[Original] Challenge 1: Helllo-CTF
Posted on: 2017-10-24 14:01 2583

1. Start the program and enter an arbitrary registration code, as shown in the figure below.
2. Open windbg, press F6 to attach to the hello.exe process, and enter the ~*k command to view the call stacks of all threads.
0  Id: 3930.2730 Suspend: 1 Teb: 002e7000 Unfrozen
ChildEBP RetAddr 
0019f148 74d4d20f win32u!NtUserWaitMessage+0xc
0019f188 74d5eb3c USER32!DialogBox2+0x102
0019f1b8 74daed29 USER32!InternalDialogBox+0xd1
0019f26c 7403390c USER32!SoftModalMessageBox+0xb99
0019f274 74dadf18 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019f4b0 004017cd USER32!MessageBoxWorker+0x29a
0019f518 00401875 hello+0x17cd
0019f574 66f46015 hello+0x1875
0019f57c 66f3eceb MFC42!Mfc42CfgThunk0+0x15
0019f590 66f414ba MFC42!_AfxDispatchCmdMsg+0x7b
0019f5c8 66f73707 MFC42!CCmdTarget::OnCmdMsg+0xba
0019f5f0 66f3dd67 MFC42!CPropertySheet::OnCmdMsg+0x27
0019f6a0 66f3dfb0 MFC42!CWnd::OnCommand+0x1d7
0019f738 66f3e5c0 MFC42!CWnd::OnWndMsg+0x1b0
0019f764 66f39508 MFC42!CWnd::WindowProc+0x40
0019f7e4 66f393d1 MFC42!AfxCallWndProc+0x108
0019f828 74d72f8b MFC42!AfxWndProcBase+0xf1
0019f854 74d65443 USER32!_InternalCallWinProc+0x2b
0019f93c 74d50bec USER32!UserCallWinProcCheckWow+0x2d3
0019f9a0 74d5090f USER32!SendMessageWorker+0x26c
0019f9d8 74d8f0b2 USER32!SendMessageW+0x13f
0019fa00 74d8ea03 USER32!xxxButtonNotifyParent+0x66
0019fa28 74d8de86 USER32!xxxBNReleaseCapture+0x150
0019fac4 74d8d322 USER32!ButtonWndProcWorker+0xad6
0019faf0 74d72f8b USER32!ButtonWndProcA+0x52
0019fb1c 74d65443 USER32!_InternalCallWinProc+0x2b
0019fc04 74d64dd2 USER32!UserCallWinProcCheckWow+0x2d3
0019fc78 74d4d42b USER32!DispatchMessageWorker+0x222
0019fca8 74d4a65e USER32!IsDialogMessageW+0xeb
0019fcd4 66f7c80b USER32!IsDialogMessageA+0x4e
0019fcf0 66f604ce MFC42!CWnd::IsDialogMessageA+0x4b
0019fd00 66f73a24 MFC42!CWnd::PreTranslateInput+0x2e
0019fd14 66f352fd MFC42!CDialog::PreTranslateMessage+0x94
0019fd48 66f35403 MFC42!CWinThread::PreTranslateMessage+0xdd
0019fd64 66f605ed MFC42!CWinThread::PumpMessage+0x43
0019fd90 66f7343d MFC42!CWnd::RunModalLoop+0x10d
0019fddc 004011a8 MFC42!CDialog::DoModal+0xed
0019feb4 66f43e95 hello+0x11a8
0019fed0 00402043 MFC42!AfxWinMain+0x75
0019ff80 76c98744 hello+0x2043
0019ff94 76ff582d KERNEL32!BaseThreadInitThunk+0x24
0019ffdc 76ff57fd ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0019f518 00401875 hello+0x17cd
0019f574 66f46015 hello+0x1875
These two frames are the places in hello.exe that call MessageBox, i.e. the return addresses 004017cd and 00401875.

3. Open IDA, load Hello.exe, press g and jump to 004017cd and 00401875.


.text:00401854 ; ---------------------------------------------------------------------------
.text:00401854
.text:00401854 loc_401854:                             ; CODE XREF: sub_4017F0+4F↑j
.text:00401854                 push    offset Str2     ; "WelcomeToKanXueCtf2017"
.text:00401859                 mov     edx, [ebp+Str]
.text:0040185C                 push    edx             ; Str1
.text:0040185D                 call    strcmp
.text:00401862                 add     esp, 8
.text:00401865                 test    eax, eax
.text:00401867                 jnz     short loc_401870
.text:00401869                 call    ShowSuccMsgsub_401770
.text:0040186E                 jmp     short loc_401875
.text:00401870 ; ---------------------------------------------------------------------------
.text:00401870
.text:00401870 loc_401870:                             ; CODE XREF: sub_4017F0+77↑j
.text:00401870                 call    ShowErrMsgsub_4017B0
.text:00401875
.text:00401875 loc_401875:                             ; CODE XREF: sub_4017F0+62↑j
.text:00401875                                         ; sub_4017F0+7E↑j
.text:00401875                 pop     edi
.text:00401876                 pop     esi
.text:00401877                 pop     ebx
.text:00401878                 mov     esp, ebp
.text:0040187A                 pop     ebp
.text:0040187B                 retn
.text:0040187B sub_4017F0      endp
Analysing the code above shows that the program compares the input against the string WelcomeToKanXueCtf2017; if they match, the success dialog is shown.

Summary: windbg lets you quickly locate the code that shows the message box.
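To automate the reading of step 2 (pulling the return addresses into hello.exe out of the ~*k listing), here is an added Python example that is not part of the original post. It parses a constructed excerpt of the listing above, walks outward from the USER32!MessageBox* frame while the stack stays inside hello, and cross-checks the image base (0x400000 here) from the hello+0x... offsets.

```python
import re
from typing import List, Optional
# Constructed excerpt of the `~*k` listing in the write-up (ChildEBP RetAddr Symbol);
# hello.exe has no symbols, so windbg shows its frames as "hello+0x<offset>".
STACK_DUMP = """\
ChildEBP RetAddr
0019f4b0 004017cd USER32!MessageBoxWorker+0x29a
0019f518 00401875 hello+0x17cd
0019f574 66f46015 hello+0x1875
0019f57c 66f3eceb MFC42!Mfc42CfgThunk0+0x15
0019fddc 004011a8 MFC42!CDialog::DoModal+0xed
0019feb4 66f43e95 hello+0x11a8
"""
FRAME_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$", re.I)

def parse_frames(dump: str) -> List[dict]:
    """Parse a windbg k/~*k listing into {retaddr, symbol} dicts, skipping header lines."""
    frames = []
    for line in dump.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"retaddr": int(m.group(2), 16), "symbol": m.group(3)})
    return frames

def module_of(symbol: str) -> str:
    """'USER32!MessageBoxWorker+0x29a' -> 'user32'; 'hello+0x17cd' -> 'hello'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()

def find_return_sites(dump: str, module: str, api_prefix: str = "USER32!MessageBox") -> List[int]:
    """Return addresses in `module` reached on the way back from an api_prefix frame (innermost first)."""
    frames, sites = parse_frames(dump), []
    for i, f in enumerate(frames):
        if not f["symbol"].startswith(api_prefix):
            continue
        j = i
        while j + 1 < len(frames) and module_of(frames[j + 1]["symbol"]) == module.lower():
            sites.append(frames[j]["retaddr"])  # frame j returns to this address inside module
            j += 1
    return sites

def infer_module_base(dump: str, module: str) -> Optional[int]:
    """Frame n's RetAddr must equal base + offset of frame n+1's 'module+0x..'; None if pairs disagree."""
    frames, bases = parse_frames(dump), set()
    for prev, cur in zip(frames, frames[1:]):
        m = re.fullmatch(re.escape(module) + r"\+0x([0-9a-f]+)", cur["symbol"], re.I)
        if m:
            bases.add(prev["retaddr"] - int(m.group(1), 16))
    return bases.pop() if len(bases) == 1 else None
```

The addresses returned by find_return_sites are exactly the ones to type after g in IDA.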





Latest replies (1)
Why doesn't any of the code display?
2017-10-24 14:56