从一道非常简单的题目开始了解 IDA

叁歲伎倆 2023-07-05 11:48 30阅读 0赞

[flag.exe][]

本次操作是来源于 ddctf 的一道入门题目!

下载`flag.exe`程序并打开分析输出的有用信息

![format_png][]

然后用 ida 32 位打开

![format_png 1][]

![format_png 2][]

![format_png 3][]

在菜单栏上的`View`\->`Open subviews`\->`Strings`, 或者直接使用快捷键`Shift+F12`打开`Strings`窗口, 一键找出所有的字符串（定位中文）

![format_png 4][]

![format_png 5][]

然后找一下`flag`字眼

![format_png 6][]

双击`flag get`字符串进入`IDA View-A`图标架构, 这里可以查看程序的逻辑树形图, 把程序的结构更人性化地显示出来, 方便我们的分析. 将光标放在`.rdata:00413E80`

![format_png 7][]

然后选择`Jump`\->`Jump to xref to operand...` 或者快捷键`Ctrl+X`查看**交叉引用**

![format_png 8][]

![format_png 9][]

![format_png 10][]

如果对汇编不熟悉, 直接`View`\->`Open subviews`\->`Generate pseudocode`或者快捷键`F5`查看伪代码

![format_png 11][]

![format_png 12][]

分析:

*  `_mm_load_si128`：加载128位值, `_mm_store_si128`：存储128位值
 *  `strcmp`函数是string compare(字符串比较)的缩写, 用于比较两个字符串并根据比较结果返回整数. 基本形式为`strcmp(str1,str2)`, 若str1=str2, 则返回零；若str1<str2, 则返回负数；若str1>str2, 则返回正数.
 *  v9是随意输入的值, v5是是函数`xmmword_413E34`赋值的, 所以找到函数`xmmword_413E34`的值就可以了.

int __cdecl main(int argc, const char **argv, const char **envp)
    {
        
      int v3; // eax
      __int128 v5; // [esp+0h] [ebp-44h]
      __int64 v6; // [esp+10h] [ebp-34h]
      int v7; // [esp+18h] [ebp-2Ch]
      __int16 v8; // [esp+1Ch] [ebp-28h]
      char v9; // [esp+20h] [ebp-24h]
    
      // 将 xmmword_413E34 函数的值存放在 v5变量
      _mm_storeu_si128((__m128i *)&v5, _mm_loadu_si128((const __m128i *)&xmmword_413E34));
      v7 = 0;
      v6 = qword_413E44;
      v8 = 0;
      printf("欢迎来到DUTCTF呦\n");
      printf("这是一道很可爱很简单的逆向题呦\n");
      printf("输入flag吧:");
      scanf("%s", &v9);
      // 比较 v5 和输入的 v9
      v3 = strcmp((const char *)&v5, &v9);
      if ( v3 )
        v3 = -(v3 < 0) | 1;
      if ( v3 )
        printf("flag不太对呦，再试试呗，加油呦\n");
      else
        printf((const char *)&unk_413E90);
      system("pause");
      return 0;
    }

双击函数`xmmword_413E34`, 可以发现其值后转成字符串.

![format_png 13][]

![format_png 14][]

![format_png 15][]

![format_png 16][]

ok, 得到 flag, 运行 flag.exe, 将 flag的值输入即可

![format_png 17][]  
最后: 欢迎大家访问我的博客: https://fengwenhua.top , 虽然博客上面没啥东西!

[flag.exe]: https://fengwenhua.top/upload/2020/2/flag-c452c28a4fdc4bf8a29f808b9e75d760.exe
[format_png]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzMzOTRfMjAyMDAyMTMxOTE4NDg2MjdfMjQzNzM3NzMxLnBuZw?x-oss-process=image/format,png
[format_png 1]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDhfMjAyMDAyMTQxNzM1NDg4OTBfMTk3MDgxMDM3NS5wbmc?x-oss-process=image/format,png
[format_png 2]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MTBfMjAyMDAyMTQxNzM2MDQ1NjBfNjIyMjAxMjk3LnBuZw?x-oss-process=image/format,png
[format_png 3]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MTBfMjAyMDAyMTQxNzM2MjY3NTRfMTIzOTMyMTQzNi5wbmc?x-oss-process=image/format,png
[format_png 4]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzMzOTdfMjAyMDAyMTMxOTIwMzEwNzJfMTI0ODczMDA4OC5wbmc?x-oss-process=image/format,png
[format_png 5]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzMzOThfMjAyMDAyMTMxOTI1NDkyOTVfNDg5MDY4ODUucG5n?x-oss-process=image/format,png
[format_png 6]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDBfMjAyMDAyMTMxOTI3Mzg3MjZfMTAyNjIyMjcyNC5wbmc?x-oss-process=image/format,png
[format_png 7]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDFfMjAyMDAyMTMxOTMwMjA1NTlfMTYwMDgyMzQwMy5wbmc?x-oss-process=image/format,png
[format_png 8]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDJfMjAyMDAyMTMxOTMxMjA1OThfMTM2MzgwNDYwNS5wbmc?x-oss-process=image/format,png
[format_png 9]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDRfMjAyMDAyMTMxOTMxMzUxMjVfMTM3MTAzMTgwNC5wbmc?x-oss-process=image/format,png
[format_png 10]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDRfMjAyMDAyMTMxOTMxNDk5MzFfNDMxOTk3NTE4LnBuZw?x-oss-process=image/format,png
[format_png 11]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDVfMjAyMDAyMTMxOTMzMDQ0MTlfMjA4NzU1ODE2Ni5wbmc?x-oss-process=image/format,png
[format_png 12]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDVfMjAyMDAyMTMxOTMzNTIxNDlfMjI3MTI3Ni5wbmc?x-oss-process=image/format,png
[format_png 13]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDZfMjAyMDAyMTMxOTUxMjExNTdfMTY2NjExMzczMy5wbmc?x-oss-process=image/format,png
[format_png 14]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDdfMjAyMDAyMTMxOTUxNDc0OTFfMTMzNDIzNzI5OC5wbmc?x-oss-process=image/format,png
[format_png 15]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MTFfMjAyMDAyMTQxNzQyMjg3NjFfODMxNDgyNTk5LnBuZw?x-oss-process=image/format,png
[format_png 16]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDdfMjAyMDAyMTMxOTUxNTk0ODZfNTAyMDI1NTEyLnBuZw?x-oss-process=image/format,png
[format_png 17]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9naXRlZS5jb20vZmVuZ3dlbmh1YS9JbWFnZUJlZC9yYXcvbWFzdGVyLzE1ODE2NzM0MDhfMjAyMDAyMTMxOTUzMTg3NTJfOTQ0NzIyMjEzLnBuZw?x-oss-process=image/format,png