[原创]CTF第十题解题分析
发表于: 2016-11-20 13:08 2378
; OllyDbg listing (Intel syntax, 32-bit Windows) of the key-check routine at 004020A0 from the
; author's CTF #10 write-up. The author's Chinese notes are translated inline and attributed;
; anything not visible in this listing is marked as an assumption to confirm.
; Register roles: esi = entered key (after 004020DF), later the resolved ZwSetInformationThread;
;                 edi = LoadLibraryW, ebx = GetProcAddress (both kept live for 00402173).
004020A0 $ 55 push ebp ; --- entry: save caller's frame pointer
004020A1 . 8BEC mov ebp, esp
004020A3 . 6A FE push -2 ; [ebp-4]: SEH try-level slot, starts at -2 (rewritten at 00402135 / 00402146)
004020A5 . 68 40444200 push 00424440 ; [ebp-8]: presumably the SEH scope table; xor'ed with the cookie at 004020BE
004020AA . 68 F0D64000 push 0040D6F0 ; [ebp-C]: exception handler address of the new SEH record
004020AF . 64:A1 0000000>mov eax, dword ptr fs:[0] ; eax = previous SEH record
004020B5 . 50 push eax ; [ebp-10]: previous-record link
004020B6 . 83EC 14 sub esp, 14 ; 0x14 bytes of locals: [ebp-24]..[ebp-11]
004020B9 . A1 DC654200 mov eax, dword ptr [4265DC] ; global cookie value (looks like the /GS security cookie -- TODO confirm)
004020BE . 3145 F8 xor dword ptr [ebp-8], eax ; scope-table slot ^= cookie
004020C1 . 33C5 xor eax, ebp ; frame-bound cookie = cookie ^ ebp
004020C3 . 8945 E4 mov dword ptr [ebp-1C], eax ; saved; recomputed and checked at 004021DF-004021E4
004020C6 . 53 push ebx ; save callee-saved registers
004020C7 . 56 push esi
004020C8 . 57 push edi
004020C9 . 50 push eax ; scratch slot, popped into ecx at 004021DB
004020CA . 8D45 F0 lea eax, dword ptr [ebp-10] ; eax = &new SEH record (link at [ebp-10], handler at [ebp-C])
004020CD . 64:A3 0000000>mov dword ptr fs:[0], eax ; install it as the current handler
004020D3 . E8 88FEFFFF call 00401F60 ; author: anti-debug check that exits when OllyDbg is attached (body not shown -- TODO confirm what it tests)
004020D8 . 3BF4 cmp esi, esp ; flags unused (next instruction is a call); looks like a debug-build _RTC_CheckEsp remnant -- TODO confirm
004020DA . E8 B1FCFFFF call 00401D90 ; author: returns the key entered by the user (see 004020F5)
004020DF . 8BF0 mov esi, eax ; esi = entered key
004020E1 . 3BF5 cmp esi, ebp ; flags unused, same pattern as 004020D8
004020E3 . C745 DC 54727>mov dword ptr [ebp-24], 73757254 ; bytes 54 72 75 73 = "Trus"
004020EA . C745 E0 744D6>mov dword ptr [ebp-20], 654D74 ; bytes 74 4D 65 00 = "tMe\0" -> "TrustMe" now sits at [ebp-24]
004020F1 . 8D45 DC lea eax, dword ptr [ebp-24] ; author: eax = &"TrustMe", the first half of the key
004020F4 . 50 push eax ; arg 2: "TrustMe"
004020F5 . 56 push esi ; arg 1: the entered key (author calls it the "fake key")
004020F6 . E8 353E0000 call 00405F30 ; author: tests whether the entered key contains "TrustMe" (strstr-like; nonzero = found -- TODO confirm)
004020FB . 83C4 08 add esp, 8 ; caller cleans the two args
004020FE . 85C0 test eax, eax
00402100 . 75 07 jnz short 00402109 ; author: must be taken (substring found)
00402102 . 8BCE mov ecx, esi ; fall-through = key format wrong (author's note); ecx = entered key for the call below
00402104 . E8 87FDFFFF call 00401E90 ; error path (thiscall-style arg in ecx presumably; body not shown)
00402109 > 68 24384200 push 00423824 ; GetProcAddress arg 2: "ZwSetInformationThread"
0040210E . 68 3C384200 push 0042383C ; LoadLibraryW arg: wide string, listing shows only its first char "n" (likely L"ntdll" -- TODO confirm)
00402113 . 8B3D 20D04100 mov edi, dword ptr [<&KERNEL32.LoadL>; edi = kernel32.LoadLibraryW (kept live for 00402173)
00402119 . FFD7 call edi ; eax = hModule
