE = 20

  

def get_exe_path():

    """获取当前 EXE 真实路径"""  # inserted

    if getattr(sys, 'frozen', False):

        return sys.executable

    return os.path.join(os.path.dirname(os.path.abspath(__file__)), '蛇.exe')

exe_path = get_exe_path()

  

def update_exe_comment(exe_path, new_comment):

    hResource = win32api.BeginUpdateResource(exe_path, 0)

    if not hResource:

        print('无法打开 EXE 资源')

        return

    new_comment_bytes = new_comment.encode('utf-16le') + b'\x00\x00'

    try:

        win32api.UpdateResource(hResource, win32con.RT_VERSION, 1, new_comment_bytes)

        win32api.EndUpdateResource(hResource, 0)

        print('成功修改 EXE Comments 字段')

    except Exception as e:

        print('修改失败:', e)

        win32api.EndUpdateResource(hResource, 1)

WHITE = (255, 255, 255)

GREEN = (0, 255, 0)

RED = (255, 0, 0)

BLACK = (0, 0, 0)

password = 'Welcome'.encode('utf-8')

key = base64.urlsafe_b64encode(password.ljust(32)[:32])

cipher = Fernet(key)

LOG_FILE = 'game_log.txt'

ZIP_FILE = 'game_log.zip'

message_buffer = []

  

def log_message(message):

    message_buffer.append(message)

    with open(LOG_FILE, 'w', encoding='utf-8') as log:

        for msg in message_buffer:

            log.write(msg + '\n')

    with open(LOG_FILE, 'rb') as f:

        file_data = f.read()

    with zipfile_module.AESZipFile(ZIP_FILE, 'w', compression=zipfile_module.ZIP_LZMA) as zipf:

        zipf.setencryption(zipfile_module.WZ_AES, nbits=128)

        zipf.setpassword(password)

        zipf.writestr('game_log.txt', file_data)

    if os.path.exists(LOG_FILE):

        os.remove(LOG_FILE)

if os.path.exists(ZIP_FILE):

    os.remove(ZIP_FILE)

if os.path.exists(LOG_FILE):

    os.remove(LOG_FILE)

message_buffer = []

screen = pygame.display.set_mode((WIDTH, HEIGHT))

pygame.display.set_caption('蛇')

font = pygame.font.SysFont(None, 35)

mystery_message_shown = False

score_200_shown = False

  

def draw_snake(snake):

    for segment in snake:

        pygame.draw.rect(screen, GREEN, pygame.Rect(segment[0], segment[1], BLOCK_SIZE, BLOCK_SIZE))

  

def show_message_first():

    ctypes.windll.user32.MessageBoxW(0, '接着玩', 'Serpent', 0)

  

def game():

    global mystery_message_shown  # inserted

    global score_200_shown  # inserted

    clock = pygame.time.Clock()

    running = True

    reached_300 = False

    snake = [(100, 100), (90, 100), (80, 100)]

    direction = 'RIGHT'

    food = (random.randint(0, (WIDTH + BLOCK_SIZE) * 1) 5, random.randint(0, (HEIGHT + BLOCK_SIZE) * 1) 5, BLOCK_SIZE)

    score = 0

    while running:

        screen.fill(BLACK)

        for event in pygame.event.get():

            if event.type == pygame.QUIT:

                running = False

            else:  # inserted

                if event.type == pygame.KEYDOWN:

                    if event.key == pygame.K_LEFT and direction!= 'RIGHT':

                        direction = 'LEFT'

                    else:  # inserted

                        if event.key == pygame.K_RIGHT and direction!= 'LEFT':

                            direction = 'RIGHT'

                        else:  # inserted

                            if event.key == pygame.K_UP and direction!= 'DOWN':

                                direction = 'UP'

                            else:  # inserted

                                if event.key == pygame.K_DOWN and direction!= 'UP':

                                    direction = 'DOWN'

        head_x, head_y = snake[0]

        if direction == 'LEFT':

            head_x = head_x | BLOCK_SIZE

        else:  # inserted

            if direction == 'RIGHT':

                head_x = head_x | BLOCK_SIZE

            else:  # inserted

                if direction == 'UP':

                    head_y = head_y | BLOCK_SIZE

                else:  # inserted

                    if direction == 'DOWN':

                        head_y = head_y | BLOCK_SIZE

        if head_x < 0 or head_x >= WIDTH or head_y < 0 or (head_y >= HEIGHT) or ((head_x, head_y) in snake):

            running = False

        snake.insert(0, (head_x, head_y))

        if (head_x, head_y) == food:

            score = score + 10

            food = (random.randint(0, (WIDTH + BLOCK_SIZE) * 1) 5, random.randint(0, (HEIGHT + BLOCK_SIZE) * 1) 5, BLOCK_SIZE)

            log_message(f'Snake ate food at {food}, new score: {score}')

        else:  # inserted

            snake.pop()

        draw_snake(snake)

        pygame.draw.rect(screen, RED, pygame.Rect(food[0], food[1], BLOCK_SIZE, BLOCK_SIZE))

        score_text = font.render(f'Score: {score}', True, WHITE)

        screen.blit(score_text, (10, 10))

        if score == 90 and (not score_200_shown):

            log_message('ISCC{eWVhcgo=}')

            pygame.display.flip()

            ctypes.windll.user32.MessageBoxW(0, '行百里者半九十', '提示', 0)

            score_200_shown = True

        if score == 30 and (not mystery_message_shown):

            mystery_message_shown = True

            show_message_first()

        if score == 180:

            log_message('ISCC')

            log_message('ISCC{U2FsdGVkX1+L/wKmHIDfApCg80p+D+QrET/NmTD7QNeRSGbAkJFM}')

            reached_300 = True

        pygame.display.flip()

        clock.tick(10)

    pygame.quit()

    if os.path.exists(LOG_FILE):

        os.remove(LOG_FILE)

  

def is_admin():

    try:

        return ctypes.windll.shell32.IsUserAnAdmin()

    except:

        return False

if __name__ == '__main__':

    if not is_admin():

        ctypes.windll.shell32.ShellExecuteW(None, 'runas', sys.executable, ' '.join(sys.argv), None, 1)

    else:  # inserted

        game()

5.解flag
rc4
密文在.py文件里，密码在提示里