buu_ re_ crackMe

This topic mainly focuses on simple bypass anti debugging , Evaluation combined with dynamic debugging .

Check the shell

Shell less 32 position

ida analysis

Enter your username and password .

Find out Flower instruction , Can't decompile .

  take jbe and aaa That line nop fall , These data will also be generated nop fall .

Finally get this .

  Select all the addresses marked red on the left , Press p Declared as a function , Open the function and find Congratulations, And then Please try again, And back to result The value is 1, therefore v3==1.（ The following picture is incomplete ）

  analysis sub_401830 function

  I found that there are many anti debugging things , There are probably four .

  Because of these things , If we go straight debug Can't get the right result .

Bypass anti debugging

First position the cursor on the line with anti debugging pseudo code , Press Tab key , Right click after jump and select Text view, In this way, the assembly instructions can be modified , So as to remove the interference of anti debugging code .

Put... In the picture above jz The order was changed to jmp Instructions ,jmp The corresponding operation code is 0xE8. Empathy , Change the other places too . Finally, don't forget patch into file！！！

  After completion, you can review the execution flow , Found that the anti debugging code disappeared , Bypass all .

Dynamic debugging  byte_416050 Array

The following figure shows the lower breakpoint . The first one is the position of the array we are looking for , It is also the key code ; In Chapter 2, we find that this array is stored in ecx To carry out exclusive or , When debugging, only watch ecx The content in .

  We know the user name , So type , Enter a random set of strings for the password .

  then F8 Single step , observe ecx Value .

  Finally get byte_416050 The value is 0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd

EXP

byte_C26050 = [0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd]
v17 = 'dbappsec'
flag=''

for i in range(len(byte_C26050)):
    flag += hex(byte_C26050[i] ^ ord(v17[i]))[2:]

print(flag)
#4eb5f3992391a1ae

Carry out the results according to the topic MD5 encryption , obtain flag.

flag{d2be2981b84f2a905669995873d6a36c} 

For details, please refer to the blogger's wp, It's well written and more specific .

​​​​​​BUUCTF crackMe Answer key .