0040211B . 50 push eax ; GetProcAddress arg 1: hModule
0040211C . 8B1D 24D04100 mov ebx, dword ptr [<&KERNEL32.GetPr>; ebx = kernel32.GetProcAddress (kept live for 00402173)
00402122 . FFD3 call ebx ; eax = &ZwSetInformationThread
00402124 . 8BF0 mov esi, eax ; esi now holds ZwSetInformationThread (the entered key in esi is no longer needed here)
00402126 . 6A 00 push 0 ; ThreadInformationLength = 0
00402128 . 6A 00 push 0 ; ThreadInformation = NULL
0040212A . 6A 11 push 11 ; ThreadInformationClass = 0x11 = ThreadHideFromDebugger
0040212C . FF15 1CD04100 call dword ptr [<&KERNEL32.GetCurrent>; GetCurrentThread() -> pseudo-handle
00402132 . 50 push eax ; ThreadHandle
00402133 . FFD6 call esi ; ZwSetInformationThread(thread, ThreadHideFromDebugger, NULL, 0): detaches the thread from any debugger
00402135 . C745 FC 00000>mov dword ptr [ebp-4], 0 ; try-level 0 (enters the __try block presumably)
0040213C . A1 38D14100 mov eax, dword ptr [<&USER32.Message> ; USER32 import at 41D138 (name truncated by the listing; a different IAT slot from the one compared at 00402157)
00402141 . A3 4C8C4200 mov dword ptr [428C4C], eax ; stash it in a global
00402146 . C745 FC FEFFF>mov dword ptr [ebp-4], -2 ; try-level back to -2
0040214D . E8 21000000 call 00402173 ; repeats the hide-from-debugger call; relies on edi/ebx still holding LoadLibraryW/GetProcAddress
00402152 . A1 4C8C4200 mov eax, dword ptr [428C4C] ; reload the stashed import value
00402157 . 3B05 40D14100 cmp eax, dword ptr [<&USER32.Message>; compare with the MessageBoxW IAT slot at 41D140
0040215D . 75 35 jnz short 00402194 ; expected path: the two IAT entries differ
0040215F . 6A 00 push 0 ; equal -> ExitProcess(0) (what the equality is meant to detect is not visible here)
00402161 . FF15 14D04100 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess, does not return
00402167 8B db 8B ; OllyDbg left 00402167-00402172 undecoded because they follow a noreturn call; the bytes are code:
00402168 1D db 1D ; 8B 1D <disp32> = mov ebx, dword ptr [<&KERNEL32.GetProcAddress>]
00402169 . 24D04100 dd <&KERNEL32.GetProcAddress>
0040216D 8B db 8B ; 8B 3D <disp32> = mov edi, dword ptr [<&KERNEL32.LoadLibraryW>]
0040216E 3D db 3D ; i.e. an alternate entry that reloads edi/ebx and falls into 00402173 (who jumps here is not visible)
0040216F . 20D04100 dd <&KERNEL32.LoadLibraryW>
00402173 /$ 68 24384200 push 00423824 ; --- helper: same ZwSetInformationThread(ThreadHideFromDebugger) sequence as 00402109-00402133
00402178 |. 68 3C384200 push 0042383C ; wide module name (shown as "n")
0040217D |. FFD7 call edi ; LoadLibraryW
0040217F |. 50 push eax ; hModule
00402180 |. FFD3 call ebx ; GetProcAddress
00402182 |. 8BF0 mov esi, eax ; esi = &ZwSetInformationThread
00402184 |. 6A 00 push 0 ; ThreadInformationLength
00402186 |. 6A 00 push 0 ; ThreadInformation
00402188 |. 6A 11 push 11 ; ThreadHideFromDebugger
0040218A |. FF15 1CD04100 call dword ptr [<&KERNEL32.GetCurrent>; GetCurrentThread
00402190 |. 50 push eax ; ThreadHandle
00402191 |. FFD6 call esi
00402193 \. C3 retn
00402194 > E8 47FEFFFF call 00401FE0 ; author: per the code at 00402051 (not in this listing) 20161018 in hex is 133A1FA, which is the second half of the key; this call validates it
00402199 . 85C0 test eax, eax ; author: eax must be nonzero
0040219B . 74 32 je short 004021CF ; author: must not be taken
0040219D . 6A 09 push 9 ; 9 bytes: "success!" plus NUL
0040219F . E8 FB300000 call 0040529F ; author: reaching here means the key was accepted; allocator (presumably operator new/malloc -- TODO confirm)
004021A4 . C700 73756363 mov dword ptr [eax], 63637573 ; "succ"
004021AA . C740 04 65737>mov dword ptr [eax+4], 21737365 ; "ess!"
