
[原创]看雪CTF2016第十题分析

[软件名称]: 10-liuwan.rar
[软件大小]: 73.0 KB (74,770 字节)
[下载地址]: http://ctf.pediy.com/?game-fight-11.htm
[使用工具]: IDA6.6+OD1.1
[操作平台]: WinXP

关键函数为sub_4020A0,通过IDA+F5,整个流程还是非常清晰的,
首先判断输入序列号的前7位是否等于“TrustMe”,
不相等则会跳转提示“error!”,
相等则会进入到函数sub_401FE0对序列号剩余部分进行判断,调用strtol函数将序列号剩余位转换为长整型,判断数值是否等于0x133A1FA(“20161018”),
因此正确的序列号就是上面2部分的组合:“TrustMe20161018”。

/*
 * sub_4020A0 -- serial-check entry point (Hex-Rays pseudocode).
 *
 * Visible flow: fetch the input via sub_401D90, require that it contains
 * "TrustMe", run a dynamically resolved anti-debug sequence wrapped in SEH,
 * then let sub_401FE0 judge the rest of the serial and print "success!"
 * when it accepts. Returns 0 on every path that does not reach ExitProcess.
 */
int sub_4020A0()
{
  const char *v0; // esi@1
  HMODULE v1; // eax@3
  FARPROC v2; // esi@3
  HANDLE v3; // eax@3
  HMODULE v4; // eax@3
  FARPROC v5; // esi@3
  HANDLE v6; // eax@3
  int v7; // eax@6
  int v8; // ecx@6
  int v9; // eax@6
  // v11..v14 are never assigned: they are stack residue the decompiler
  // mistook for call arguments (see the two ZwSetInformationThread calls).
  int v11; // [sp+0h] [bp-34h]@0
  int v12; // [sp+4h] [bp-30h]@0
  int v13; // [sp+8h] [bp-2Ch]@0
  int v14; // [sp+Ch] [bp-28h]@0
  // v15 is 4 bytes but "TrustMe\0" needs 8: the literal spills into the
  // adjacent slot v16 ([sp+10h] then [sp+14h]). This is a decompiler
  // stack-layout artifact, not a real overflow in the binary.
  char v15[4]; // [sp+10h] [bp-24h]@1
  int v16; // [sp+14h] [bp-20h]@3
  int v17; // [sp+18h] [bp-1Ch]@3
  CPPEH_RECORD ms_exc; // [sp+1Ch] [bp-18h]@3

