-
-
[原创]看雪CTF2017 第一题
-
发表于:
2017-6-1 18:05
2173
-
用IDA打开文件,并查看字符串,发现提示成功的字符串,在0x004012B4处引
.data:00408048 aRegistrationSu db 'Registration successful !',0 ; DATA XREF: .text:004012B4�
查看0x004012B4处代码,往上面翻查看流程发现GetDlgItemTextA。从此处开始分析
.text:004011F4 push ebp
.text:004011F5 mov ebp, esp
.text:004011F7 sub esp, 1Ch
.text:004011FA lea eax, [ebp-1Ch]
.text:004011FD push 15h
.text:004011FF push eax ;buffer
.text:00401200 push 3E9h
.text:00401205 push hDlg
.text:0040120B call ds:GetDlgItemTextA ;获取输入的字符串,返回在buffer中
.text:00401211 push 1F4h
.text:00401216 call ds:Sleep
.text:0040121C lea eax, [ebp-1Ch]
.text:0040121F push eax
.text:00401220 call _strlen ;获取输入字符串的长度
.text:00401225 cmp eax, 4 ;输入长度必须为4位
.text:00401228 pop ecx
.text:00401229 jnz error
.text:0040122F push 30h
.text:00401231 pop ecx ;ecx=0x30
.text:00401232 cmp [ebp-1Ch], cl ;字符串中不能带有"0"
.text:00401235 jz error
.text:0040123B cmp [ebp-1Bh], cl
.text:0040123E jz short error
.text:00401240 cmp [ebp-1Ah], cl
.text:00401243 jz short error
.text:00401245 cmp [ebp-19h], cl
.text:00401248 jz short error
.text:0040124A jz short loc_40124F
.text:0040124C jnz short loc_40124F
.text:0040124F mov ax, 8
.text:00401253 xor ax, 7
.text:00401257 movsx eax, byte ptr [ebp-1Ah] ;第3个字符减去0x30
.text:0040125B sub eax, ecx
.text:0040125D mov [ebp-4], eax
.text:00401260 movsx eax, byte ptr [ebp-1Ch]
.text:00401264 fild dword ptr [ebp-4] ;将ASCII_3 - 0x30压入FPU
.text:00401267 sub eax, ecx ;第1个字符减去0x030
.text:00401269 mov [ebp-4], eax
.text:0040126C movsx eax, byte ptr [ebp-1Bh]
.text:00401270 fild dword ptr [ebp-4] ;将ASCII_1 - 0x30压入FP
.text:00401273 sub eax, ecx ;第2个字符减去0x030
.text:00401275 mov [ebp-4], eax
.text:00401278 fidiv dword ptr [ebp-4] ;st(0) = (ASCII_1 - 0x30) / (ASCII_2 - 0x30)
.text:0040127B movsx eax, byte ptr [ebp-19h]
.text:0040127F sub eax, ecx ;第4个字符减去0x30
.text:00401281 mov [ebp-4], eax
.text:00401284 fsubp st(1), st ;st(0)=st(1)-st(0) st(1)=ASCII_3-0x30
.text:00401286 fimul dword ptr [ebp-4] ;st(0) = st(0) * (ASCII_4 - 0x30)
.text:00401289 fmul ds:flt_40711C ;st(0) = st(0)*16
.text:0040128F fstp dword ptr [ebp-4]
.text:00401292 jz short loc_401297
.text:00401294 jnz short loc_40129
.text:00401297
.text:00401297 loc_401297:
.text:00401297
.text:00401297 mov ax, 8
.text:0040129B xor ax, 7
.text:0040129F fld dword ptr [ebp-4]
.text:004012A2 fcomp ds:flt_407118 ;将st(0)比较384 相等的话提示成功
.text:004012A8 push 0
.text:004012AA push offset aCrackme2017Ctf ;"CrackMe 2017 CTF"
.text:004012AF fnstsw ax
.text:004012B1 sahf
.text:004012B2 jnz short loc_4012C2
.text:004012B4 push offset aRegistrationSu ;"Registration successful !"
.text:004012B9 jmp short loc_4012C7
总结: 长度为4,不能带"0", (ASCII_3-0x30 - (ASCII_1 - 0x30) / (ASCII_2 - 0x30) ) * (ASCII_4 - 0x30) = 384/16
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
