I'm a beginner, so if anything here is wrong or incomplete, please point it out. Thanks!

Link: https://pan.baidu.com/s/11oIbMxd2I3-KC5QNxqAZSg Extraction code: 2020

The EnumFunc() function checks window names as an anti-debugging measure. Patch the code by NOP-ing out 10040114B and 100401152.

Go through the functions one by one...
This leads to the sub_1004011F6() function (after the patch).


Write a script to brute-force the input:

#include <stdio.h>
int main()
{
    char data[18] = { 0 }, input[19] = { 0 };
    data[0] = 17;
    data[1] = 8;
    data[2] = 6;
    data[3] = 10;
    data[4] = 15;
    data[5] = 20;
    data[6] = 42;
    data[7] = 59;
    data[8] = 47;
    data[9] = 3;
    data[10] = 47;
    data[11] = 4;
    data[12] = 16;
    data[13] = 72;
    data[14] = 62;
    data[15] = 0;
    data[16] = 7;
    data[17] = 16;
    char temp, str[] = "Rising_Hopper!";
    int i, j;
    for (i = 0; i < 18; i++)
        for (j = 0; j < 256; j++)
        {
            /* ~(a & b) & (a | b) is a bitwise XOR written the long way */
            temp = ~(j & str[i % 14]) & (j | str[i % 14]);
            if (data[i] == temp)
                input[i] = j;
        }
    puts(input);
}

After that, I could not get any further with the rest.

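Inside the sub_100401506() function, VirtualProtect is called on byte_10040164D...
IDA cannot turn the code at byte_10040164D into pseudocode...
(After finishing the challenge I found that when debugging dynamically in IDA, single-stepping with F8 reaches this point and byte_10040164D is then disassembled as code. This is the second stage.)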

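First download the cygwin1.dll that the program is missing and break the debugger detection, then use x64dbg to dump the program's memory.
(Alternatively, step through it in IDA's debugger; the code here is then disassembled automatically.)
Then load the memory dump into IDA, where this code can now be decompiled with F5.
(The cleaned-up code)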

Then extract the data and write a script:

#include <stdio.h>
int main()
{
    int i, j, data0[] = { 2007666,2125764,1909251,2027349,2421009,1653372,2047032,
2184813,2302911,2263545,1909251,2165130,1968300,2243862,
2066715,2322594,1987983,2243862,1869885,2066715,2263545,
1869885,964467,944784,944784,944784,728271,1869885,
2263545,2283228,2243862,2184813,2165130,2027349,1987983,2243862,1869885,2283228,2047032,1909251,
2165130,1869885,2401326,1987983,2243862,2184813,885735,2184813,2165130,1987983,2460375 };
    unsigned int v53, v55;
    v55 = 0x8000000B;
    for (i = 0; i < 51; i++)
    {
        for (j = 0; j < 256; j++)
        {
            /* 19683 * j stays below v55 for every j < 256, so the modulo leaves the product unchanged */
            v53 = 19683 * j % v55;
            if (v53 == data0[i])
                printf("%c", j);
        }
    }
}


The resulting flag is flag{Thousandriver_is_1000%_stronger_than_zero-one}
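
Both brute-force loops above can be replaced by direct inversion, shown here as an added example that is not part of the original post: the first check is a plain XOR, and the second is a modular multiplication undone with a modular inverse, which goes beyond the post's case by also covering products that wrap past the modulus. The function names `stage1_decode`, `stage2_decode` and `mod_inverse` are made up for this example; the constants are the ones from the two scripts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stage 1: ~(a & b) & (a | b) equals a ^ b, and XOR is its own inverse. */
static void stage1_decode(const unsigned char *data, size_t n,
                          const char *key, char *out)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(data[i] ^ (unsigned char)key[i % klen]);
    out[n] = '\0';
}

/* Inverse of a modulo m by extended Euclid; returns 0 if gcd(a, m) != 1. */
static uint64_t mod_inverse(uint64_t a, uint64_t m)
{
    int64_t t = 0, new_t = 1, r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Stage 2: c = mul * p mod m, hence p = c * mul^-1 mod m (one byte each). */
static void stage2_decode(const uint32_t *data, size_t n,
                          uint32_t mul, uint32_t mod, char *out)
{
    uint64_t inv = mod_inverse(mul, mod);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(((uint64_t)data[i] * inv) % mod);
    out[n] = '\0';
}

int main(void)
{
    /* Constants copied from the two scripts in the post. */
    const unsigned char d1[18] = { 17,8,6,10,15,20,42,59,47,3,47,4,16,72,62,0,7,16 };
    const uint32_t d2[5] = { 2007666, 2125764, 1909251, 2027349, 2421009 };
    char out[32];
    stage1_decode(d1, 18, "Rising_Hopper!", out);
    puts(out);
    stage2_decode(d2, 5, 19683, 0x8000000BU, out); /* first five values only */
    puts(out);
    return 0;
}
```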