reversing.kr四道Easy题解题攻略


开篇废话

Nebula的level11做的有点头大,这时大神Jack又发来了逆向的题目,让我赶紧练练。虽然我负责比赛中逆向类的题目,但逆向题一般都比较难,先放出来的题基本都是其他类别,所以我就彻底成了打(跑)辅(龙)助(套)的角色~~~

这次这套题目来自reversing.kr,棒子的逆向挑战网站。话说棒子的Hacking能力还是挺强的,据说是个什么棒子的优选计划搞出来的成果。

本篇就记录一下4道名称是Easy开头题目,分别是Easy Crack、Easy Keygen、Easy Unpack和Easy ELF。这四题难度非常低,熟练地话掌握好节奏感可以蹭蹭蹭的秒题……

Easy Crack

程序启动后输入任意字符会显示一个MessageBox的Incorrect Password。打开OllyDbg,载入程序后查找到目标字符串Incorrect Password,之后转到程序,字符串前后代码如下:

00401080  /$  83EC 64       sub esp,64
00401083  |.  57            push edi
00401084  |.  B9 18000000   mov ecx,18
00401089  |.  33C0          xor eax,eax
0040108B  |.  8D7C24 05     lea edi,dword ptr ss:[esp+5]
0040108F  |.  C64424 04 00  mov byte ptr ss:[esp+4],0
00401094  |.  6A 64         push 64                                  ; /Count = 64 (100.)
00401096  |.  F3:AB         rep stos dword ptr es:[edi]              ; |
00401098  |.  66:AB         stos word ptr es:[edi]                   ; |
0040109A  |.  AA            stos byte ptr es:[edi]                   ; |
0040109B  |.  8B7C24 70     mov edi,dword ptr ss:[esp+70]            ; |
0040109F  |.  8D4424 08     lea eax,dword ptr ss:[esp+8]             ; |
004010A3  |.  50            push eax                                 ; |Buffer
004010A4  |.  68 E8030000   push 3E8                                 ; |ControlID = 3E8 (1000.)
004010A9  |.  57            push edi                                 ; |hWnd
004010AA  |.  FF15 9C504000 call dword ptr ds:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA

...

00401114  |.  6A 40         push 40                                  ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401116  |.  68 58604000   push Easy_Cra.00406058                   ; |EasyCrackMe
0040111B  |.  68 44604000   push Easy_Cra.00406044                   ; |Congratulation !!
00401120  |.  57            push edi                                 ; |hOwner
00401121  |.  FF15 A0504000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401127  |.  6A 00         push 0                                   ; /Result = 0
00401129  |.  57            push edi                                 ; |hWnd
0040112A  |.  FF15 A4504000 call dword ptr ds:[<&USER32.EndDialog>]  ; \EndDialog
00401130  |.  5F            pop edi
00401131  |.  83C4 64       add esp,64
00401134  |.  C3            retn
00401135  |>  6A 10         push 10                                  ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401137  |.  68 58604000   push Easy_Cra.00406058                   ; |EasyCrackMe
0040113C  |.  68 30604000   push Easy_Cra.00406030                   ; |Incorrect Password
00401141  |.  57            push edi                                 ; |hOwner
00401142  |.  FF15 A0504000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401148  |.  5F            pop edi
00401149  |.  83C4 64       add esp,64
0040114C  \.  C3            retn

程序通过GetDlgItemTextA获取输入字符串,之后经过一段算法判定对错。下面分析算法:

004010B0  |.  807C24 05 61  cmp byte ptr ss:[esp+5],61
004010B5  |.  75 7E         jnz short Easy_Cra.00401135

首先确定esp+5位置字符为0x61,即a。

004010B7  |.  6A 02         push 2
004010B9  |.  8D4C24 0A     lea ecx,dword ptr ss:[esp+A]
004010BD  |.  68 78604000   push Easy_Cra.00406078                   ;  5y
004010C2  |.  51            push ecx
004010C3  |.  E8 88000000   call Easy_Cra.00401150                   ;  strcmp
004010C8  |.  83C4 0C       add esp,0C
004010CB  |.  85C0          test eax,eax
004010CD  |.  75 66         jnz short Easy_Cra.00401135

