考点动态调试查壳无壳进入ida整个程序是byte_402008的前28字节由sub_401160加密后存入Text中最后输出到屏幕上直接运行看能否得到flag显然得不到byte_402008而加密只用了28字节太短了所以显示不出flag方法一静态分析分析sub_591160根据伪代码写出解密脚本题目给Text长度128那就加密128字节看能否输出flag#include stdio.h int __cdecl sub_1A1000(unsigned __int8 *a1, char *a2) { int v3; // [esp0h] [ebp-8h] unsigned __int8 v4; // [esp4h] [ebp-4h] if ( (int)(unsigned __int8)*a2 3 0x1E ) { v4 a2[3] 0x3F | ((a2[2] 0x3F) 6); v3 4; } else if ( (int)(unsigned __int8)*a2 4 0xE ) { v4 a2[2] 0x3F | ((a2[1] 0x3F) 6); v3 3; } else if ( (int)(unsigned __int8)*a2 5 6 ) { v4 a2[1] 0x3F | ((*a2 0x1F) 6); v3 2; } else { v4 *a2; v3 1; } *a1 v4; return v3; } unsigned int __cdecl sub_1A1160(char *a1, char *a2, unsigned int a3) { unsigned int i; // [esp4h] [ebp-4h] for ( i 0; i a3; i ) { a2 sub_1A1000((unsigned __int8 *)a1, a2); //加上(unsigned __int8 *)。sub_1A1000 第一个参数是 unsigned __int8 *传进去的 a1 是 char *类型不匹配会报编译报错只加了个强制类型转换 if ( !*a1 ) break; } return i; } int main() { char ida_chars[176] { 0xE0, 0x81, 0x89, 0xC0, 0xA0, 0xC1, 0xAE, 0xE0, 0x81, 0xA5, 0xC1, 0xB6, 0xF0, 0x80, 0x81, 0xA5, 0xE0, 0x81, 0xB2, 0xF0, 0x80, 0x80, 0xA0, 0xE0, 0x81, 0xA2, 0x72, 0x6F, 0xC1, 0xAB, 0x65, 0xE0, 0x80, 0xA0, 0xE0, 0x81, 0xB4, 0xE0, 0x81, 0xA8, 0xC1, 0xA5, 0x20, 0xC1, 0xA5, 0xE0, 0x81, 0xAE, 0x63, 0xC1, 0xAF, 0xE0, 0x81, 0xA4, 0xF0, 0x80, 0x81, 0xA9, 0x6E, 0xC1, 0xA7, 0xC0, 0xBA, 0x20, 0x49, 0xF0, 0x80, 0x81, 0x9F, 0xC1, 0xA1, 0xC1, 0x9F, 0xC1, 0x8D, 0xE0, 0x81, 0x9F, 0xC1, 0xB4, 0xF0, 0x80, 0x81, 0x9F, 0xF0, 0x80, 0x81, 0xA8, 0xC1, 0x9F, 0xF0, 0x80, 0x81, 0xA5, 0xE0, 0x81, 0x9F, 0xC1, 0xA5, 0xE0, 0x81, 0x9F, 0xF0, 0x80, 0x81, 0xAE, 0xC1, 0x9F, 0xF0, 0x80, 0x81, 0x83, 0xC1, 0x9F, 0xE0, 0x81, 0xAF, 0xE0, 0x81, 0x9F, 0xC1, 0x84, 0x5F, 0xE0, 0x81, 0xA9, 0xF0, 0x80, 0x81, 0x9F, 0x6E, 0xE0, 0x81, 0x9F, 0xE0, 0x81, 0xA7, 0xE0, 0x81, 0x80, 0xF0, 0x80, 0x81, 0xA6, 0xF0, 0x80, 0x81, 0xAC, 0xE0, 0x81, 0xA1, 0xC1, 0xB2, 0xC1, 0xA5, 0xF0, 0x80, 0x80, 0xAD, 0xF0, 0x80, 0x81, 0xAF, 0x6E, 0xC0, 0xAE, 0xF0, 0x80, 0x81, 0xA3, 0x6F, 0xF0, 0x80, 0x81, 0xAD, 0x00 }; char Text[128]{0}; // [esp0h] [ebp-84h] BYREF unsigned int v6; // [esp80h] [ebp-4h] v6 sub_1A1160(Text, ida_chars, 128); Text[v6] 0; printf(%s, Text); return 0; }方法二动态调试将280x1C改为175(0xAF)先在1C处下断点F运行1C改为AFF9运行得到完整flagflag{I_a_M_t_h_e_e_n_C_o_D_i_n_gflare-on.com}