HDCTF double_code

Analysis

Loading the binary into IDA first, it is not obvious what it does, so look at the strings instead. One of them is about writing into a process, so follow the cross-reference into it.

[screenshot: image-20230425194235242]

Right before the write into the process there must be a step that loads the process module, so click into it and take a look.

[screenshot: image-20230425194627898]

Going into this sub_14001F000 function, it is probably shellcode, so find a way to dump it.

[screenshot: image-20230425195318609]

Then switch to the Hex view, copy the bytes into 010 Editor or WinHex, and save them; after that the shellcode can be viewed.

[screenshot: image-20230425195523576]

Dumped contents

[screenshot: image-20230425195843032]

It is just a simple switch-case structure, so write a script.

Script

#include <stdio.h>
#include <string.h>

int main()
{
    /* Opcode order seen in the shellcode; not used by this script, which
       applies the transforms directly by position (i % 5). */
    int opcode[] = {1, 5, 2, 4, 3};
    (void)opcode;

    /* Bytes copied from the dumped shellcode, NUL-terminated so strlen works. */
    unsigned char flag[] = {
        0x48,0x67,0x45,0x51,0x42,0x7b,0x70,0x6a,0x30,0x68,
        0x6c,0x60,0x32,0x61,0x61,0x5f,0x42,0x70,0x61,0x5b,
        0x30,0x53,0x65,0x6c,0x60,0x65,0x7c,0x63,0x69,0x2d,
        0x5f,0x46,0x35,0x70,0x75,0x7d,0
    };

    /* Each byte is transformed according to its position mod 5;
       position 0 of every group is left untouched. */
    for (int i = 0; i < (int)strlen((char *)flag); i++)
    {
        int tmp = i % 5;
        if (tmp == 1)
        {
            flag[i] ^= 0x23;
        }
        else if (tmp == 2)
        {
            flag[i] -= 2;
        }
        else if (tmp == 3)
        {
            flag[i] += 3;
        }
        else if (tmp == 4)
        {
            flag[i] += 4;
        }
        else if (tmp == 5)
        {
            /* Never reached: i % 5 is always 0..4. Kept from the original transcription. */
            flag[i] += 25;
        }
        printf("%c", flag[i]);
    }
    printf("\n");
    return 0;
} // HDCTF{Sh3llC0de_and_0pcode_al1_e3sy}
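Added here as a check, not part of the original writeup: the same per-position transform written as the switch-case the shellcode uses, together with its inverse, so the recovered flag can be re-encoded and compared byte-for-byte against the dump. The function names are my own; the bytes are the ones dumped above.

```c
#include <string.h>

/* Bytes recovered from the dumped shellcode (copied from the writeup). */
static const unsigned char dumped[] = {
    0x48,0x67,0x45,0x51,0x42,0x7b,0x70,0x6a,0x30,0x68,
    0x6c,0x60,0x32,0x61,0x61,0x5f,0x42,0x70,0x61,0x5b,
    0x30,0x53,0x65,0x6c,0x60,0x65,0x7c,0x63,0x69,0x2d,
    0x5f,0x46,0x35,0x70,0x75,0x7d
};

/* Forward transform applied to the byte at position i, as a switch-case. */
unsigned char decode_byte(unsigned char c, size_t i)
{
    switch (i % 5) {
    case 1: return c ^ 0x23;
    case 2: return c - 2;
    case 3: return c + 3;
    case 4: return c + 4;
    default: return c;   /* i % 5 == 0: byte is left untouched */
    }
}
/* Inverse transform: what the byte looked like before decoding. */
unsigned char encode_byte(unsigned char c, size_t i)
{
    switch (i % 5) {
    case 1: return c ^ 0x23;
    case 2: return c + 2;
    case 3: return c - 3;
    case 4: return c - 4;
    default: return c;
    }
}
/* Decode the dump; returns a NUL-terminated string in a static buffer. */
const char *decode_flag(void)
{
    static char out[sizeof dumped + 1];
    for (size_t i = 0; i < sizeof dumped; i++)
        out[i] = (char)decode_byte(dumped[i], i);
    out[sizeof dumped] = '\0';
    return out;
}
/* Round-trip check: re-encode a candidate flag and compare it with the dump.
   Returns 1 when every byte matches, 0 otherwise. */
int roundtrip_ok(const char *flag)
{
    if (strlen(flag) != sizeof dumped) return 0;
    for (size_t i = 0; i < sizeof dumped; i++)
        if (encode_byte((unsigned char)flag[i], i) != dumped[i]) return 0;
    return 1;
}
```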