之后判断esp+A处字符串是否为5y。 这里由于push 2指令,栈针会上移4byte,因此此时esp=esp-4,所以现在的esp+A相当于上一次的esp-4+A(esp+6),这样就和上一次esp+5成为连续的字符串,也就是3个连续的字符为a5y。

004010CF  |.  53            push ebx
004010D0  |.  56            push esi
004010D1  |.  BE 6C604000   mov esi,Easy_Cra.0040606C                ;  R3versing
004010D6  |.  8D4424 10     lea eax,dword ptr ss:[esp+10]
004010DA  |>  8A10          /mov dl,byte ptr ds:[eax]
004010DC  |.  8A1E          |mov bl,byte ptr ds:[esi]
004010DE  |.  8ACA          |mov cl,dl
004010E0  |.  3AD3          |cmp dl,bl
004010E2  |.  75 1E         |jnz short Easy_Cra.00401102
004010E4  |.  84C9          |test cl,cl
004010E6  |.  74 16         |je short Easy_Cra.004010FE
004010E8  |.  8A50 01       |mov dl,byte ptr ds:[eax+1]
004010EB  |.  8A5E 01       |mov bl,byte ptr ds:[esi+1]
004010EE  |.  8ACA          |mov cl,dl
004010F0  |.  3AD3          |cmp dl,bl
004010F2  |.  75 0E         |jnz short Easy_Cra.00401102
004010F4  |.  83C0 02       |add eax,2
004010F7  |.  83C6 02       |add esi,2
004010FA  |.  84C9          |test cl,cl
004010FC  |.^ 75 DC         \jnz short Easy_Cra.004010DA
004010FE  |>  33C0          xor eax,eax
00401100  |.  EB 05         jmp short Easy_Cra.00401107
00401102  |>  1BC0          sbb eax,eax
00401104  |.  83D8 FF       sbb eax,-1
00401107  |>  5E            pop esi
00401108  |.  5B            pop ebx
00401109  |.  85C0          test eax,eax
0040110B  |.  75 28         jnz short Easy_Cra.00401135
0040110D  |.  807C24 04 45  cmp byte ptr ss:[esp+4],45
00401112  |.  75 21         jnz short Easy_Cra.00401135

之后匹配字符串R3versing,并在字符串头部(esp+4处)添加字符为E。因此答案为Ea5yR3versing。

这里算法由于涉及到esp的改变,因此OD跟踪起来比IDA静态分析更加简单。可以直接将程序跑起来,当程序碰到相关判断的地方(一般是cmp)会改变标志位(一般是ZF),只需要改变标志位寄存器的值让它按照你要的逻辑执行下去即可,当然你需要同时记录这些让逻辑保持正确的字符,你可以直接在栈(或数据区)中作出修改。之后当程序跑完之后,你的栈(或数据区)中就是一个正确的值。本程序栈的结构如下:

OD

Easy Keygen

注册机题,readme要求Find the Name when the Serial is 5B134977135E7D13。程序跑起来,要求输入名字和序列号,测试了一下Name为abcde和随机的序列号,提示错误:

C:\Users\GreatYYX>"F:\Crack\reversingkr\Easy_KeygenMe\Easy Keygen.exe"

Input Name: abcde
Input Serial: 12345
Wrong

开OD跟着跑一下,下断点在InputName和InputSerial处,可以看到判定对错函数如下:

