hgame2022re week1
作者:互联网
easyasm
16位的汇编,最后看里面的逻辑
附件在这里:链接:https://pan.baidu.com/s/12Sk92AvtXV0rzaRmiBoKFA 提取码:h0r1
ida pro打开
通过分析这张图,我们可以知道在1处进行对比后若正确则走3处直接输出,若没有比对成功就走2处,由此循环直到si==1Ch,所以我们只需要分析2处是怎么处理的
seg003:0000 public start
seg003:0000 start proc near ; entry point; the proc continues past this excerpt (loc_10135, the exit taken once every byte matched, is not shown)
seg003:0000 mov ax, seg dseg
seg003:0003 mov ds, ax ; ds = dseg: the segment the bare [si] loads below read from (DS is the default segment for [si])
seg003:0005 assume ds:dseg
seg003:0005 mov ax, seg seg001
seg003:0008 mov es, ax ; es = seg001: the table of expected bytes compared against at 0034
seg003:000A assume es:seg001
seg003:000A mov si, 0 ; si = byte index into both segments
seg003:000D
seg003:000D loc_100DD: ; CODE XREF: start+38↓j ; loop head: one input byte per iteration
seg003:000D cmp si, 1Ch
seg003:0010 jz short loc_10135 ; all 28 (1Ch) bytes matched -> leave the loop
seg003:0012 xor ax, ax
seg003:0014 mov al, [si] ; al = ds:[si], the current input byte (ah = 0 from the xor)
seg003:0016 shl al, 1 ; four shl's: al <<= 4; the low nibble moves up, the high nibble is shifted out (al is 8-bit)
seg003:0018 shl al, 1
seg003:001A shl al, 1
seg003:001C shl al, 1
seg003:001E push ax ; save (byte << 4) & 0FFh
seg003:001F xor ax, ax
seg003:0021 mov al, [si] ; reload the same input byte
seg003:0023 shr al, 1 ; four shr's: al >>= 4; the high nibble moves down
seg003:0025 shr al, 1
seg003:0027 shr al, 1
seg003:0029 shr al, 1
seg003:002B pop bx ; bx = (byte << 4) & 0FFh
seg003:002C add ax, bx ; the two halves have no overlapping set bits, so add == or: ax = byte with its nibbles swapped
seg003:002E xor ax, 17h ; ax ^= 17h
seg003:0031 add si, 1 ; index advanced before the compare, hence [si-1] on the next line
seg003:0034 cmp al, es:[si-1] ; transformed input byte vs seg001[si-1], the expected value for the index just processed
seg003:0038 jz short loc_100DD ; match -> next byte
seg003:003A mov ax, 0B800h ; mismatch: es = 0B800h and "wrong!" is written below, one character per even offset
seg003:003D mov es, ax
seg003:003F assume es:nothing
seg003:003F mov byte ptr es:0, 77h ; 'w'
seg003:0045 mov byte ptr es:2, 72h ; 'r'
seg003:004B mov byte ptr es:4, 6Fh ; 'o'
seg003:0051 mov byte ptr es:6, 6Eh ; 'n'
seg003:0057 mov byte ptr es:8, 67h ; 'g'
seg003:005D mov byte ptr es:0Ah, 21h ; '!'
seg003:0063
结合对汇编语言的分析我的结论如下:
seg003:0000 public start
seg003:0000 start proc near
seg003:0000 mov ax, seg dseg
seg003:0003 mov ds, ax
seg003:0005 assume ds:dseg
seg003:0005 mov ax, seg seg001 // ax = segment address of seg001
seg003:0008 mov es, ax // es = seg001 (the expected-byte table)
seg003:000A assume es:seg001
seg003:000A mov si, 0 // si = 0, the byte index
seg003:000D
seg003:000D loc_100DD: ; CODE XREF: start+38↓j
seg003:000D cmp si, 1Ch // compare si with 1Ch (cmp is a subtraction that only sets the flags)
seg003:0010 jz short loc_10135 // equal (all 28 bytes checked) -> jump out; per the author's analysis that path prints "right"
seg003:0012 xor ax, ax // ax ^= ax, i.e. ax = 0
seg003:0014 mov al, [si] // al = ds:[si]: a bare [si] operand uses DS (dseg, set above), so this is the input byte, not the es:[si] table
seg003:0016 shl al, 1 // logical shift left; the four of them shift al by 4 in total
seg003:0018 shl al, 1
seg003:001A shl al, 1
seg003:001C shl al, 1
seg003:001E push ax // push the shifted value on the stack
seg003:001F xor ax, ax // clear ax again
seg003:0021 mov al, [si]
seg003:0023 shr al, 1 // logical shift right; the four of them shift al by 4 in total
seg003:0025 shr al, 1
seg003:0027 shr al, 1
seg003:0029 shr al, 1
seg003:002B pop bx // bx = the value pushed above
seg003:002C add ax, bx // add it to the current ax; the set bits do not overlap, so this equals OR: the byte's two nibbles are swapped
seg003:002E xor ax, 17h // finally XOR with 17h
seg003:0031 add si, 1 // si += 1, i.e. step to the next array element
seg003:0034 cmp al, es:[si-1] // compare the transformed byte with es:[si-1]: si was just incremented, so this is the seg001 byte at the index that was processed
seg003:0038 jz short loc_100DD // equal -> back to the loop head
seg003:003A mov ax, 0B800h
seg003:003D mov es, ax
seg003:003F assume es:nothing
seg003:003F mov byte ptr es:0, 77h ; 'w'
seg003:0045 mov byte ptr es:2, 72h ; 'r'
seg003:004B mov byte ptr es:4, 6Fh ; 'o'
seg003:0051 mov byte ptr es:6, 6Eh ; 'n'
seg003:0057 mov byte ptr es:8, 67h ; 'g'
seg003:005D mov byte ptr es:0Ah, 21h ; '!'
结合这些推测,我们找到 seg001 中存放的被比较数据:
seg001:0000 assume es:nothing, ss:nothing, ds:dseg, fs:nothing, gs:nothing
seg001:0000 db 91h ; expected[0]; the 28 bytes at 0..1Bh (1Ch = the loop bound in start) are compared one per iteration against swapnibbles(input) ^ 17h
seg001:0001 db 61h ; a
seg001:0002 db 1
seg001:0003 db 0C1h
seg001:0004 db 41h ; A
seg001:0005 db 0A0h
seg001:0006 db 60h ; `
seg001:0007 db 41h ; A
seg001:0008 db 0D1h
seg001:0009 db 21h ; !
seg001:000A db 14h
seg001:000B db 0C1h
seg001:000C db 41h ; A
seg001:000D db 0E2h
seg001:000E db 50h ; P
seg001:000F db 0E1h
seg001:0010 db 0E2h
seg001:0011 db 54h ; T
seg001:0012 db 20h
seg001:0013 db 0C1h
seg001:0014 db 0E2h
seg001:0015 db 60h ; `
seg001:0016 db 14h
seg001:0017 db 30h ; 0
seg001:0018 db 0D1h
seg001:0019 db 51h ; Q
seg001:001A db 0C0h
seg001:001B db 17h ; 17h ^ 17h = 0 after undoing the XOR, so the 28th input byte must be 00h (presumably the string terminator)
seg001:001C db 0 ; padding beyond the compared range
seg001:001D db 0
seg001:001E db 0
seg001:001F db 0
seg001:001F seg001 ends
在hex窗口提取这些数据
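# Expected bytes read from seg001 (offsets 0..1Bh): 28 entries, matching the
# loop bound `cmp si, 1Ch` in start.
xx = [0x91, 0x61, 0x01, 0xC1, 0x41, 0xA0, 0x60, 0x41, 0xD1, 0x21, 0x14, 0xC1, 0x41, 0xE2,
      0x50, 0xE1, 0xE2, 0x54, 0x20, 0xC1, 0xE2, 0x60, 0x14, 0x30, 0xD1, 0x51, 0xC0, 0x17]


def decode(expected, key=0x17):
    """Invert the check in `start`.

    The binary nibble-swaps each input byte and XORs it with `key` before
    comparing it with the expected table, so undoing it is XOR first, then
    swap the nibbles back (the swap is its own inverse).

    Args:
        expected: iterable of byte values (0..255) as stored in seg001.
        key: the XOR constant (17h in this binary).

    Returns:
        The decoded string, one character per input byte; an entry equal to
        `key` decodes to '\\x00'.
    """
    out = []
    for v in expected:
        v ^= key
        hi = (v << 4) & 0xFF   # low nibble -> high; mask keeps the value in 8 bits
        lo = v >> 4            # high nibble -> low
        out.append(chr(hi | lo))
    return ''.join(out)


# The 28th expected byte is 17h, which decodes to 00h: the checked input ends
# with a NUL, so strip it instead of printing an invisible character.
flag = decode(xx).rstrip('\x00')
print(flag)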
得flag:hgame{welc0me_to_4sm_w0rld}