BUU[FlareOn6]Overlong

分析

查壳,发现32位,然后去IDA去看看在干嘛

image-20220424194407971

看见MessageBoxA之后就想到了OD,之前做crackme时也见过这样的消息盒

然后去看一下unk_402008这个函数

image-20220424194559284

然后去看看sub_401160函数

image-20220424194652105

这里可以看到unk_402008这个数组的成员远远不止28位

但是这里再累加,就会发现这里会溢出来,于是就去OD看看

image-20220424195054826

方法一

这个地方是设定unk_402008这个数组大小的,我们将它改成对应的值(见下图)。image-20220424195227391

(AF对应10进制数为175)

然后保存后去运行一下

image-20220424195412478

得到了flag

方法二

去看看sub_401000函数

image-20220424194723718

然后发现,好像不缺什么,只要把这个Text输出就OK了,于是就写脚本

#include <stdio.h>
#include <string.h>
#include<stdint.h>
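/* Overlong-UTF-8-encoded message lifted from the target's .data section:
 * 175 bytes (0xAF, the value method 1 patches in as the array length).
 * A trailing 0x00 is appended here so that strlen() in main and the
 * stop-on-NUL check in sub_401160 terminate inside this object instead of
 * depending on whatever happens to follow it in memory. */
unsigned char dword_402008[]={
0xE0,0x81,0x89,0xC0,0xA0,0xC1,0xAE,0xE0,0x81,0xA5,
0xC1,0xB6,0xF0,0x80,0x81,0xA5,0xE0,0x81,0xB2,0xF0,
0x80,0x80,0xA0,0xE0,0x81,0xA2,0x72,0x6F,0xC1,0xAB,
0x65,0xE0,0x80,0xA0,0xE0,0x81,0xB4,0xE0,0x81,0xA8,
0xC1,0xA5,0x20,0xC1,0xA5,0xE0,0x81,0xAE,0x63,0xC1,
0xAF,0xE0,0x81,0xA4,0xF0,0x80,0x81,0xA9,0x6E,0xC1,
0xA7,0xC0,0xBA,0x20,0x49,0xF0,0x80,0x81,0x9F,0xC1,
0xA1,0xC1,0x9F,0xC1,0x8D,0xE0,0x81,0x9F,0xC1,0xB4,
0xF0,0x80,0x81,0x9F,0xF0,0x80,0x81,0xA8,0xC1,0x9F,
0xF0,0x80,0x81,0xA5,0xE0,0x81,0x9F,0xC1,0xA5,0xE0,
0x81,0x9F,0xF0,0x80,0x81,0xAE,0xC1,0x9F,0xF0,0x80,
0x81,0x83,0xC1,0x9F,0xE0,0x81,0xAF,0xE0,0x81,0x9F,
0xC1,0x84,0x5F,0xE0,0x81,0xA9,0xF0,0x80,0x81,0x9F,
0x6E,0xE0,0x81,0x9F,0xE0,0x81,0xA7,0xE0,0x81,0x80,
0xF0,0x80,0x81,0xA6,0xF0,0x80,0x81,0xAC,0xE0,0x81,
0xA1,0xC1,0xB2,0xC1,0xA5,0xF0,0x80,0x80,0xAD,0xF0,
0x80,0x81,0xAF,0x6E,0xC0,0xAE,0xF0,0x80,0x81,0xA3,
0x6F,0xF0,0x80,0x81,0xAD,
0x00}; /* explicit terminator, not part of the original 175 data bytes */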

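/*
 * Decode one (possibly overlong) UTF-8 sequence starting at a2, mirroring
 * the target's sub_401000.
 *
 * The lead byte alone selects the sequence length (4-, 3-, 2- or 1-byte
 * form, tested in that order). Continuation bytes are not checked for the
 * 10xxxxxx form and overlong encodings are accepted on purpose -- that is
 * exactly what the challenge relies on. Only the low 8 bits of the decoded
 * value are stored in *a1.
 *
 * a1: receives the decoded byte.
 * a2: points at the lead byte. Up to three further bytes are read with no
 *     bound check, so the caller must guarantee they are readable (e.g. by
 *     zero-padding the end of the input).
 * Returns the number of input bytes consumed (1..4).
 */
int sub_401000(unsigned char* a1, unsigned char *a2)
{
    unsigned int cp;   /* decoded value before truncation to one byte */
    int used;          /* bytes consumed from a2 */

    if ( *a2 >> 3 == 30 )               /* 11110xxx: 4-byte form */
    {
        cp = (a2[3] & 0x3Fu) | ((a2[2] & 0x3Fu) << 6) | ((a2[1] & 0x3Fu) << 12) | ((*a2 & 7u) << 18);
        used = 4;
    }
    else if ( *a2 >> 4 == 14 )          /* 1110xxxx: 3-byte form */
    {
        cp = (a2[2] & 0x3Fu) | ((a2[1] & 0x3Fu) << 6) | ((*a2 & 0xFu) << 12);
        used = 3;
    }
    else if ( *a2 >> 5 == 6 )           /* 110xxxxx: 2-byte form */
    {
        cp = (a2[1] & 0x3Fu) | ((*a2 & 0x1Fu) << 6);
        used = 2;
    }
    else                                /* anything else: taken as a single byte */
    {
        cp = a2[0];
        used = 1;
    }

    /* Truncation of an unsigned value is well-defined, unlike the original
     * int -> char store of an out-of-range value; the kept byte is the same. */
    *a1 = (unsigned char)cp;
    return used;
}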

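/*
 * Decode the sequence at a2 into a1, mirroring the target's sub_401160.
 *
 * Decodes until either a3 output bytes have been produced or the decoder
 * yields a 0 byte (which is stored in a1 but not counted). Note that a3
 * bounds the OUTPUT only; it is not a length for a2. Because each step may
 * consume up to four input bytes, the input must end in a decodable
 * terminator (a 0 byte plus padding) or the reads run past it.
 * a1 must have room for at least a3 bytes; no terminator is appended.
 *
 * Returns the number of non-zero bytes written to a1.
 */
int sub_401160(unsigned char *a1,unsigned char *a2, unsigned int a3)
{
    unsigned int i;   /* unsigned so the compare with a3 is not mixed-sign */

    for ( i = 0; i < a3; ++i )
    {
        a2 += sub_401000(a1, a2);
        unsigned char decoded = *a1++;
        if ( !decoded )
            break;              /* decoded NUL: stop, without counting it */
    }
    return (int)i;
}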

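/*
 * Decode the embedded message and print it.
 *
 * The data is first copied into a zero-padded local buffer: strlen() then
 * stops inside an object we own, sub_401000 (which may read up to three
 * bytes past a lead byte) stays inside the padding, and sub_401160 (which
 * stops only on a decoded 0) hits a NUL before running off the end. The
 * output bound handed to sub_401160 is capped to the Text buffer, since
 * the decoder never writes more than that many bytes.
 */
int main(void){
    unsigned char src[sizeof dword_402008 + 4] = {0};  /* +4: worst-case lookahead */
    unsigned char Text[128] = {0};
    unsigned int len;
    unsigned int v4;

    memcpy(src, dword_402008, sizeof dword_402008);
    len = (unsigned int)strlen((char *)src);
    if (len > sizeof Text - 1)
        len = (unsigned int)(sizeof Text - 1);   /* leave room for the terminator */

    v4 = sub_401160(Text, src, len);
    Text[v4] = 0;
    printf("%s \n", (char *)Text);
    return 0;
}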

得到flag

I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com
总结

解题的方法有很多,要善于观察,比如题目名overlong就提示了这里是“过长”的意思,要往题目方向去想。在OD中查找对应位置时需要结合IDA一起来看。