[Original] 看雪CTF2016 Problem 5

Posted: 2016-11-10 14:20
Set a breakpoint on SendMessage and you land directly at the place where the key is read:

00401164   .  50            PUSH EAX                                 ; /lParam
00401165   .  68 FF000000   PUSH 0xFF                                ; |wParam = FF
0040116A   .  6A 0D         PUSH 0xD                                 ; |Message = WM_GETTEXT
0040116C   .  68 E9030000   PUSH 0x3E9                               ; |/ControlID = 3E9 (1001.)
00401171   .  56            PUSH ESI                                 ; ||hWnd
00401172   .  FFD3          CALL EBX                                 ; |\GetDlgItem
00401174   .  8B2D A4504000 MOV EBP, DWORD PTR DS:[<&USER32.SendMess>; |user32.SendMessageA
0040117A   .  50            PUSH EAX                                 ; |hWnd
0040117B   .  FFD5          CALL EBP                                 ; \SendMessageA
0040117D   .  33C9          XOR ECX, ECX                             ;  [esp+0x20]=key
0040117F   .  85C0          TEST EAX, EAX                            ;  eax=strlen(key)
00401181   .  76 17         JBE SHORT CrackMe.0040119A
00401183   >  8A540C 20     MOV DL, BYTE PTR SS:[ESP+ECX+0x20]
00401187   .  80FA 30       CMP DL, 0x30
0040118A   .  7C 0C         JL SHORT CrackMe.00401198
0040118C   .  80FA 39       CMP DL, 0x39
0040118F   .  7F 07         JG SHORT CrackMe.00401198                ;  if(isdigit(dl))
00401191   .  41            INC ECX
00401192   .  3BC8          CMP ECX, EAX
00401194   .^ 72 ED         JB SHORT CrackMe.00401183
00401196   .  EB 02         JMP SHORT CrackMe.0040119A
00401198   >  33FF          XOR EDI, EDI
0040119A   >  83F8 06       CMP EAX, 0x6
0040119D   .  75 56         JNZ SHORT CrackMe.004011F5
0040119F   .  85FF          TEST EDI, EDI
004011A1   .  74 52         JE SHORT CrackMe.004011F5                ;  above: key length must be 6 and every character a digit
004011A3      8D4C24 20     LEA ECX, DWORD PTR SS:[ESP+0x20]
004011A7      50            PUSH EAX
004011A8   .  51            PUSH ECX
004011A9   .  E8 52FEFFFF   CALL CrackMe.00401000                    ;  _cdecl func1(char* key,int length)
004011AE   .  83C4 08       ADD ESP, 0x8
004011B1   .  E8 0AFFFFFF   CALL CrackMe.004010C0                    ;  verify
004011B6   .  85C0          TEST EAX, EAX
004011B8   .  74 2C         JE SHORT CrackMe.004011E6


The code from 401181 to 4011A1 checks that the input is a 6-character string consisting only of digits (the CMP 0x30 / CMP 0x39 pair is an isdigit test; EDI is cleared as soon as one byte falls outside that range), then calls 401000 on the key buffer and 4010C0 to verify it.

If verification fails it jumps to 4011E6:

004011E6   > \8D4424 20     LEA EAX, DWORD PTR SS:[ESP+0x20]
004011EA   .  6A 06         PUSH 0x6
004011EC   .  50            PUSH EAX
004011ED   .  E8 0EFEFFFF   CALL CrackMe.00401000
004011F2   .  83C4 08       ADD ESP, 0x8
004011F5   >  5F            POP EDI                                  ;  Default case of switch 0040110A
004011F6   .  5E            POP ESI
004011F7   .  5D            POP EBP
004011F8   .  33C0          XOR EAX, EAX
004011FA   .  5B            POP EBX
004011FB   .  81C4 10010000 ADD ESP, 0x110
00401201   .  C2 1000       RETN 0x10


Note that the failure path calls 401000 once more on the same 6-byte buffer. The brute-force loop below does the same after every failed check before moving on to the next candidate, so the buffer is back in its untransformed state when the next digit is incremented.

The key space is only 0 to 999999, so it can simply be enumerated. The enumeration code, patched into the binary, is as follows:

TestFunc:
	MOV DWORD PTR [ESP+0x20],0x30303030      ; key buffer = "0000"
	MOV WORD PTR [ESP+0x24],0x3030           ; ... + "00" -> "000000"
	LEA ESI,DWORD PTR [ESP+0x20]             ; ESI = key buffer

LABEL:
	PUSH 6
	PUSH ESI
	CALL 0x401000                            ; transform the key in place
	ADD ESP,0x8
	CALL 0x4010C0                            ; verify
	TEST EAX,EAX
	JNZ ANS                                  ; nonzero = key accepted
	PUSH 6
	PUSH ESI
	CALL 0x401000                            ; call again so the buffer is restored
	ADD ESP,0x8
	PUSH ECX
	MOV ECX,0                                ; ECX = digit index, least significant byte first
add1:
	ADD BYTE PTR [ESI+ECX],1
	CMP BYTE PTR [ESI+ECX],0x3A              ; one past '9', so only '0'..'9' are ever tried
	JNZ next
	MOV BYTE PTR [ESI+ECX],0x30              ; wrap this digit to '0' and carry into the next one
	INC ECX
	JMP add1
next:
	POP ECX
	JMP LABEL

ANS:
	PUSH 0                                   ; uType
	PUSH ESI                                 ; lpCaption
	PUSH ESI                                 ; lpText = the key
	PUSH 0                                   ; hWnd
	CALL MessageBoxA
	PUSH 0
	CALL ExitProcess


At 004011A3 (the point reached only after the length/digit check has passed, so [ESP+0x20] is still the key buffer) patch in a jmp to TestFunc, save the file and run it. Enter any 6-digit number, click the button, and a MessageBox pops up showing the key:
771535
