A First Look at Dynamic Debugging

Problems

[MTCTF 2021]Random

Dynamic debugging

Set a breakpoint at the second rand() call: rand() returns its value in EAX, and AL is then used for the XOR. Run with F9, ignoring the divide-by-zero at the div instruction. Run to the breakpoint with F9 and step over with F8; each rand() value is the low 8 bits of EAX.

```python
# rand() low bytes (AL) captured at the breakpoint, one per character
random=[0x58,0xa1,0xCB,0xE9,0xED,0x2C,0xEC,0xFB,0xE9,0xC4,0x16,0x97,0x99,0xb1,0xa4,0xe9,0xc3,0xc6,0x80,0xBF,0x3e,0x44,0x18,0x2e,0x73,0x56,0x52,0xB8,0x5B,0x66,0xED,0xBC,0x8a,0xd8,0x36,0x8f,0xe6,0xd3,0xb1,0x51,0xb9,0x59,0xd3,0x5a]
# ciphertext the program compares the XORed input against
ans=[0x3E, 0xCD, 0xAA, 0x8E, 0x96, 0x1F, 0x89, 0xCD, 0xDB, 0xF1, 0x70, 0xF2, 0xA9, 0x9C, 0xC2, 0x8B, 0xF2, 0xFE, 0xAD, 0x8B, 0x58, 0x7C, 0x2F, 0x03, 0x4A, 0x65, 0x31, 0x89, 0x76, 0x57, 0x88, 0xDF, 0xB8, 0xE9, 0x01, 0xE9, 0xDE, 0xE5, 0x86, 0x68, 0x8F, 0x24, 0xD3, 0x5A]
flag=[]
for i in range(len(ans)):
    flag.append(chr(random[i]^ans[i]))   # XOR is its own inverse: undo it byte by byte
ot="".join(flag)
print(ot)
```

[HNCTF 2022 WEEK2]getflag

Dynamic debugging: patch 99999999 to 1 and run with F9.

[BJDCTF 2020]Easy

The flag is inside _ques; _time seems useless, so patch it to _ques and debug…

[NTACTF2023]不会动调的不是好逆向选手 ("if you can't debug dynamically, you're not a good reverser")

Open it in OD; the _vbavartsteq function turns out to be the string comparison function, with the correct string and the input string in edx and eax respectively, so inspect each. Searching the stack turns up "BoBo" and "A6D3A6D3".

[HNCTF 2022 WEEK2]Try2Bebug_Plus

Remote debugging from Kali: patch sleep() to 0 s and read v3 directly.

[watevrCTF 2019]esreveR

Very complex encryption, so go straight to the comparison function. Set a breakpoint on the function's first line and debug; the arguments turn out to be pushed onto the stack. The first six arguments are in the registers rdi, rsi, rdx, rcx, r8 and r9, which yields the flag prefix; the rest are found on the stack. Shift+E exports them, then just print.

```python
# argument bytes exported from the six registers and the stack slots;
# the trailing 192 lies past the closing '}' of the flag
enc=[123,101,115,114,101,118,101,114,95,114,101,118,101,114,115,101,100,95,121,111,117,116,117,98,101,46,99,111,109,47,119,97,116,99,104,63,118,61,73,56,105,106,98,52,90,101,101,53,69,125,192]
for i in enc:
    print(chr(i),end='')
```
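The register-and-stack reconstruction described above, as an added example that is not part of the original writeup: under the x86-64 System V convention a function taking one char per argument receives the first six in rdi, rsi, rdx, rcx, r8, r9 and the rest in 8-byte stack slots, and only the low byte of each holds the character. The register values and stack dump below are constructed to mimic that layout (with junk in the upper bytes and one noise slot after the last argument, like the stray 192 in the exported list).

```python
import struct

# x86-64 System V: the first six integer arguments arrive in these registers,
# in this order; the seventh onward sit on the stack at [rsp+8], [rsp+16], ...
# when stopped on the callee's first instruction ([rsp] holds the return address).
ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")

def recover_char_args(regs, stack_dump):
    """Rebuild the byte string a function receives one char per argument.

    regs: {register name: 64-bit value} captured at the breakpoint.
    stack_dump: raw little-endian bytes read from rsp (return address first).
    A char argument occupies only the low byte of its register or stack slot;
    the upper bytes are whatever the caller left there, so mask them off.
    """
    out = bytearray(regs[r] & 0xFF for r in ARG_REGS)
    nslots = (len(stack_dump) - 8) // 8          # whole qwords after the return address
    for (q,) in struct.iter_unpack("<Q", stack_dump[8:8 + 8 * nslots]):
        out.append(q & 0xFF)
    return bytes(out)

def flag_from_args(raw):
    """Cut the recovered bytes at the closing brace; anything after it is stack noise."""
    end = raw.find(b"}")
    return raw[: end + 1].decode("ascii") if end >= 0 else raw.decode("latin-1")

# --- constructed sample (not a real capture): the 50-char string from the
# exported bytes, spread over the argument registers and stack slots ---
SAMPLE = b"{esrever_reversed_youtube.com/watch?v=I8ijb4Zee5E}"
JUNK = 0x00007FFFDEAD0000                        # plausible leftover upper bytes
SAMPLE_REGS = {r: JUNK | c for r, c in zip(ARG_REGS, SAMPLE)}
SAMPLE_STACK = struct.pack("<Q", 0x401234)       # return address at [rsp]
SAMPLE_STACK += b"".join(struct.pack("<Q", JUNK | c) for c in SAMPLE[6:])
SAMPLE_STACK += struct.pack("<Q", JUNK | 0xC0)   # one slot of noise past the last argument

if __name__ == "__main__":
    raw = recover_char_args(SAMPLE_REGS, SAMPLE_STACK)
    print(raw)
    print(flag_from_args(raw))
```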

[NISACTF 2022]tears_confusion

After a long time tracing in the debugger, I found that at 0x4022C7 the plaintext is compared directly. The flag sits in eax; press F8 several times to obtain the flag. The exp was not written by me.

```python
# bytes read from eax at the comparison at 0x4022C7
flag = [0x66, 0x33, 0x37, 0x39, 0x10, 0x65, 0x61, 0x66, 0x33, 0x63, 0x38, 0x33, 0x31, 0x62, 0x30, 0x34, 0x64, 0x65, 0x31, 0x35, 0x33, 0x34, 0x36, 0x39, 0x64, 0x31, 0x62, 0x65, 0x63, 0x33, 0x34, 0x35, 0x65]
for i in flag:
    print(chr(i), end="")
print("}", end="")   # closing brace is not part of the compared bytes
```

[HGAME 2022 week4]WOW

Applied a hot patch and found complex encryption, but there is a decryption section below it; change Buf to enc and it decrypts. 《猫中毒》 gets a thumbs-up.

[SWPUCTF 2023 Fall Freshman Contest]Redirect

One approach is to change the control flow directly; the other is to take on the encryption algorithm head-on:

```python
from Crypto.Cipher import ARC4   # pycryptodome

# ciphertext extracted from the binary
enc=bytes([0x4F,0x11,0x28,0x6A,0x51,0x8C,0x30,0xA1,0x1D,0xAD,0xA3,0x73,0xE9,0x79,0xDE,0x78,0x2F,0xB3,0x1D,0x10,0x18,0x50,0x6E,0x68,0x6A,0x20,0x5A,0x51,0x82,0x82,0x9C,0xDB,0xE1,0xA7,0xEE,0xA4,0x4C,0xD3,0x0B,0x68,0xE6,0xD8,0x2B,0x6C,0xDF,0x76,0xE3,0x1B,0x52,0x89,0xCE,0x4B,0x47,0x4F,0x42,0x83,0x72,0x9B,0xB6,0x94,0x19,0x32,0x85,0xE1])
key=b'nSsCtf2023'
m=ARC4.new(key)
flag=m.decrypt(enc)   # RC4 is a symmetric stream cipher: decrypting is the same keystream XOR
print(flag)
```

[SWPUCTF 2023 Fall Freshman Contest]IDA Dynamic Debugging

Enter the ff1 function and step over Flag::set and ssss; v2 is an address, so look in the heap.

[MoeCTF 2021]time2go

Patch out the two time_sleep functions; dynamic debugging yields the first half of the flag, and the second half is found in main_fun2.