BUU初次做题 4题（reverse）

链接：https://pan.baidu.com/s/1Xwb0pfiRjo-V2_x0044pdQ
提取码：l1jz
四道题的exe
1.easyre
这是最基础的逆向题，使用ida打开
找到主函数后

F5查看伪代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int b; // [rsp+28h] [rbp-8h]
  int a; // [rsp+2Ch] [rbp-4h]

  _main();
  scanf("%d%d", &a, &b);
  if ( a == b )
    printf("flag{this_Is_a_EaSyRe}");
  else
    printf("sorry,you can't get flag");
  return 0;
}

找到flag{this_Is_a_EaSyRe}
2.reverse1
ida运行，找到主函数，查看伪代码，不断跟进

uintptr_t sub_140013E50()
{
  uintptr_t result; // rax
  uintptr_t v1; // [rsp+20h] [rbp-28h]
  struct _FILETIME SystemTimeAsFileTime; // [rsp+28h] [rbp-20h]
  LARGE_INTEGER PerformanceCount; // [rsp+30h] [rbp-18h]

  SystemTimeAsFileTime = 0i64;
  if ( _security_cookie == 47936899621426i64 )
  {
    GetSystemTimeAsFileTime(&SystemTimeAsFileTime);
    v1 = (uintptr_t)SystemTimeAsFileTime;
    v1 ^= GetCurrentThreadId();
    v1 ^= GetCurrentProcessId();
    QueryPerformanceCounter(&PerformanceCount);
    v1 ^= PerformanceCount.QuadPart ^ ((unsigned __int64)PerformanceCount.LowPart << 32);
    v1 ^= (unsigned __int64)&v1;
    v1 &= 0xFFFFFFFFFFFFui64;
    if ( v1 == 47936899621426i64 )
      v1 = 47936899621427i64;
    _security_cookie = v1;
    result = ~v1;
    qword_14001C018 = ~v1;
  }
  else
  {
    result = ~_security_cookie;
    qword_14001C018 = ~_security_cookie;
  }
  return result;
}

在这里看到代码很复杂，查看字符串shift+F12，看到flag
找到函数

F5查看伪代码，发现在与str2比较，跟进，看到

又根据伪代码，ASC中111对应o，48对应0，替换

flag{hell0_w0rld}
3.reverse2
这个题跟1相似
打开后直接F5查看伪代码，找到后面的flag跟进

之后根据ASC 105-i,114-r,49-1

flag{hack1ng_fo1_fun}
4.内涵的软件
这个先试了一下64位的ida，不行。又用32位的ida打开
找到关键函数，使用F5查看伪代码

int main_0()
{
  int result; // eax
  char v1; // [esp+4Ch] [ebp-Ch]
  const char *v2; // [esp+50h] [ebp-8h]
  int v3; // [esp+54h] [ebp-4h]

  v3 = 5;
  v2 = "DBAPP{49d3c93df25caad81232130f3d2ebfad}";
  while ( v3 >= 0 )
  {
    printf(&byte_4250EC, v3);
    sub_40100A();
    --v3;
  }
  printf(asc_425088);
  v1 = 1;
  scanf("%c", &v1);
  if ( v1 == 89 )
  {
    printf(aOd);
    result = sub_40100A();
  }
  else
  {
    if ( v1 == 78 )
      printf(&byte_425034);
    else
      printf(&byte_42501C);
    result = sub_40100A();
  }
  return result;
}

对比一下，发现与程序正常打开，v2完全没有用处，直接
flag{v2大括号内数据}答案正确
flag{49d3c93df25caad81232130f3d2ebfad}