[Original] Problem 1: Helllo-CTF, a brief analysis
Posted: 2017-10-24 14:20 · 1737

First, give it a try: enter an arbitrary password, 1111111111111, click Verify, and a message box pops up saying "加油!" ("keep trying!").
Message box: MessageBoxA/W
Then the program exits straight away~~!



Load it straight into OD and set a breakpoint on MessageBox:
75088830 > 8BFF MOV EDI, EDI ; //MessageBoxA breaks here
75088832 55 PUSH EBP
75088833 8BEC MOV EBP, ESP
75088835 6A 00 PUSH 0x0
75088837 FF75 14 PUSH DWORD PTR SS:[EBP+0x14]
7508883A FF75 10 PUSH DWORD PTR SS:[EBP+0x10]
7508883D FF75 0C PUSH DWORD PTR SS:[EBP+0xC]
75088840 FF75 08 PUSH DWORD PTR SS:[EBP+0x8]
75088843 E8 18000000 CALL MessageBoxExA
75088848 5D POP EBP
75088849 C2 1000 RETN 0x10

Look at the stack and return into the hello main module's code:
004017B0 /$ 55 PUSH EBP ; //set a breakpoint at the function start
004017B1 |. 8BEC MOV EBP, ESP
004017B3 |. 83EC 44 SUB ESP, 0x44
004017B6 |. 53 PUSH EBX
004017B7 |. 56 PUSH ESI
004017B8 |. 57 PUSH EDI
004017B9 |. 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017BB |. 68 78354000 PUSH 00403578 ; |Title = "错了!"
004017C0 |. 68 70354000 PUSH 00403570 ; |Text = "加油!"
004017C5 |. 6A 00 PUSH 0x0 ; |hOwner = NULL
004017C7 |. FF15 00324000 CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
004017CD |. FF15 0C304000 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetCurrentProcess>] ; [//returned here from the stack

With the breakpoint at the function start, reload the program, enter the password 1111111111111 and click Verify; it breaks at the function start we just found. Look at the stack:
0019F43C 00401875 返回到 hello.00401875 来自 hello.004017B0 ; //follow in the disassembler window
0019F440 0019FE38
0019F444 5B283020 mfc42.#?messageMap@CDialog@@1UAFX_MSGMAP@@B_4234
0019F448 00000001

Follow in the disassembler window (or simply press Enter) to return to the key location:
00401875 |> \5F POP EDI ; //returned here from the stack
00401876 |. 5E POP ESI
00401877 |. 5B POP EBX
00401878 |. 8BE5 MOV ESP, EBP
0040187A |. 5D POP EBP
0040187B \. C3 RETN

Then set a breakpoint at the start of this function:
004017F0 /. 55 PUSH EBP ; //set a breakpoint at the function start
004017F1 |. 8BEC MOV EBP, ESP
004017F3 |. 83EC 48 SUB ESP, 0x48
004017F6 |. 53 PUSH EBX
004017F7 |. 56 PUSH ESI
004017F8 |. 57 PUSH EDI
004017F9 |. 894D FC MOV DWORD PTR SS:[EBP-0x4], ECX
004017FC |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
004017FF |. 83C0 64 ADD EAX, 0x64
00401802 |. 50 PUSH EAX
00401803 |. 68 EA030000 PUSH 0x3EA
00401808 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040180B |. E8 14060000 CALL <JMP.&MFC42.#?GetDlgItem@CWnd@@QBEPAV1@H@Z_3092>
00401810 |. 8BC8 MOV ECX, EAX
00401812 |. E8 07060000 CALL <JMP.&MFC42.#?GetWindowTextA@CWnd@@QBEXAAVCString@@@Z>; //GetWindowTextA reads the entered password
00401817 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040181A |. 83C1 64 ADD ECX, 0x64
0040181D |. E8 AE000000 CALL 004018D0
00401822 |. 50 PUSH EAX
00401823 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
00401826 |. 83C1 64 ADD ECX, 0x64
00401829 |. E8 EA050000 CALL <JMP.&MFC42.#?GetBuffer@CString@@QAEPADH@Z_2915>
0040182E |. 8945 F8 MOV DWORD PTR SS:[EBP-0x8], EAX
00401831 |. 8B4D F8 MOV ECX, DWORD PTR SS:[EBP-0x8]
00401834 |. 51 PUSH ECX ; /s
00401835 |. E8 5C060000 CALL <JMP.&MSVCRT.strlen> ; \//strlen: length of the entered password
0040183A |. 83C4 04 ADD ESP, 0x4
0040183D |. 85C0 TEST EAX, EAX ; //is the password empty? if so, prompt for a password
0040183F |. 75 13 JNZ SHORT 00401854 ; //password not empty, so jump
00401841 |. 6A 00 PUSH 0x0
00401843 |. 6A 00 PUSH 0x0
00401845 |. 68 98354000 PUSH 00403598 ; ASCII "请输入pass!"
0040184A |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040184D |. E8 C0050000 CALL <JMP.&MFC42.#?MessageBoxA@CWnd@@QAEHPBD0I@Z_4224>
00401852 |. EB 21 JMP SHORT 00401875
00401854 |> 68 80354000 PUSH 00403580 ; /s2 = "WelcomeToKanXueCtf2017"
00401859 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8] ; |//the entered password
0040185C |. 52 PUSH EDX ; |s1
0040185D |. E8 2E060000 CALL <JMP.&MSVCRT.strcmp> ; \//strcmp string comparison
00401862 |. 83C4 08 ADD ESP, 0x8
00401865 |. 85C0 TEST EAX, EAX
00401867 |. 75 07 JNZ SHORT 00401870 ; //patch point
00401869 |. E8 02FFFFFF CALL 00401770 ; //pass succeeded
0040186E |. EB 05 JMP SHORT 00401875
00401870 |> E8 3BFFFFFF CALL 004017B0 ; //wrong password
00401875 |> 5F POP EDI ; //returned here from the stack

From the key code above it is clear that the password is the constant string WelcomeToKanXueCtf2017.
Verified, it is correct. Haha, pass!
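To make the point of the listing concrete: the check at 004017F0 is a plain strcmp() against a literal, so the secret is recoverable not only by stepping in OD but by a simple scan of the binary's static data. The C below is an added example written for this write-up, not the challenge's own source: it rebuilds the verification routine from the listing (empty check, then strcmp) and runs a minimal strings-style scan over a constructed stand-in for a slice of .rdata. The fake_rdata buffer, STR_CAP and the helper names are assumptions for illustration; the literal and the three branches are taken from the disassembly above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's source. Literal pushed at 00401854. */
#define EXPECTED_PASS "WelcomeToKanXueCtf2017"

/* Mirrors 004017F0..00401875:
 *   0 = empty input   (0040183D TEST EAX,EAX falls through to the "请输入pass!" box)
 *   1 = match         (00401869 CALL 00401770, "pass")
 *   2 = mismatch      (00401870 CALL 004017B0, the "加油!" box) */
int check_password(const char *input)
{
    if (strlen(input) == 0)                 /* 00401835 strlen / 0040183F JNZ */
        return 0;
    if (strcmp(input, EXPECTED_PASS) == 0)  /* 0040185D strcmp / 00401867 JNZ */
        return 1;
    return 2;
}

/* strings-style scan: copy every run of at least min_len printable ASCII bytes
 * into out[] (NUL-terminated, truncated to STR_CAP-1); returns the count found. */
#define STR_CAP 64
size_t find_ascii_strings(const unsigned char *buf, size_t len, size_t min_len,
                          char out[][STR_CAP], size_t max_out)
{
    size_t found = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {     /* i == len flushes a trailing run */
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable) { run++; continue; }
        if (run >= min_len && found < max_out) {
            size_t n = run < STR_CAP - 1 ? run : STR_CAP - 1;
            memcpy(out[found], buf + i - run, n);
            out[found][n] = '\0';
            found++;
        }
        run = 0;
    }
    return found;
}

/* Constructed stand-in for part of the binary's .rdata (NOT a dump of hello.exe):
 * the password literal and a couple of other strings between junk bytes. */
static const unsigned char fake_rdata[] =
    "\x90\x90\x01" "WelcomeToKanXueCtf2017" "\x00\x00\xff" "pass!" "\x00\x02"
    "hello.exe" "\x00";

/* Scans fake_rdata and returns how many recovered candidates check_password()
 * accepts. With a hardcoded strcmp() this is 1: the literal itself. */
int count_accepted_candidates(void)
{
    char hits[8][STR_CAP];
    size_t n = find_ascii_strings(fake_rdata, sizeof fake_rdata, 6, hits, 8);
    int accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (check_password(hits[i]) == 1)
            accepted++;
    return accepted;
}

int main(void)
{
    char hits[8][STR_CAP];
    size_t n = find_ascii_strings(fake_rdata, sizeof fake_rdata, 6, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("candidate \"%s\" -> check_password() = %d\n",
               hits[i], check_password(hits[i]));
    return 0;
}
```

The scan with a minimum length of 6 yields two candidates from the constructed buffer ("WelcomeToKanXueCtf2017" and "hello.exe"); feeding each back into the rebuilt check is exactly the static-analysis shortcut that a literal comparison hands to anyone with a copy of the binary.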

BTW: thanks, Kanxue~~!
