2017-Pole Guest RE Windows_3

Like this RE-title to see the first reaction should be to find out its information about what it is under the system files, 32-bit or 64-bit machine files

My approach is to use the virtual machine to view its information

You can see that it is a file under a 32-bit machine under the Windows system

Next, open the EXE file under Windows system

After the run, it lets you enter the password, if not the check faild!

Next, open the program with 32-bit IDA and find that there are many callable functions, 5,499

You can then query the disassembly string directly with SHIFT + F12

Can see a syc{%s}, this is the key place we are looking for, after the point to reach the data segment, and then click the up arrow next to the key function of the stack area

And then F5, you can see its rough function.

The discovery just needs to follow its requirements in the positive sequence to do the line, this time need to see the V the address of these variables and find byte_52e000 this array is what

Point open the above a string of variables, and found that the address of v16–v23 is connected, and V8–v15 's address is attached

After you open the byte_52e000, you can see its data segment, you can see its data

Now I'm trying to get this part of the data out, I'm using notepad++.

In notepad++, with Alt + mouse selected, you can remove part of the same as

And then a little bit of data becomes a column of vertical bar, and then use Python to turn the number into 10, and "\ n" replaced with ', '

And finally, the code is running forward.

#include <stdio.h>intMain () {intv16[8] = {7,3,1,8,7,2,3,2}, v8[8] = { -, +, -,1, the, -, -, One}; intm[ A] = { -, the, -,108, $, $, $,117,111, the, the, the, -, the, -, -, the,102, the,101, the, +};  for(inti =0; I <8; i++)    {        intV7 =M[v16[i]]; M[v16[i]]=M[v8[i]]; M[v8[i]]=V7; } m[ +] =0;  for(inti =0; I < A; i++) printf ("%c", M[i]); return 0; } 

Done by Vangelis

2017-Pole Guest RE Windows_3