004021B1 . C640 08 00 mov byte ptr [eax+8], 0 ; terminator
004021B5 . 8BD0 mov edx, eax ; edx = "success!"
004021B7 . E8 D4120000 call 00403490 ; consumes the string in edx (body not shown)
004021BC . 50 push eax
004021BD . E8 BE170000 call 00403980 ; presumably prints it -- TODO confirm
004021C2 . 68 50384200 push 00423850 ; "pause"
004021C7 . E8 E43F0000 call 004061B0 ; presumably system("pause") -- TODO confirm
004021CC . 83C4 0C add esp, 0C ; clean the three pushed args (00402199D, 004021BC, 004021C2)
004021CF > 33C0 xor eax, eax ; return value 0
004021D1 . 8B4D F0 mov ecx, dword ptr [ebp-10] ; previous SEH record
004021D4 . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink our handler
004021DB . 59 pop ecx ; discard the scratch slot pushed at 004020C9
004021DC . 5F pop edi ; restore callee-saved registers
004021DD . 5E pop esi
004021DE . 5B pop ebx
004021DF . 8B4D E4 mov ecx, dword ptr [ebp-1C] ; saved frame-bound cookie
004021E2 . 33CD xor ecx, ebp ; undo the ebp mix from 004020C1
004021E4 . E8 B6340000 call 0040569F ; cookie check with ecx (looks like __security_check_cookie -- TODO confirm)
004021E9 . 8BE5 mov esp, ebp ; tear down the frame
004021EB . 5D pop ebp
004021EC . C3 retn
; Duplicate paste of the same 004020A0 listing (its first line, "push ebp" at 004020A0, is missing
; from this copy). Comments as in the first copy: author's notes translated and attributed,
; anything not visible here marked as an assumption.
004020A1 . 8BEC mov ebp, esp ; frame pointer set up (the preceding "push ebp" is not in this copy)
004020A3 . 6A FE push -2 ; [ebp-4]: SEH try-level slot, starts at -2 (rewritten at 00402135 / 00402146)
004020A5 . 68 40444200 push 00424440 ; [ebp-8]: presumably the SEH scope table; xor'ed with the cookie at 004020BE
004020AA . 68 F0D64000 push 0040D6F0 ; [ebp-C]: exception handler address of the new SEH record
004020AF . 64:A1 0000000>mov eax, dword ptr fs:[0] ; eax = previous SEH record
004020B5 . 50 push eax ; [ebp-10]: previous-record link
004020B6 . 83EC 14 sub esp, 14 ; 0x14 bytes of locals: [ebp-24]..[ebp-11]
004020B9 . A1 DC654200 mov eax, dword ptr [4265DC] ; global cookie value (looks like the /GS security cookie -- TODO confirm)
004020BE . 3145 F8 xor dword ptr [ebp-8], eax ; scope-table slot ^= cookie
004020C1 . 33C5 xor eax, ebp ; frame-bound cookie = cookie ^ ebp
004020C3 . 8945 E4 mov dword ptr [ebp-1C], eax ; saved; recomputed and checked at 004021DF-004021E4
004020C6 . 53 push ebx ; save callee-saved registers
004020C7 . 56 push esi
004020C8 . 57 push edi
004020C9 . 50 push eax ; scratch slot, popped into ecx at 004021DB
004020CA . 8D45 F0 lea eax, dword ptr [ebp-10] ; eax = &new SEH record (link at [ebp-10], handler at [ebp-C])
004020CD . 64:A3 0000000>mov dword ptr fs:[0], eax ; install it as the current handler
004020D3 . E8 88FEFFFF call 00401F60 ; author: anti-debug check that exits when OllyDbg is attached (body not shown -- TODO confirm what it tests)
004020D8 . 3BF4 cmp esi, esp ; flags unused (next instruction is a call); looks like a debug-build _RTC_CheckEsp remnant -- TODO confirm
004020DA . E8 B1FCFFFF call 00401D90 ; author: returns the key entered by the user (see 004020F5)