  ((void (*)(void))loc_401F60)();      // untyped callee; its purpose is not visible here
  v0 = (const char *)sub_401D90();     // presumably returns the user-entered serial -- confirm
  strcpy(v15, "TrustMe");
  // strstr() finds "TrustMe" anywhere in the input, not only at offset 0.
  // The prefix is effectively pinned only by the fixed +7 skip and the
  // length-15 check inside sub_401FE0.
  if ( !strstr(v0, v15) )
    sub_401E90(v0);                    // "error!" path per the writeup; whether it returns is not visible here
  // Anti-debug: ZwSetInformationThread(GetCurrentThread(), 17, NULL, 0).
  // Info class 17 is ThreadHideFromDebugger; resolving it through
  // GetProcAddress keeps the name out of the import table.
  v1 = LoadLibraryW(L"ntdll.dll");
  v2 = GetProcAddress(v1, "ZwSetInformationThread");
  v3 = GetCurrentThread();
  ((void (__stdcall *)(HANDLE, signed int, _DWORD, _DWORD, int))v2)(v3, 17, 0, 0, v11);   // 5th arg is uninitialized residue
  dword_428C4C = (int)MessageBeep;     // sentinel value; compared against MessageBoxW below
  ms_exc.registration.TryLevel = -2;   // SEH bookkeeping: the decompiler has flattened a __try scope here
  // Same anti-debug call a second time. The 17-argument prototype is an
  // artifact of the flattened __try: v12..v17 and the ms_exc fields are just
  // whatever sits on the stack. 4202834 == 0x402152 lies inside this
  // function, presumably the __except/continuation target -- confirm in IDA.
  v4 = LoadLibraryW(L"ntdll.dll");
  v5 = GetProcAddress(v4, "ZwSetInformationThread");
  v6 = GetCurrentThread();
  ((void (__stdcall *)(HANDLE, signed int, _DWORD, _DWORD, signed int, int, int, int, _DWORD, int, int, DWORD, EXCEPTION_POINTERS *, struct _EH3_EXCEPTION_REGISTRATION *, PVOID, PSCOPETABLE_ENTRY, DWORD))v5)(
    v6,
    17,
    0,
    0,
    4202834,
    v12,
    v13,
    v14,
    *(_DWORD *)v15,
    v16,
    v17,
    ms_exc.old_esp,
    ms_exc.exc_ptr,
    ms_exc.registration.Next,
    ms_exc.registration.ExceptionHandler,
    ms_exc.registration.ScopeTable,
    ms_exc.registration.TryLevel);
  // Nothing visible here writes MessageBoxW into dword_428C4C; presumably the
  // (not shown) exception handler does, so this exit fires when the SEH path
  // ran -- i.e. a debugger-dependent condition. Confirm against the handler.
  if ( (int (__stdcall *)(HWND, LPCWSTR, LPCWSTR, UINT))dword_428C4C == MessageBoxW )
    ExitProcess(0);
  if ( sub_401FE0() )                  // validates the part after "TrustMe"
  {
    // Build "success!" byte by byte: 'ccus' / '!sse' are little-endian
    // multi-char constants, so the 9-byte buffer reads s,u,c,c,e,s,s,!,\0.
    v7 = sub_40529F();                 // presumably allocates the 9-byte buffer -- confirm
    *(_DWORD *)v7 = 'ccus';
    *(_DWORD *)(v7 + 4) = '!sse';
    *(_BYTE *)(v7 + 8) = 0;
    v9 = sub_403490(v8, v7);           // v8 is an unset ecx: looks like a thiscall `this` the decompiler lost
    sub_403980(v9, 9);                 // presumably writes the 9 bytes to the console -- confirm
    sub_4061B0("pause");               // presumably system("pause") -- confirm
  }
  return 0;
}

/*
 * sub_401FE0 -- checks the part of the serial that follows "TrustMe".
 *
 * Reads the global dword_428C58 (pointer to the serial string) and, on the
 * length-15 path, permanently advances that global by 7 (side effect).
 * Returns 1 when the serial is exactly 15 characters long and the 8 characters
 * after the prefix convert to 20161018 (0x133A1FA), otherwise 0.
 */
int sub_401FE0()
{
  bool v0; // zf@1
  size_t v1; // ecx@2
  int v2; // esi@6
  // v4/v5/v6 look like an inlined MSVC std::string (buffer-or-pointer, size,
  // capacity) with the capacity preset to the SSO limit of 15 -- confirm.
  void *v4; // [sp+8h] [bp-1Ch]@1
  int v5; // [sp+18h] [bp-Ch]@1
  unsigned int v6; // [sp+1Ch] [bp-8h]@1

  v6 = 15;                                   // capacity
  v5 = 0;                                    // size
  v0 = *(_BYTE *)dword_428C58 == 0;          // empty input?
  LOBYTE(v4) = 0;                            // empty in-place buffer
  if ( v0 )
    v1 = 0;
  else
    v1 = strlen((const char *)dword_428C58);
  sub_4027F0((int)&v4, dword_428C58, v1);    // presumably string::assign(ptr, len); expected to set v5 = v1 -- confirm
  v2 = 0;
  if ( v5 == 15 )                            // 15 == strlen("TrustMe") + 8 digits of 20161018
  {
    dword_428C58 = (char *)dword_428C58 + 7;                        // skip "TrustMe" (global is not restored afterwards)
    if ( sub_406193((char *)dword_428C58) == 20161018 )             // strtol wrapper per the writeup; 20161018 == 0x133A1FA
      v2 = 1;
  }
  if ( v6 >= 0x10 )                          // heap buffer only if capacity grew past SSO; not reached for a 15-char serial
    j__free(v4);
  return v2;
}

另外,在做第9题时,直接输入了23个0,然后就验证成功了.......