00401000  /$  81EC 30010000 sub esp,130
00401006  |.  55            push ebp
00401007  |.  56            push esi
00401008  |.  57            push edi
00401009  |.  B9 18000000   mov ecx,18
0040100E  |.  33C0          xor eax,eax
00401010  |.  8D7C24 11     lea edi,dword ptr ss:[esp+11]
00401014  |.  C64424 10 00  mov byte ptr ss:[esp+10],0
00401019  |.  C64424 74 00  mov byte ptr ss:[esp+74],0
0040101E  |.  F3:AB         rep stos dword ptr es:[edi]
00401020  |.  66:AB         stos word ptr es:[edi]
00401022  |.  AA            stos byte ptr es:[edi]
00401023  |.  B9 31000000   mov ecx,31
00401028  |.  33C0          xor eax,eax
0040102A  |.  8D7C24 75     lea edi,dword ptr ss:[esp+75]
0040102E  |.  68 60804000   push Easy_Key.00408060                   ;  Input Name:
00401033  |.  F3:AB         rep stos dword ptr es:[edi]
00401035  |.  66:AB         stos word ptr es:[edi]
00401037  |.  AA            stos byte ptr es:[edi]
00401038  |.  C64424 10 10  mov byte ptr ss:[esp+10],10              ;  array, 3 bytes
0040103D  |.  C64424 11 20  mov byte ptr ss:[esp+11],20
00401042  |.  C64424 12 30  mov byte ptr ss:[esp+12],30
00401047  |.  E8 6D010000   call Easy_Key.004011B9
0040104C  |.  83C4 04       add esp,4
0040104F  |.  8D4424 10     lea eax,dword ptr ss:[esp+10]
00401053  |.  50            push eax
00401054  |.  68 5C804000   push Easy_Key.0040805C                   ;  %s
00401059  |.  E8 44010000   call Easy_Key.004011A2                   ;  input function
0040105E  |.  8D7C24 18     lea edi,dword ptr ss:[esp+18]
00401062  |.  83C9 FF       or ecx,FFFFFFFF
00401065  |.  33C0          xor eax,eax
00401067  |.  83C4 08       add esp,8
0040106A  |.  33ED          xor ebp,ebp
0040106C  |.  33F6          xor esi,esi
0040106E  |.  F2:AE         repne scas byte ptr es:[edi]
00401070  |.  F7D1          not ecx
00401072  |.  49            dec ecx
00401073  |.  85C9          test ecx,ecx
00401075  |.  7E 3F         jle short Easy_Key.004010B6
00401077  |>  83FE 03       /cmp esi,3
0040107A  |.  7C 02         |jl short Easy_Key.0040107E
0040107C  |.  33F6          |xor esi,esi
0040107E  |>  0FBE4C34 0C   |movsx ecx,byte ptr ss:[esp+esi+C]
00401083  |.  0FBE542C 10   |movsx edx,byte ptr ss:[esp+ebp+10]
00401088  |.  33CA          |xor ecx,edx
0040108A  |.  8D4424 74     |lea eax,dword ptr ss:[esp+74]
0040108E  |.  51            |push ecx
0040108F  |.  50            |push eax
00401090  |.  8D4C24 7C     |lea ecx,dword ptr ss:[esp+7C]
00401094  |.  68 54804000   |push Easy_Key.00408054                  ;  %s%02X
00401099  |.  51            |push ecx
0040109A  |.  E8 B1000000   |call Easy_Key.00401150
0040109F  |.  83C4 10       |add esp,10
004010A2  |.  45            |inc ebp
004010A3  |.  8D7C24 10     |lea edi,dword ptr ss:[esp+10]
004010A7  |.  83C9 FF       |or ecx,FFFFFFFF
004010AA  |.  33C0          |xor eax,eax
004010AC  |.  46            |inc esi
004010AD  |.  F2:AE         |repne scas byte ptr es:[edi]
004010AF  |.  F7D1          |not ecx
004010B1  |.  49            |dec ecx
004010B2  |.  3BE9          |cmp ebp,ecx
004010B4  |.^ 7C C1         \jl short Easy_Key.00401077
004010B6  |>  B9 19000000   mov ecx,19
004010BB  |.  33C0          xor eax,eax
004010BD  |.  8D7C24 10     lea edi,dword ptr ss:[esp+10]
004010C1  |.  68 44804000   push Easy_Key.00408044                   ;  Input Serial:
004010C6  |.  F3:AB         rep stos dword ptr es:[edi]

...