004020DF . 8BF0 mov esi, eax ; esi = entered key
004020E1 . 3BF5 cmp esi, ebp ; flags unused, same pattern as 004020D8
004020E3 . C745 DC 54727>mov dword ptr [ebp-24], 73757254 ; bytes 54 72 75 73 = "Trus"
004020EA . C745 E0 744D6>mov dword ptr [ebp-20], 654D74 ; bytes 74 4D 65 00 = "tMe\0" -> "TrustMe" now sits at [ebp-24]
004020F1 . 8D45 DC lea eax, dword ptr [ebp-24] ; author: eax = &"TrustMe", the first half of the key
004020F4 . 50 push eax ; arg 2: "TrustMe"
004020F5 . 56 push esi ; arg 1: the entered key (author calls it the "fake key")
004020F6 . E8 353E0000 call 00405F30 ; author: tests whether the entered key contains "TrustMe" (strstr-like; nonzero = found -- TODO confirm)
004020FB . 83C4 08 add esp, 8 ; caller cleans the two args
004020FE . 85C0 test eax, eax
00402100 . 75 07 jnz short 00402109 ; author: must be taken (substring found)
00402102 . 8BCE mov ecx, esi ; fall-through = key format wrong (author's note); ecx = entered key for the call below
00402104 . E8 87FDFFFF call 00401E90 ; error path (thiscall-style arg in ecx presumably; body not shown)
00402109 > 68 24384200 push 00423824 ; GetProcAddress arg 2: "ZwSetInformationThread"
0040210E . 68 3C384200 push 0042383C ; LoadLibraryW arg: wide string, listing shows only its first char "n" (likely L"ntdll" -- TODO confirm)
00402113 . 8B3D 20D04100 mov edi, dword ptr [<&KERNEL32.LoadL>; edi = kernel32.LoadLibraryW (kept live for 00402173)
00402119 . FFD7 call edi ; eax = hModule
0040211B . 50 push eax ; GetProcAddress arg 1: hModule
0040211C . 8B1D 24D04100 mov ebx, dword ptr [<&KERNEL32.GetPr>; ebx = kernel32.GetProcAddress (kept live for 00402173)
00402122 . FFD3 call ebx ; eax = &ZwSetInformationThread
00402124 . 8BF0 mov esi, eax ; esi now holds ZwSetInformationThread (the entered key in esi is no longer needed here)
00402126 . 6A 00 push 0 ; ThreadInformationLength = 0
00402128 . 6A 00 push 0 ; ThreadInformation = NULL
0040212A . 6A 11 push 11 ; ThreadInformationClass = 0x11 = ThreadHideFromDebugger
0040212C . FF15 1CD04100 call dword ptr [<&KERNEL32.GetCurrent>; GetCurrentThread() -> pseudo-handle
00402132 . 50 push eax ; ThreadHandle
00402133 . FFD6 call esi ; ZwSetInformationThread(thread, ThreadHideFromDebugger, NULL, 0): detaches the thread from any debugger
00402135 . C745 FC 00000>mov dword ptr [ebp-4], 0 ; try-level 0 (enters the __try block presumably)
0040213C . A1 38D14100 mov eax, dword ptr [<&USER32.Message> ; USER32 import at 41D138 (name truncated by the listing; a different IAT slot from the one compared at 00402157)
00402141 . A3 4C8C4200 mov dword ptr [428C4C], eax ; stash it in a global
00402146 . C745 FC FEFFF>mov dword ptr [ebp-4], -2 ; try-level back to -2
0040214D . E8 21000000 call 00402173 ; repeats the hide-from-debugger call; relies on edi/ebx still holding LoadLibraryW/GetProcAddress
00402152 . A1 4C8C4200 mov eax, dword ptr [428C4C] ; reload the stashed import value
00402157 . 3B05 40D14100 cmp eax, dword ptr [<&USER32.Message>; compare with the MessageBoxW IAT slot at 41D140
0040215D . 75 35 jnz short 00402194 ; expected path: the two IAT entries differ
0040215F . 6A 00 push 0 ; equal -> ExitProcess(0) (what the equality is meant to detect is not visible here)
