首页
社区
课程
招聘
[原创]CTF第七题简单思路,待补充
发表于: 2017-6-14 11:17 3483

[原创]CTF第七题简单思路,待补充

Fpc 活跃值
4
2017-6-14 11:17
3483

简单的流程,要出差了,后续再补吧


这个坑比较多

用异常控制流程,我是把int3的NOP掉,后果是不会到验证流程

断在这里,改条件,运行到下面的getcode

.text:0040E3E5 3B 3D 30 2C 40 00                 cmp     edi, Msg
.text:0040E3EB 75 22                             jnz     short loc_40E40F
.text:0040E3ED 8D 45 1C                          lea     eax, [ebp+arg_14]
.text:0040E3F0 C7 45 1C 01 00 00+                mov     [ebp+arg_14], 1
.text:0040E3F7 50                                push    eax
.text:0040E3F8 FF 75 14                          push    [ebp+arg_C]
.text:0040E3FB 8B CB                             mov     ecx, ebx
.text:0040E3FD 56                                push    esi
.text:0040E3FE 57                                push    edi
.text:0040E3FF E8 C9 20 00 00                    call    s_get_code


跟进转码,用到了smc,密钥是PEDIY,编IDC解码

.text:004104F9 FF 76 04                          push    dword ptr [esi+4] ; hDlg
.text:004104FC FF 15 28 3E 45 00                 call    ds:GetDlgItemTextA
.text:00410502 8D 45 80                          lea     eax, [ebp-80h]
.text:00410505 50                                push    eax
.text:00410506 8D 8D 68 FF FF FF                 lea     ecx, [ebp-98h]
.text:0041050C E8 1C F8 FF FF                    call    sub_40FD2D
.text:00410511 83 65 FC 00                       and     dword ptr [ebp-4], 0
.text:00410515 8D 45 E8                          lea     eax, [ebp-18h]
.text:00410518 6A 05                             push    5               ; int
.text:0041051A 50                                push    eax             ; int
.text:0041051B BB AA 01 00 00                    mov     ebx, 1AAh
.text:00410520 C7 45 E8 50 45 44+                mov     dword ptr [ebp-18h], 49444550h
.text:00410527 53                                push    ebx             ; int
.text:00410528 BF 30 1B 41 00                    mov     edi, offset unk_411B30
.text:0041052D C6 45 EC 59                       mov     byte ptr [ebp-14h], 59h
.text:00410531 57                                push    edi             ; int
.text:00410532 E8 9F 08 00 00                    call    s_smc_code
.text:00410537 51                                push    ecx             ; int
.text:00410538 51                                push    ecx             ; int
.text:00410539 8D 85 68 FF FF FF                 lea     eax, [ebp-98h]
.text:0041053F 89 A5 64 FF FF FF                 mov     [ebp-9Ch], esp
.text:00410545 8B CC                             mov     ecx, esp
.text:00410547 50                                push    eax
.text:00410548 E8 BA F7 FF FF                    call    sub_40FD07
.text:0041054D C6 45 FC 01                       mov     byte ptr [ebp-4], 1
.text:00410551 C6 45 FC 00                       mov     byte ptr [ebp-4], 0
.text:00410555 8D 4E 40                          lea     ecx, [esi+40h]
.text:00410558 E8 D3 15 00 00                    call    near ptr unk_411B30
.text:0041055D 6A 05                             push    5
.text:0041055F 8D 45 E8                          lea     eax, [ebp-18h]
.text:00410562 50                                push    eax
.text:00410563 53                                push    ebx
.text:00410564 57                                push    edi
.text:00410565 E8 6C 08 00 00                    call    s_smc_code

     

跟踪时进到411b30, 里面先xor cc , 再用查表,递进index,坑主要在这里,即对应正确结果的key不唯一。经过循环对key再次变换。

再次转码call

text:00411CA4 E8 CC F2 FF FF                    call    s_enc_byte_1


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//