当前位置：首页 > news >正文

企业网站带后台什么网比较好

news 2026/4/9 20:16:45

企业网站带后台,什么网比较好,网站开发的体会,杭州网站建设培训分析直接在IDA中打开#xff0c;找到 main 函数程序一开始需要我们输入一串 10 位长的密码#xff0c;然后拼接字符串成 “flag-****.txt” 的形式#xff0c;然后打开这个文件#xff0c;读入数据到内存。实际上这个就是 flag 文件#xff0c;只有当满足后续条件时找到 main 函数程序一开始需要我们输入一串 10 位长的密码然后拼接字符串成 “flag-****.txt” 的形式然后打开这个文件读入数据到内存。实际上这个就是 flag 文件只有当满足后续条件时程序就会打印出来。这个条件就是输入一段passcode让程序输出 “Binggo” 。大致看上去后面的这几个函数是与虚拟机有关的。作者自己编写了一套简易的虚拟机用户输入的 passcode 就是虚拟机执行的代码。我已经重定义了部分函数名现在重点关注Dispatcher 这个函数。这是虚拟机的分派函数主要工作就是根据输入的操作码跳转到对应的操作函数里执行。观察第二个 for 循环可以猜测出一共有 9 种操作函数。现在我们想要知道哪一种字符对应哪一种操作。先动态调试然后找出 *(a1 *(a1 4 * (j 72LL) 8) 408) j 从 0 变化到 8 的所有数据然后再找到所有满足条件的 v2 的取值。这一步的 IDC脚本为 auto j;auto a10x18d8440;for(j0;j8;j){Message(0x%x,,Byte(a1Byte(a14*(j72)8)408));}再将 byte_603900 的数据也 dump 下来转用python处理。 python脚本为 data[0x2,0x0,0x0,0xe,0x16,0x54,0x20,0x18,0x11,0x45,0x50,0x59,0x58,0x53,0x0,0x8,0x44,0x2d,0x46,0x39,0x0,0x54,0x42,0x1,0x3c,0xf,0x0,0x7,0x17,0x0,0x56,0x21,0x0,0x37,0x6d,0x2b,0x2a,0x6e,0x59,0x5d,0x47,0x3a,0x4a,0x34,0x44,0x48,0x43,0x6c,0x3f,0x59,0x25,0x33,0x55,0x2f,0x31,0x68,0x27,0x34,0x7c,0x28,0x67,0x59,0x0,0x52,0x0,0x26,0x0,0x3e,0x56,0x4e,0x33,0x21,0x45,0x6d,0x60,0x39,0x46,0x72,0x6d,0x4d,0x54,0x40,0x0,0x74,0x57,0x73,0x72,0x7a,0x47,0x45,0x0,0x71,0x0,0x4a,0x35,0x70,0x3b,0x36,0x2e,0x26,0x2c,0x6c,0x4a,0x0,0x7c,0x63,0x35,0x57,0x4d,0x41,0x43,0x62,0x0,0x68,0x37,0x0,0x5a,0x6a,0x6b,0x7c,0x29,0x69,0x4c,0x70,0x50,0x71,0x26,0x36,0x3c,0x6,0x1b,0x0,0x3c,0x30,0x0,0x0,0x0,0x4c,0xb,0x4b,0x48,0x8,0x54,0x47,0x12,0x9,0x24,0x0,0x0,0x24,0x40,0xd,0x39,0x6,0x5c,0x2c,0x1a,0x2d,0xa,0x38,0x35,0x37,0x16,0x3b,0x0,0x24,0x48,0x0,0x49,0x0,0x37,0x8,0x1f,0x24,0x45,0x1d,0x11,0x40,0x2f,0x4a,0x8,0x15,0x0,0x11,0x0,0x1a,0x22,0x41,0x52,0x5b,0xb,0x45,0x31,0x19,0x43,0x19,0x1e,0xa,0x21,0x5,0x4d,0x59,0x38,0x34,0x9,0x36,0x2f,0x43,0x2,0x53,0x12,0x2f,0x4c,0x21,0xd,0x3c,0x31,0x2e,0x37,0x8,0x30,0x29,0x32,0x2f,0x0,0x1a,0x14,0x41,0x53,0x15,0x21,0x0,0x8,0x13,0x38,0x5c,0x36,0x3b,0x50,0x0,0x2f,0x1e,0x57,0x0,0x30,0x2e,0xc,0x2e,0x37,0x52,0x1c,0x33,0x34,0x11,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0]inpt[0x2a,0x27,0x3e,0x5a,0x3f,0x4e,0x6a,0x2b,0x28]indx[]for