Environment Information

System information: Windows
Tools involved: Visual Studio, x64dbg
Note: This is an English translation of a previously written article. If anything is hard to read, leave a message and I will improve the translation.
Test code:

C:

#include <stdio.h>

int main()
{
    int a;
    printf("Please input a number:\n");
    /* x does not receive the value of a. It receives the return value of
       scanf_s, the number of fields successfully converted: entering an
       integer gives x = 1 (true); entering a character or other invalid
       content gives x = 0 (false). */
    int x = scanf_s("%d", &a);

    printf("%d\n", x);
    /* Determine whether the number is divisible by both 5 and 7 and is greater than 1 and less than 200 */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n"); /* output yes if so */
    else
        printf("no\n");  /* otherwise output no */
    return 0;
}
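As an added example (not part of the original article), here is a variant of the test program that evaluates the rule only when input conversion succeeded, so `a` is never read uninitialized; it closes that source-level gap only and does not stop the debugger edits shown in the rest of the article. The names parse_int, meets_rule and judge are assumptions, and portable strtol/fgets replace scanf_s so that it builds outside MSVC.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one line as a decimal int. Returns 1 on success (the x == 1 case in
   the test program) and 0 on any invalid input; *out is written only on success. */
static int parse_int(const char *line, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line)                      /* no digits at all, e.g. "abc" */
        return 0;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;                         /* does not fit in an int */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                     /* trailing junk, e.g. "140abc" */
        return 0;
    *out = (int)v;
    return 1;
}

/* Same rule as the test program: divisible by 5 and 7, and 1 < a < 200. */
static int meets_rule(int a)
{
    return a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200;
}

/* Returns 1 for "yes", 0 for "no". The rule is checked only if parsing succeeded. */
int judge(const char *line)
{
    int a = 0;                            /* defined value even on failure */
    int x = parse_int(line, &a);
    return x == 1 && meets_rule(a);
}

int main(void)
{
    char buf[64];
    printf("Please input a number:\n");
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    puts(judge(buf) ? "yes" : "no");
    return 0;
}
```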

Game rules

Enter a value so that the terminal returns the following output.

Code:

1
yes

Note: A normal input of 140 satisfies the requirement.

Break the rules

Enter something that does not meet the condition and still satisfy the requirement.

Example idea:

After the program starts, it outputs a string.

After that, the user enters a value, and the program returns some content after judging it.

In the normal flow, the code that outputs the string comes before the judgment code and is most likely in the same region, so you can use this string to locate the judgment code region.

Verification:

Configure the debugger settings so that it breaks at the Entry Breakpoint.

Click the Run button to let the program continue running.

At this point, return to the x64dbg interface and search for the strings loaded by the program.

In the results, double-click the string with the left mouse button to jump to it; part of the judgment process is now visible.

Scroll up with the mouse wheel to see the entry point of this function region (sub).

There are multiple int3 instructions at the sub, so this is determined to be the address that is called.

Set a breakpoint here.

Reload the program.

Run to the place where the breakpoint was set.

Set breakpoints on the call and judgment instructions for analysis.

lea instruction: takes the offset address 7FF7D3DA2260 and loads it into register RCX.

Single-step and see that the terminal outputs the string after this call.

After the next call, the terminal accepts a value.

After the input is confirmed, look at the register information for the call.

The call returns 1.

Rerun, enter a value that does not meet the condition, and compare.

Look at the register information for the call again.

This time the call returns 0.

Difference:

RAX is different.

Rerun, enter a value that does not meet the condition, and change the RAX value to 1.

Select RAX or its value and right-click.

Choose Modify.

Let the call finish and see that 1 has been returned: one rule has been broken.

Continue running and look at the judgments that follow.

Judgment: according to the displayed instruction flow, yes is returned if the two jne instructions do not jump and the jbe instruction does jump.

Right-click and edit the instructions so that they no longer take effect.

Modify the instructions.

After the modification, run to verify.

That is the end of this article. Until we meet again.