0040111A  |.  68 38804000   push Easy_Key.00408038                   ;  Correct!\n
0040111F  |.  E8 95000000   call Easy_Key.004011B9
00401124  |.  83C4 04       add esp,4
00401127  |.  33C0          xor eax,eax
00401129  |.  81C4 30010000 add esp,130
0040112F  |.  C3            retn
00401130  |>  68 30804000   push Easy_Key.00408030                   ;  Wrong\n
00401135  |.  E8 7F000000   call Easy_Key.004011B9
0040113A  |.  83C4 04       add esp,4
0040113D  |.  33C0          xor eax,eax
0040113F  |.  81C4 30010000 add esp,130
00401145  \.  C3            retn

00401059即InputFunction处输入测试用的Name:abcde,并回车。之后程序跑到004010C1即InputSerial处,查看栈数据:

0018FDEC   00000005
0018FDF0   0018FF88
0018FDF4   004011B5  Easy_Key.004011B5
0018FDF8   00000004
0018FDFC   0040109F  Easy_Key.0040109F
0018FE00   0018FE84  ASCII "7142537445"
0018FE04   00408054  ASCII "%s%02X"
0018FE08   0018FE84  ASCII "7142537445"
0018FE0C   00000045
0018FE10   00000000

可以看到当Name为abcde的时候,栈在InputSerial前有数据ASCII "7142537445"出现。通过InputSerial之后程序逻辑可以看出,这段字符串就是根据abcde算出的序列号,并用这个序列号和输入的序列号做对比。因此序列号算法在输入名字后、输入序列号之前(0040105E-004010B4)。

这段程序还原成C++代码后基本如下:

#include <iostream>
#include <string>
using namespace std;

void main(void)
{
    char num[3] = {0x10, 0x20, 0x30};
    char* name = "abcde";
    int len = strlen(name) * 2 + 1;
    char* serial = new char[len];
    memset(serial, 0, len);

    for(int i = 0, j = 0; j < strlen(name); i++, j++)
    {
        if(i >= 3)
            i = 0;
        sprintf(serial, "%s%02x", serial, *(name + j) ^ num[i]);
    }

    cout<<serial<<endl;
}

因此可以写出反函数:

#include <iostream>
#include <string>
using namespace std;

void main(void)
{
    char num[3] = {0x10, 0x20, 0x30};
    char* serial = "7142537445";
    int len = strlen(serial) / 2 + 1;
    char* name = new char[len];
    memset(name, 0, len);

    for(int i = 0, j = 0; j < strlen(serial); i++, j = j + 2)
    {
        if(i >= 3)
            i = 0;

        char serial_str[3];
        serial_str[0] = *(serial + j);
        serial_str[1] = *(serial + j + 1);
        serial_str[2] = '\0';

        sprintf(name, "%s%c", name, strtol(serial_str, NULL, 16) ^ num[i]);
    }

    cout<<name<<endl;
}

把serial用5B134977135E7D13带入跑出来Name为K3yg3nm3。

Easy Unpack

readme说需要找OEP,也就是不用脱壳,只需要找入口点。PEiD看一下,壳类型为ARVID's TDR file [Overlay] *。才疏学浅,没看到过……不过既然是Easy Unpack,料着也不会难倒哪里去。

打开OD,载入程序,忽略各种错误。程序开始载入kernel32之后用了LoadLibrary、GetModuleHandle和FreeLibrary,典型的包装了IAT的壳。

0040A04B >  68 00A04000     push Easy_Unp.0040A000                   ; ASCII "kernel32.dll"
0040A050    FF15 0DA04000   call dword ptr ds:[<&kernel32.LoadLibrar>; kernel32.LoadLibraryA
0040A056    A3 44A64000     mov dword ptr ds:[40A644],eax
0040A05B    68 18A64000     push Easy_Unp.0040A618                   ; ASCII "GetModuleHandleA"
0040A060    50              push eax
0040A061    FF15 11A04000   call dword ptr ds:[<&kernel32.GetProcAdd>; apphelp.7054FFF6
0040A067    A3 48A64000     mov dword ptr ds:[40A648],eax
0040A06C    68 29A64000     push Easy_Unp.0040A629                   ; ASCII "FreeLibrary"
0040A071    FF35 44A64000   push dword ptr ds:[40A644]
0040A077    FF15 11A04000   call dword ptr ds:[<&kernel32.GetProcAdd>; apphelp.7054FFF6
0040A07D    A3 4CA64000     mov dword ptr ds:[40A64C],eax

