Approach: bypass the check and jump straight to the function that computes the flag.

1. Find the function that computes the flag and note its address, "0075e940"; this is the entry point.
2. Find an existing jump instruction and modify it to go there:
3. Run the program again and get the flag:
Postscript: I actually planned to go the IDA route at first, but unfortunately I couldn't find the second array, orz. Masters, please teach me o(tヘto)
IDA pseudocode of the flag-computing routine (the entry at 0075e940 mentioned above). The decompiler emitted v2..v58 and v59..v115 as 114 separate byte locals; they are two consecutive 57-byte buffers, shown here as arrays for readability. The values are exactly the ones from the listing; the body of the loop was not preserved in this copy.

```c
int flag_routine(void)
{
    sub_45a7be("done!!! the flag is ");

    // second array: v59 .. v115 (v115 = 0)
    unsigned char v59[57] = {
        18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32,
        49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32,
        16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0
    };
    // first array: v2 .. v58 (v58 = 0 terminates the string printed below)
    unsigned char v2[57] = {
        123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49, 83, 108, 94, 108,
        84, 6, 96, 83, 44, 121, 104, 110, 32, 95, 117, 101, 99, 123, 127, 119, 96, 48, 107, 71,
        92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86, 13, 114, 1, 117, 126, 0
    };

    for ( int i = 0; i < 56; ++i )
    {
        // loop body missing from this copy of the listing; it presumably combines
        // v2[i] with v59[i] in place before the buffer is printed
    }
    // the "%s" argument (&v2, the decoded buffer) was dropped in this copy and is restored here
    return sub_45a7be("%s\n", v2);
}
```
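The listing above gives both byte arrays and a 56-iteration loop but not the loop body. As an added example (not the writeup author's code), the script below recovers the flag offline from the two arrays alone, under two labelled assumptions: that the loop XORs each byte of v2..v57 with the matching byte of v59..v114 and with one constant byte (the usual shape of this kind of string obfuscation, not something the page states), and that a flag is printable ASCII containing "{" and ending in "}". The constant is not assumed; it is found by trying all 256 values and keeping the unique flag-like result, so a wrong guess about the loop shape shows up as "no unique decoding" rather than a plausible-looking wrong string.

```python
# Added example: recover the flag from the two byte arrays in the decompilation.
# Values copied from the listing: v2..v58 (FIRST) and v59..v115 (SECOND).
FIRST = [
    123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49, 83, 108, 94, 108,
    84, 6, 96, 83, 44, 121, 104, 110, 32, 95, 117, 101, 99, 123, 127, 119, 96, 48, 107, 71,
    92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86, 13, 114, 1, 117, 126, 0,
]
SECOND = [
    18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32,
    49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32,
    16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0,
]
LOOP_LEN = 56  # for ( i = 0; i < 56; ++i ) in the listing; the 57th byte is the terminator


def xor_arrays(first, second, n):
    """Assumption: the loop combines the two buffers byte-wise with XOR (&v2 + i ^= &v59 + i)."""
    return bytes(a ^ b for a, b in zip(first[:n], second[:n]))


def is_flag_like(candidate):
    """Assumption about the flag format: printable ASCII, contains '{', ends with '}'."""
    return (all(0x20 <= c <= 0x7E for c in candidate)
            and b"{" in candidate
            and candidate.endswith(b"}"))


def recover_flag(first=FIRST, second=SECOND, n=LOOP_LEN):
    """Try every single-byte constant after the array XOR.

    Returns (constant, flag) when exactly one candidate looks like a flag, otherwise None,
    so a wrong assumption about the loop is reported instead of silently producing junk.
    """
    mixed = xor_arrays(first, second, n)
    hits = []
    for key in range(256):
        candidate = bytes(c ^ key for c in mixed)
        if is_flag_like(candidate):
            hits.append((key, candidate.decode("ascii")))
    if len(hits) != 1:
        return None
    return hits[0]


if __name__ == "__main__":
    result = recover_flag()
    if result is None:
        print("no unique flag-like decoding; the loop body needs a closer look in the debugger")
    else:
        key, flag = result
        print(f"constant byte 0x{key:02x}, flag: {flag}")
```

Running it prints the recovered constant and the decoded 56-byte string; the "ends with '}'" check pins the constant uniquely because only one value maps the last mixed byte to "}", and the printable-ASCII check then confirms every other byte decodes consistently with it. Cross-checking this against what the patched binary prints (step 3 above) is how you confirm the assumed loop shape is right.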