[Original] CTF problem 7: a brief approach, to be completed
2017-6-14 11:17
A quick walkthrough. I am about to leave on a business trip, so I will fill in the rest later.
This one has quite a few pitfalls.
Control flow is driven by exceptions. I NOPed out the int3, with the consequence that the verification path is never reached.
Break here, change the condition, and run down to the getcode call below:
.text:0040E3E5 3B 3D 30 2C 40 00 cmp edi, Msg
.text:0040E3EB 75 22 jnz short loc_40E40F
.text:0040E3ED 8D 45 1C lea eax, [ebp+arg_14]
.text:0040E3F0 C7 45 1C 01 00 00+ mov [ebp+arg_14], 1
.text:0040E3F7 50 push eax
.text:0040E3F8 FF 75 14 push [ebp+arg_C]
.text:0040E3FB 8B CB mov ecx, ebx
.text:0040E3FD 56 push esi
.text:0040E3FE 57 push edi
.text:0040E3FF E8 C9 20 00 00 call s_get_code
Step into the transcoding routine: it uses SMC, the key is PEDIY (see the mov of 49444550h and 59h below), and I wrote an IDC script to decode it.
.text:004104F9 FF 76 04 push dword ptr [esi+4] ; hDlg
.text:004104FC FF 15 28 3E 45 00 call ds:GetDlgItemTextA
.text:00410502 8D 45 80 lea eax, [ebp-80h]
.text:00410505 50 push eax
.text:00410506 8D 8D 68 FF FF FF lea ecx, [ebp-98h]
.text:0041050C E8 1C F8 FF FF call sub_40FD2D
.text:00410511 83 65 FC 00 and dword ptr [ebp-4], 0
.text:00410515 8D 45 E8 lea eax, [ebp-18h]
.text:00410518 6A 05 push 5 ; int
.text:0041051A 50 push eax ; int
.text:0041051B BB AA 01 00 00 mov ebx, 1AAh
.text:00410520 C7 45 E8 50 45 44+ mov dword ptr [ebp-18h], 49444550h
.text:00410527 53 push ebx ; int
.text:00410528 BF 30 1B 41 00 mov edi, offset unk_411B30
.text:0041052D C6 45 EC 59 mov byte ptr [ebp-14h], 59h
.text:00410531 57 push edi ; int
.text:00410532 E8 9F 08 00 00 call s_smc_code
.text:00410537 51 push ecx ; int
.text:00410538 51 push ecx ; int
.text:00410539 8D 85 68 FF FF FF lea eax, [ebp-98h]
.text:0041053F 89 A5 64 FF FF FF mov [ebp-9Ch], esp
.text:00410545 8B CC mov ecx, esp
.text:00410547 50 push eax
.text:00410548 E8 BA F7 FF FF call sub_40FD07
.text:0041054D C6 45 FC 01 mov byte ptr [ebp-4], 1
.text:00410551 C6 45 FC 00 mov byte ptr [ebp-4], 0
.text:00410555 8D 4E 40 lea ecx, [esi+40h]
.text:00410558 E8 D3 15 00 00 call near ptr unk_411B30
.text:0041055D 6A 05 push 5
.text:0041055F 8D 45 E8 lea eax, [ebp-18h]
.text:00410562 50 push eax
.text:00410563 53 push ebx
.text:00410564 57 push edi
.text:00410565 E8 6C 08 00 00 call s_smc_code
While tracing you land in 411b30, which first XORs with 0CCh and then does a table lookup with an advancing index. The main pitfall is here: more than one key maps to the correct result. After the loop the key is transformed once more.
The second transcoding call:
.text:00411CA4 E8 CC F2 FF FF call s_enc_byte_1
The result is then converted to a string; each character is divided by 4, taking the quotient and the remainder, and the comparison happens here. There is no trap at this point, and the constant table has not been tampered with.
.text:00411825 sub_411825 proc near ; CODE XREF: s_get_code+A3p
.text:00411825 6A 18 push 18h
.text:00411827 B8 4A 05 45 00 mov eax, offset loc_45054A
.text:0041182C E8 DD 27 00 00 call s_prelog_1
.text:00411831 89 4D E4 mov [ebp-1Ch], ecx ; code table
.text:00411834 E8 3C 01 00 00 call s_check_code10
.text:00411839 84 C0 test al, al
.text:0041183B 0F 84 D8 00 00 00 jz loc_411919
The jump above must not be taken.
Next it allocates memory and decodes it with the entered key. This is the trap: several keys pass the verification, but only one of them decodes correctly. I used asm, Excel and an IDC script and worked it out slowly by trial and error.....
Here is the script:
static main()
{
auto i,j,from,size,fromend,address,len,key,cbyte;
from=0x411a9c; // start address of the SMC region
len=0x94;
fromend=from+len; // end address (exclusive)
i=0;
while (from<fromend)
{
// XOR each byte with the next key character; the comment on each line
// is the plaintext byte expected at that position (a standard function prologue)
PatchByte(from,Byte(from)^'B'); //55 1
from++;
PatchByte(from,Byte(from)^'w'); //8b 2
from++;
PatchByte(from,Byte(from)^'n'); //ec 3
from++;
PatchByte(from,Byte(from)^'s'); //6a 4
from++;
PatchByte(from,Byte(from)^'A'); //ff 5
from++;
PatchByte(from,Byte(from)^'t'); // 68
from++;
PatchByte(from,Byte(from)^'P'); //e8
from++;
PatchByte(from,Byte(from)^'e'); //05
from++;
PatchByte(from,Byte(from)^'d'); //45
from++;
if(from>=fromend) // 0x94 is not a multiple of the key length; stop at the region end
break;
PatchByte(from,Byte(from)^'i'); //00
from++;
if(from>=fromend)
break;
PatchByte(from,Byte(from)^'y'); //64 mov eax, fs:[...]
from++;
PatchByte(from,Byte(from)^'2'); //a1
from++;
PatchByte(from,Byte(from)^'0'); //0
from++;
PatchByte(from,Byte(from)^'1'); //0
from++;
PatchByte(from,Byte(from)^'7'); //0
from++;
PatchByte(from,Byte(from)^'K'); //00
from++;
PatchByte(from,Byte(from)^'X'); //push eax
from++;
PatchByte(from,Byte(from)^'9'); //
from++;
PatchByte(from,Byte(from)^'O'); //
from++;
PatchByte(from,Byte(from)^'k');//
from++;
}
Message("\n" + "OK\n");
}
The correct key is the one in the script above: BwnsAtPediy2017KX9Ok
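The IDC script above hard-codes one key and one region. The following is an added example, not code from the original post, that does the same repeating-key XOR decode outside IDA and adds the check the author did by hand: a decoded SMC function should begin with the x86 SEH prologue whose bytes appear in the script's comments (push ebp / mov ebp,esp / push -1 / push handler / mov eax, fs:[0] / push eax), and where that prologue is known, the key bytes at those offsets fall out directly as cipher ^ plaintext. The cipher blob is constructed here by encoding a fake prologue plus filler with the key from the post; the handler address 0x00400000 inside it is a placeholder, not a value from the binary.

```python
# Added example (not from the original post): repeating-key XOR decode of an
# SMC region, plus the known-plaintext checks used to validate a candidate key.
from typing import List, Optional

# Bytes the decoded region should start with, taken from the comments in the
# IDC script: push ebp / mov ebp,esp / push -1 / push <handler> /
# mov eax, fs:[0] / push eax.  None marks a byte we cannot know in advance
# (the handler address).
SEH_PROLOGUE: List[Optional[int]] = [
    0x55, 0x8B, 0xEC, 0x6A, 0xFF,
    0x68, None, None, None, None,
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,
    0x50,
]

KEY = b"BwnsAtPediy2017KX9Ok"  # the key named in the post


def xor_decode(buf: bytes, key: bytes) -> bytes:
    """XOR buf with key, repeating the key (same operation as the IDC loop)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def matches_pattern(code: bytes, pattern: List[Optional[int]]) -> bool:
    """True if code starts with pattern; None entries match any byte."""
    if len(code) < len(pattern):
        return False
    return all(p is None or code[i] == p for i, p in enumerate(pattern))


def recover_key_bytes(cipher: bytes, pattern: List[Optional[int]]) -> List[Optional[int]]:
    """Known-plaintext step: key[i] = cipher[i] ^ plain[i] wherever plain[i] is known.

    Offsets whose plaintext is unknown come back as None; those key bytes
    still have to be found by other means (the trial and error the post describes).
    """
    if len(cipher) < len(pattern):
        raise ValueError("cipher shorter than pattern")
    return [None if p is None else cipher[i] ^ p for i, p in enumerate(pattern)]


# Constructed sample (not from the binary): a fake 0x30-byte function made of
# the prologue with placeholder handler 0x00400000, followed by filler, then
# encoded with KEY so that it stands in for the SMC region.
_PLAIN = bytes([0x55, 0x8B, 0xEC, 0x6A, 0xFF,
                0x68, 0x00, 0x00, 0x40, 0x00,
                0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,
                0x50]) + bytes(range(0x30 - 17))
SAMPLE_CIPHER = xor_decode(_PLAIN, KEY)


if __name__ == "__main__":
    for candidate in (b"PEDIY", KEY):
        ok = matches_pattern(xor_decode(SAMPLE_CIPHER, candidate), SEH_PROLOGUE)
        print(f"{candidate!r}: {'prologue found' if ok else 'no prologue'}")
    recovered = recover_key_bytes(SAMPLE_CIPHER, SEH_PROLOGUE)
    print("key bytes from known plaintext:",
          "".join("?" if k is None else chr(k) for k in recovered))
```

Decoding with the wrong key (PEDIY, the key of the first SMC stage) leaves no recognisable prologue, while the post's key does; the known-plaintext step recovers BwnsAt and y2017KX but leaves the four bytes under the handler address open, which is exactly where candidate keys have to be tried.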