之后是很长一段外壳操作,直到一个长jmp

0040A082    6A 00           push 0
0040A084    FF15 48A64000   call dword ptr ds:[40A648]
0040A08A    A3 50A64000     mov dword ptr ds:[40A650],eax
0040A08F    B9 00904000     mov ecx,Easy_Unp.00409000
0040A094    BA EE944000     mov edx,Easy_Unp.004094EE
0040A099    3BCA            cmp ecx,edx
0040A09B    74 26           je short Easy_Unp.0040A0C3
0040A09D    8031 10         xor byte ptr ds:[ecx],10
0040A0A0    41              inc ecx
0040A0A1    3BCA            cmp ecx,edx
0040A0A3    74 1E           je short Easy_Unp.0040A0C3

...

0040A1ED    8031 40         xor byte ptr ds:[ecx],40
0040A1F0    41              inc ecx
0040A1F1    3BCA            cmp ecx,edx
0040A1F3    74 06           je short Easy_Unp.0040A1FB
0040A1F5    8031 50         xor byte ptr ds:[ecx],50
0040A1F8    41              inc ecx
0040A1F9  ^ EB D6           jmp short Easy_Unp.0040A1D1
0040A1FB  - E9 506FFFFF     jmp Easy_Unp.00401150

程序单步到0040A1FB之后,长跳到00401150,发现二进制数据是55,条件反射push ebp,函数入口,于是Ctrl+A强制汇编数据,熟悉的入口结构来了~~

00401150  /.  55            push ebp
00401151  |.  8BEC          mov ebp,esp
00401153  |.  6A FF         push -1
00401155  |.  68 D0504000   push Easy_Unp.004050D0
0040115A  |.  68 1C1E4000   push Easy_Unp.00401E1C                   ;  Entry address; SE 处理程序安装
0040115F  |.  64:A1 0000000>mov eax,dword ptr fs:[0]
00401165  |.  50            push eax
00401166  |.  64:8925 00000>mov dword ptr fs:[0],esp
0040116D  |.  83EC 58       sub esp,58

...

004011BC  |>  8975 FC       mov [local.1],esi
004011BF  |.  E8 E1070000   call Easy_Unp.004019A5
004011C4  |.  FF15 38504000 call dword ptr ds:[405038]               ; [GetCommandLineA

...

004011EE  |.  50            push eax                                 ; /pStartupinfo
004011EF  |.  FF15 34504000 call dword ptr ds:[405034]               ; \GetStartupInfoA
004011F5  |.  E8 1B030000   call Easy_Unp.00401515

...

0040120C  |>  50            push eax
0040120D  |.  FF75 9C       push [local.25]
00401210  |.  56            push esi
00401211  |.  56            push esi                                 ; /pModule
00401212  |.  FF15 30504000 call dword ptr ds:[405030]               ; \GetModuleHandleA

因此OEP为00401150。确实非常简单~~

Easy ELF

三道Windows之后来了一道Linux,不过无所谓啦。拖到Linux里面,看一下文件类型。

root@YYX-Kali:~/upload# file Easy_ELF 
Easy_ELF: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x409edb8e3182380a2f58d49c7323dd895c74e1b7, stripped

基本信息就是ELF32位可执行文件,链接动态库,去符号表。

运行一下程序,随便输入一点,提示Wrong后直接退出。反复试了一些数字、字母之类的组合,都是一个结果。

打开IDA(Windows下),拖入,开始逆向分析。直接Shift+F12打开字符串窗口找到找到Wrong,之后利用交叉引用跳回到调用函数,稍微向上翻一点就能看到关键函数了:

.text:080484F7 ; =============== S U B R O U T I N E =======================================
.text:080484F7
.text:080484F7 ; Attributes: bp-based frame
.text:080484F7
.text:080484F7 sub_80484F7     proc near               ; CODE XREF: sub_804851B+34p
.text:080484F7                 push    ebp
.text:080484F8                 mov     ebp, esp
.text:080484FA                 sub     esp, 18h
.text:080484FD                 mov     dword ptr [esp+8], 9 ; n
.text:08048505                 mov     dword ptr [esp+4], offset aCorrect ; "Correct!\n"
.text:0804850D                 mov     dword ptr [esp], 1 ; fd
.text:08048514                 call    _write
.text:08048519                 leave
.text:0804851A                 retn
.text:0804851A sub_80484F7     endp
.text:0804851A
.text:0804851B
.text:0804851B ; =============== S U B R O U T I N E =======================================
.text:0804851B
.text:0804851B ; Attributes: bp-based frame
.text:0804851B
.text:0804851B sub_804851B     proc near               ; DATA XREF: start+17o
.text:0804851B                 push    ebp
.text:0804851C                 mov     ebp, esp
.text:0804851E                 and     esp, 0FFFFFFF0h
.text:08048521                 sub     esp, 10h
.text:08048524                 mov     dword ptr [esp+8], 17h ; n
.text:0804852C                 mov     dword ptr [esp+4], offset aReversing_krEa ; "Reversing.Kr Easy ELF\n\n"
.text:08048534                 mov     dword ptr [esp], 1 ; fd
.text:0804853B                 call    _write
.text:08048540                 call    sub_8048434              ; scanf
.text:08048545                 call    sub_8048451              ; main algorithm
.text:0804854A                 cmp     eax, 1
.text:0804854D                 jnz     short loc_804855B
.text:0804854F                 call    sub_80484F7              ; correct
.text:08048554                 mov     eax, 0
.text:08048559                 jmp     short locret_804857C
.text:0804855B ; ---------------------------------------------------------------------------
.text:0804855B
.text:0804855B loc_804855B:                            ; CODE XREF: sub_804851B+32j
.text:0804855B                 mov     dword ptr [esp+8], 6 ; n
.text:08048563                 mov     dword ptr [esp+4], offset aWrong ; "Wrong\n"
.text:0804856B                 mov     dword ptr [esp], 1 ; fd
.text:08048572                 call    _write
.text:08048577                 mov     eax, 0
.text:0804857C
.text:0804857C locret_804857C:                         ; CODE XREF: sub_804851B+3Ej
.text:0804857C                 leave
.text:0804857D                 retn
.text:0804857D sub_804851B     endp
.text:0804857D
.text:0804857D ; ---------------------------------------------------------------------------

sub_804851B函数是提示正确与错误的分支函数,其中四个call,write识别出来了,其他函数跟进去看一下(我已经注释),发现是scanf、主算法函数和返回Correct字符串的函数,其中当主算法函数返回1时判为正确。

然后就重点来看sub_8048451。转到图形视图,一组连续判断,只要逻辑沿着右边下来即可走通(最后eax为1,符合上面的判对条件)。

IDA

之后大致扫描了一下程序体,发现反复调用ds段寄存器指向的段内的一些byte,点进去看一下数据区布局(在.bss段,全局变量)。

.bss:0804A020 byte_804A020    db ?                    ; DATA XREF: sub_8048434+Bo
.bss:0804A020                                         ; sub_8048451:loc_8048469r ...
.bss:0804A021 byte_804A021    db ?                    ; DATA XREF: sub_8048451+3r
.bss:0804A022 byte_804A022    db ?                    ; DATA XREF: sub_8048451+27r
.bss:0804A022                                         ; sub_8048451+31w ...
.bss:0804A023 byte_804A023    db ?                    ; DATA XREF: sub_8048451+36r
.bss:0804A023                                         ; sub_8048451+40w ...
.bss:0804A024 byte_804A024    db ?                    ; DATA XREF: sub_8048451+45r
.bss:0804A025 byte_804A025    db ?                    ; DATA XREF: sub_8048451:loc_80484A8r