00402161 . FF15 14D04100 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess, does not return
00402167 8B db 8B ; OllyDbg left 00402167-00402172 undecoded because they follow a noreturn call; the bytes are code:
00402168 1D db 1D ; 8B 1D <disp32> = mov ebx, dword ptr [<&KERNEL32.GetProcAddress>]
00402169 . 24D04100 dd <&KERNEL32.GetProcAddress>
0040216D 8B db 8B ; 8B 3D <disp32> = mov edi, dword ptr [<&KERNEL32.LoadLibraryW>]
0040216E 3D db 3D ; i.e. an alternate entry that reloads edi/ebx and falls into 00402173 (who jumps here is not visible)
0040216F . 20D04100 dd <&KERNEL32.LoadLibraryW>
00402173 /$ 68 24384200 push 00423824 ; --- helper: same ZwSetInformationThread(ThreadHideFromDebugger) sequence as 00402109-00402133
00402178 |. 68 3C384200 push 0042383C ; wide module name (shown as "n")
0040217D |. FFD7 call edi ; LoadLibraryW
0040217F |. 50 push eax ; hModule
00402180 |. FFD3 call ebx ; GetProcAddress
00402182 |. 8BF0 mov esi, eax ; esi = &ZwSetInformationThread
00402184 |. 6A 00 push 0 ; ThreadInformationLength
00402186 |. 6A 00 push 0 ; ThreadInformation
00402188 |. 6A 11 push 11 ; ThreadHideFromDebugger
0040218A |. FF15 1CD04100 call dword ptr [<&KERNEL32.GetCurrent>; GetCurrentThread
00402190 |. 50 push eax ; ThreadHandle
00402191 |. FFD6 call esi
00402193 \. C3 retn
00402194 > E8 47FEFFFF call 00401FE0 ; author: per the code at 00402051 (not in this listing) 20161018 in hex is 133A1FA, which is the second half of the key; this call validates it
00402199 . 85C0 test eax, eax ; author: eax must be nonzero
0040219B . 74 32 je short 004021CF ; author: must not be taken
0040219D . 6A 09 push 9 ; 9 bytes: "success!" plus NUL
0040219F . E8 FB300000 call 0040529F ; author: reaching here means the key was accepted; allocator (presumably operator new/malloc -- TODO confirm)
004021A4 . C700 73756363 mov dword ptr [eax], 63637573 ; "succ"
004021AA . C740 04 65737>mov dword ptr [eax+4], 21737365 ; "ess!"
004021B1 . C640 08 00 mov byte ptr [eax+8], 0 ; terminator
004021B5 . 8BD0 mov edx, eax ; edx = "success!"
004021B7 . E8 D4120000 call 00403490 ; consumes the string in edx (body not shown)
004021BC . 50 push eax
004021BD . E8 BE170000 call 00403980 ; presumably prints it -- TODO confirm
004021C2 . 68 50384200 push 00423850 ; "pause"
004021C7 . E8 E43F0000 call 004061B0 ; presumably system("pause") -- TODO confirm
004021CC . 83C4 0C add esp, 0C ; clean the three pushed args (0040219D, 004021BC, 004021C2)
004021CF > 33C0 xor eax, eax ; return value 0
004021D1 . 8B4D F0 mov ecx, dword ptr [ebp-10] ; previous SEH record
004021D4 . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink our handler
004021DB . 59 pop ecx ; discard the scratch slot pushed at 004020C9
004021DC . 5F pop edi ; restore callee-saved registers
004021DD . 5E pop esi
004021DE . 5B pop ebx
004021DF . 8B4D E4 mov ecx, dword ptr [ebp-1C] ; saved frame-bound cookie
004021E2 . 33CD xor ecx, ebp ; undo the ebp mix from 004020C1
004021E4 . E8 B6340000 call 0040569F ; cookie check with ecx (looks like __security_check_cookie -- TODO confirm)
004021E9 . 8BE5 mov esp, ebp ; tear down the frame
004021EB . 5D pop ebp
004021EC . C3 retn