CTF reverse entry question - dice
2022-07-06 17:22:00 【TiggerRun】
Challenge description: Beat our dice game and get the flag
0x00 Checking for a packer
PEiD confirms that the program is not packed.
0x01 Dynamic debugging in OllyDbg
After opening the binary I stepped through it with F7/F8 for a while without getting anywhere.
So the string-search approach was used to locate the relevant code instead.
From the strings you can tell this is a dice game, and that rolling "3-1-3-3-7" yields the flag.
The five dice rolls are each handled by separate code. Locating the code for each roll, we find a cmp immediately followed by a jnz; this check compares the value we rolled with the value hard-coded in the program.
0x02 NOP the jnz (success)
Simply and brutally NOP out the jnz so the jump is never taken, and the program runs on to the end. Sweet!
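The patch the post applies by hand in OllyDbg, as an added example that is not part of the original write-up: a scan of raw x86 code bytes for a jnz that directly follows a cmp, and a NOP-out of that jnz that keeps every other offset in place. The cmp/jnz byte sequences below are constructed for illustration; the heuristic recognises only a few common cmp encodings and a byte scan cannot distinguish code from data, so each hit still has to be confirmed in the debugger.

```python
from dataclasses import dataclass

NOP = 0x90

@dataclass
class Jnz:
    offset: int   # offset of the jnz opcode within the buffer
    size: int     # 2 for jnz rel8 (75 cb), 6 for jnz rel32 (0F 85 cd)
    target: int   # resolved branch target, as an offset within the buffer

def _follows_cmp(code: bytes, i: int) -> bool:
    """Heuristic: is the instruction just before offset i a cmp?
    Covers cmp eax, imm8 (83 F8 ib), cmp eax, imm32 (3D id) and
    register-to-register cmp (39 / 3B with a modrm byte >= C0)."""
    return ((i >= 3 and code[i - 3:i - 1] == b"\x83\xf8")
            or (i >= 5 and code[i - 5] == 0x3D)
            or (i >= 2 and code[i - 2] in (0x39, 0x3B) and code[i - 1] >= 0xC0))

def find_cmp_jnz(code: bytes) -> list[Jnz]:
    """Linear scan for a jnz that directly follows a cmp. A byte scan cannot
    tell code from data, so each hit still has to be confirmed in the debugger."""
    hits, i = [], 0
    while i < len(code):
        if code[i] == 0x75 and i + 2 <= len(code):
            rel, size = int.from_bytes(code[i + 1:i + 2], "little", signed=True), 2
        elif code[i:i + 2] == b"\x0f\x85" and i + 6 <= len(code):
            rel, size = int.from_bytes(code[i + 2:i + 6], "little", signed=True), 6
        else:
            i += 1
            continue
        if _follows_cmp(code, i):
            hits.append(Jnz(i, size, i + size + rel))
        i += size
    return hits

def nop_jnz(code: bytes, jnz: Jnz) -> bytes:
    """Copy of code with the jnz replaced by NOPs of the same length, so no
    later offset (and no other jump target) moves."""
    buf = bytearray(code)
    buf[jnz.offset:jnz.offset + jnz.size] = bytes([NOP]) * jnz.size
    return bytes(buf)

# Constructed sample: cmp eax,3 ; jnz fail ; mov eax,1 ; fail: xor eax,eax ; ret
SAMPLE_SHORT = bytes.fromhex("83f803" "7505" "b801000000" "31c0" "c3")
# Same logic with the 6-byte near form of jnz
SAMPLE_NEAR = bytes.fromhex("83f803" "0f8505000000" "b801000000" "31c0" "c3")
if __name__ == "__main__":
    for sample in (SAMPLE_SHORT, SAMPLE_NEAR):
        for j in find_cmp_jnz(sample):
            print(f"jnz at {j.offset:#x} -> {j.target:#x}:", nop_jnz(sample, j).hex())
```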
0x03 Modifying the jump (failure)
The starting point is again string analysis.
Following the jump after the last check, you can locate the success logic in the blue box. Is it possible to make the program jump straight there???
Jump address: 0x004029AD
At the next breakpoint you can see the program asks us for input, but when the assembly is modified right there to jump to the success block, the program crashes before it finishes; possibly the variables it needs have not been set up yet???
So I tried jumping at the first check instead, since by that point the program's variables may already have been defined.
But the resulting flag is empty.
Cause analysis:
- The jump happens too early: the flag has not been calculated yet...
- That road is blocked: the flag is computed by the preceding five functions (as with anti-crawler encryption, e.g. a certain shopping site's JS that keeps computing parameters in a loop; skipping the process is a dead end).
I thought I could see the program's logic after the last dice roll.
The seventh wrong-answer branch jumps to 0040270A.
The last instruction of that code block jumps to 00402870.
So change the jump address of the first wrong-answer check to 00402870.
Now the prompt reads "... something wrong". Of course there is a problem: we only skipped one function, and there is another cmp at the end. I thought NOPing that jnz would finish the job, haha.
Reality is cruel: the final flag still did not come out. This shows that the flag is calculated piece by piece by the preceding five functions!!!
Just sharing the idea, even though this approach did not produce the flag.