With an RE challenge like this, the first reaction should be to find out what kind of file it is: which system it is for, and whether it is a 32-bit or 64-bit file.
My approach is to use a virtual machine to view its information.
You can see that it is a 32-bit file for the Windows system.
Next, run the EXE file under Windows.
After it starts, it asks you to enter the password; if the password is not right, you get check faild!
Next, open the program with 32-bit IDA. There are many callable functions, 5,499 of them.
You can then list the strings in the disassembly directly with SHIFT + F12.
You can see a syc{%s} string, which is the key place we are looking for. Click it to reach the data segment, then click the up arrow next to it to reach the stack area of the key function.
Then press F5 and you can see roughly what the function does.
It turns out you only need to follow its steps in forward order. For this you need to look at the addresses of the v variables and find out what the byte_52e000 array is.
Click into the variables above and you find that the addresses of v16–v23 are contiguous, and the addresses of v8–v15 are contiguous as well.
After you open byte_52e000, you can see its contents in the data segment.
Now I want to get this part of the data out; I'm using Notepad++.
In Notepad++, with Alt + mouse selection, you can remove part of the same as
The data then becomes a single vertical column. Then use Python to convert the numbers to base 10 and replace "\n" with ', '.
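The same extraction can be done directly from text copied out of the IDA listing, without the column-selection step. This is an added example, not part of the original write-up: the listing below is constructed and does not contain the challenge's real bytes, and the function names are assumptions.

```python
import re

# Constructed sample in the style of an IDA data listing. These are NOT the
# challenge's real bytes; they only show the line formats the parser handles.
SAMPLE_LISTING = """\
.data:0052E000 byte_52E000     db 73h                  ; DATA XREF: sub_401000+1C
.data:0052E001                 db  79h ; y
.data:0052E002                 db 'c{',0
.data:0052E005                 db 3 dup(0Ah)
.data:0052E008                 db 125
"""

_DB = re.compile(r"\bdb\s+(.*)$")
# One operand: 'string', "N dup(V)", or a number; followed by ',' ';' or end.
_TOKEN = re.compile(
    r"\s*(?:'([^']*)'|(\w+)\s+dup\s*\(\s*(\w+)\s*\)|(\w+))\s*(,|;|$)")

def parse_number(tok):
    """IDA writes hex as 73h / 0Ah and decimal as plain digits."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok)

def parse_db_listing(text):
    """Return the byte values defined by the 'db' lines, in listing order."""
    values = []
    for line in text.splitlines():
        found = _DB.search(line)
        if not found:
            continue                      # not a data definition line
        operands, pos = found.group(1), 0
        while pos < len(operands):
            tok = _TOKEN.match(operands, pos)
            if not tok:                   # e.g. 'db ?' (uninitialised data)
                raise ValueError("unsupported operand in: " + line)
            literal, count, fill, number, sep = tok.groups()
            if literal is not None:
                values.extend(literal.encode("latin-1"))
            elif count is not None:
                values.extend([parse_number(fill)] * parse_number(count))
            else:
                values.append(parse_number(number))
            pos = tok.end()
            if sep != ",":                # ';' starts a comment, '' is end of line
                break
    return values

def to_c_array(name, values):
    """Format the values as a decimal C initializer, joined with ', '."""
    return "int %s[%d] = {%s};" % (name, len(values), ", ".join(map(str, values)))

if __name__ == "__main__":
    print(to_c_array("m", parse_db_listing(SAMPLE_LISTING)))
```
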
And finally, run the code in forward order.
#include <stdio.h>

int main()
{
    int v16[8] = {7,3,1,8,7,2,3,2}, v8[8] = { -, +, -,1, the, -, -, One};
    int m[ A] = { -, the, -,108, $, $, $,117,111, the, the, the, -, the, -, -, the,102, the,101, the, +};

    /* Apply the eight swaps in forward order: m[v16[i]] <-> m[v8[i]] */
    for (int i = 0; i < 8; i++)
    {
        int v7 = m[v16[i]];
        m[v16[i]] = m[v8[i]];
        m[v8[i]] = v7;
    }
    m[ +] = 0;

    /* Print the resulting characters */
    for (int i = 0; i < A; i++)
        printf("%c", m[i]);
    return 0;
}
Done by Vangelis
2017-Pole Guest RE Windows_3