这段都是被引用数据,且是连续的,各1byte,你可以把它们格式化成数组,我比较懒,就不做这步了。基本可以确认数据区为连续的6个byte,即[20][21][22][23][24][25]。

下面进行主算法具体逻辑分析:

.text:08048451 sub_8048451     proc near               ; CODE XREF: sub_804851B+2Ap
.text:08048451                 push    ebp
.text:08048452                 mov     ebp, esp
.text:08048454                 movzx   eax, ds:byte_804A021
.text:0804845B                 cmp     al, 31h
.text:0804845D                 jz      short loc_8048469
.text:0804845F                 mov     eax, 0
.text:08048464                 jmp     loc_80484F5

第一段确定[21]等于0x31,就是'1'。

.text:08048469 loc_8048469:                            ; CODE XREF: sub_8048451+Cj
.text:08048469                 movzx   eax, ds:byte_804A020
.text:08048470                 xor     eax, 34h
.text:08048473                 mov     ds:byte_804A020, al
.text:08048478                 movzx   eax, ds:byte_804A022
.text:0804847F                 xor     eax, 32h
.text:08048482                 mov     ds:byte_804A022, al
.text:08048487                 movzx   eax, ds:byte_804A023
.text:0804848E                 xor     eax, 0FFFFFF88h
.text:08048491                 mov     ds:byte_804A023, al
.text:08048496                 movzx   eax, ds:byte_804A024
.text:0804849D                 cmp     al, 58h
.text:0804849F                 jz      short loc_80484A8
.text:080484A1                 mov     eax, 0
.text:080484A6                 jmp     short loc_80484F5

第二段做了连续异或,[20] xor 0x34, [22] xor 0x32, [23] xor 0x88, 之后判断[23]是不是为0x58,所以[23]为'X'。

.text:080484A8 loc_80484A8:                            ; CODE XREF: sub_8048451+4Ej
.text:080484A8                 movzx   eax, ds:byte_804A025
.text:080484AF                 test    al, al
.text:080484B1                 jz      short loc_80484BA
.text:080484B3                 mov     eax, 0
.text:080484B8                 jmp     short loc_80484F5

第三段要求[25]为0,就是'\0',字符串结尾。

.text:080484BA
.text:080484BA loc_80484BA:                            ; CODE XREF: sub_8048451+60j
.text:080484BA                 movzx   eax, ds:byte_804A022
.text:080484C1                 cmp     al, 7Ch
.text:080484C3                 jz      short loc_80484CC
.text:080484C5                 mov     eax, 0
.text:080484CA                 jmp     short loc_80484F5
.text:080484CC ; ---------------------------------------------------------------------------
.text:080484CC
.text:080484CC loc_80484CC:                            ; CODE XREF: sub_8048451+72j
.text:080484CC                 movzx   eax, ds:byte_804A020
.text:080484D3                 cmp     al, 78h
.text:080484D5                 jz      short loc_80484DE
.text:080484D7                 mov     eax, 0
.text:080484DC                 jmp     short loc_80484F5
.text:080484DE ; ---------------------------------------------------------------------------
.text:080484DE
.text:080484DE loc_80484DE:                            ; CODE XREF: sub_8048451+84j
.text:080484DE                 movzx   eax, ds:byte_804A023
.text:080484E5                 cmp     al, 0DDh
.text:080484E7                 jz      short loc_80484F0
.text:080484E9                 mov     eax, 0
.text:080484EE                 jmp     short loc_80484F5

之后连续三段对刚才异或后的数字进行操作。异或的反函数还是异或,所以直接异或就能得到结果。这里用python计算一下:

>>> chr(0x32 ^ 0x7c)
'N'
>>> chr(0x34 ^ 0x78)
'L'
>>> chr(0x88 ^ 0xdd)
'U'`

所以[20]=L,[22]=N,[23]=U。

最后eax置1并返回。这样可以得到答案为L1NUX