ch in inpt:indx.append(chr(data.index(ch)))print indx得到调用相关操作函数的字符串有 [’$’, ‘8’, ‘C’, ‘t’, ‘0’, ‘E’, ‘u’, ‘#’, ‘;’] 动态调试中发现 *(a1 672) *(a1 8 * (*(a1 4 * (j 72LL) 8) 84LL) 8);(*(a1 672))(a1);先修改函数地址的最低一个字节然后调用该地址。到这里有两种方法可以找出这9个操作函数 1.回到 main 函数中对 correct 变量进行交叉引用就时会来到修改它的函数中再对该函数进行一次交叉引用就来到了函数列表中。 2.重新调试输入上面得到的9个字符动态跟踪也行函数列表结合动态分析可以得出字符与操作函数的对应关系 $-sub_400DC18-sub_400E7AC-sub_400F3At-sub_4010640-sub_4011C9E-sub_40133Du-sub_4012F3#-sub_4014B9;-sub_400CF1审计一下这些函数为了方便阅读。令 a1288indexa1292index_max*(_BYTE *)(*(_QWORD *)(a1 280) *(signed int *)(a1 288) *(_QWORD *)a1)data[index]*(char *)(a1 664)input[i]*(_BYTE *)(a1 665) tmp*(*(a1 8) *(a1 288))data[index]这些都可以通过动态调试得到他们的对应关系这样我们就可以清晰地了解这9个操作函数的作用了分别是 $-sub_400DC1:tmpdata[index]8-sub_400E7A:data[index]tmpC-sub_400F3A:tmpinput[i]-33t-sub_401064:tmp-input[i]330-sub_4011C9:indexE-sub_40133D:checku-sub_4012F3:--index#-sub_4014B9:data[index]input[indexinput[i]-48]-49;-sub_400CF1:for(int j0;jinput[i];j)indexdata[index]input[indexinput[i]-48]-49从 sub_40133D 这个函数中可以知道我们要使程序将 “data[20] ‘PaF0!Prv}H{ojDQ#7v’ ” 变为 “Binggo” 才能得到flag。我是从头开始构造passcode的过程如下首先是 $,使得 tmpdata[index]此时 index0 就会得到 tmp‘P’ 。此时我们观察 P的 ASCII 是 80 B 的 ASCII 是 66 P B 选择 t 操作。此时再来计算一下这个方程 80-input[i]3366 得到 input[i]‘/’ 所以将 P 转为 B 的 passcode$t/80 同理得到 a - i: $C)80F-n:$CI800-g:$CX80!-g:$Cg80-o:$Cj80注意字符串末尾是 NULL 但不能用前面的构造方式因为 sub_400F3A 得到的是不可见字符而 sub_401064 有 NULL 的检查只能选用 sub_4014B9 操作所以完整的passcode如下 $t/80$C)80$CI80$CX80$Cg80$Cj80#J1uuuuuuEs总结 VM 的运作流程分派器dispatcher解析字节码bytecode调用对应的操作函数handler。VM 一般的结构包含寄存器堆栈操作函数字节码逆向 VM 时先要整体感知其结构明确字节码对应的操作以及每个操作都做些什么这常常需要多多调试。所以可见VM 逆向是非常磨人的 orz ヽ(´¬)ノ

查看全文

http://www.w-s-a.com/news/248507/