[Original] Question 1: Helllo-CTF brief analysis

Posted: 2017-10-24 14:20
First, play with it: enter an arbitrary password, 1111111111111, click Verify, and a message box pops up: 加油! ("keep it up!")
Message box: MessageBoxA/W
Then the program exits straight away!
Load it straight into OD (OllyDbg) and set a breakpoint on MessageBox.
Look at the stack and return into the hello main module's own code:
75088830 > 8BFF MOV EDI, EDI ; //MessageBoxA breaks here
75088832 55 PUSH EBP
75088833 8BEC MOV EBP, ESP
75088835 6A 00 PUSH 0x0
75088837 FF75 14 PUSH DWORD PTR SS:[EBP+0x14]
7508883A FF75 10 PUSH DWORD PTR SS:[EBP+0x10]
7508883D FF75 0C PUSH DWORD PTR SS:[EBP+0xC]
75088840 FF75 08 PUSH DWORD PTR SS:[EBP+0x8]
75088843 E8 18000000 CALL MessageBoxExA
75088848 5D POP EBP
75088849 C2 1000 RETN 0x10
004017B0 /$ 55 PUSH EBP ; //breakpoint at function entry
004017B1 |. 8BEC MOV EBP, ESP
004017B3 |. 83EC 44 SUB ESP, 0x44
004017B6 |. 53 PUSH EBX
004017B7 |. 56 PUSH ESI
004017B8 |. 57 PUSH EDI
004017B9 |. 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017BB |. 68 78354000 PUSH 00403578 ; |Title = "错了!"
004017C0 |. 68 70354000 PUSH 00403570 ; |Text = "加油!"
004017C5 |. 6A 00 PUSH 0x0 ; |hOwner = NULL
004017C7 |. FF15 00324000 CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
004017CD |. FF15 0C304000 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetCurrentProcess>] ; [//returned here from the stack
Set a breakpoint at this function entry, reload the program, enter the password 1111111111111 and click Verify; it breaks at that entry. Look at the stack:
0019F43C 00401875 返回到 hello.00401875 来自 hello.004017B0 ;//follow in the disassembler window
0019F440 0019FE38
0019F444 5B283020 mfc42.#?messageMap@CDialog@@1UAFX_MSGMAP@@B_4234
0019F448 00000001
Follow in the disassembler window (or just press Enter) to return to the key point:
00401875 |> \5F POP EDI ; //returned here from the stack
00401876 |. 5E POP ESI
00401877 |. 5B POP EBX
00401878 |. 8BE5 MOV ESP, EBP
0040187A |. 5D POP EBP
0040187B \. C3 RETN
Then set a breakpoint at the entry of this function:
004017F0 /. 55 PUSH EBP ; //breakpoint at function entry
004017F1 |. 8BEC MOV EBP, ESP
004017F3 |. 83EC 48 SUB ESP, 0x48
004017F6 |. 53 PUSH EBX
004017F7 |. 56 PUSH ESI
004017F8 |. 57 PUSH EDI
004017F9 |. 894D FC MOV DWORD PTR SS:[EBP-0x4], ECX
004017FC |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4]
004017FF |. 83C0 64 ADD EAX, 0x64
00401802 |. 50 PUSH EAX
00401803 |. 68 EA030000 PUSH 0x3EA
00401808 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040180B |. E8 14060000 CALL <JMP.&MFC42.#?GetDlgItem@CWnd@@QBEPAV1@H@Z_3092>
00401810 |. 8BC8 MOV ECX, EAX
00401812 |. E8 07060000 CALL <JMP.&MFC42.#?GetWindowTextA@CWnd@@QBEXAAVCString@@@Z>; //GetWindowTextA reads the entered password
00401817 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040181A |. 83C1 64 ADD ECX, 0x64
0040181D |. E8 AE000000 CALL 004018D0
00401822 |. 50 PUSH EAX
00401823 |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
00401826 |. 83C1 64 ADD ECX, 0x64
00401829 |. E8 EA050000 CALL <JMP.&MFC42.#?GetBuffer@CString@@QAEPADH@Z_2915>
0040182E |. 8945 F8 MOV DWORD PTR SS:[EBP-0x8], EAX
00401831 |. 8B4D F8 MOV ECX, DWORD PTR SS:[EBP-0x8]
00401834 |. 51 PUSH ECX ; /s
00401835 |. E8 5C060000 CALL <JMP.&MSVCRT.strlen> ; \//strlen: length of the entered password
0040183A |. 83C4 04 ADD ESP, 0x4
0040183D |. 85C0 TEST EAX, EAX ; //is the password empty? if so, prompt for a password
0040183F |. 75 13 JNZ SHORT 00401854 ; //password not empty: jump
00401841 |. 6A 00 PUSH 0x0
00401843 |. 6A 00 PUSH 0x0
00401845 |. 68 98354000 PUSH 00403598 ; ASCII "请输入pass!"
0040184A |. 8B4D FC MOV ECX, DWORD PTR SS:[EBP-0x4]
0040184D |. E8 C0050000 CALL <JMP.&MFC42.#?MessageBoxA@CWnd@@QAEHPBD0I@Z_4224>
00401852 |. EB 21 JMP SHORT 00401875
00401854 |> 68 80354000 PUSH 00403580 ; /s2 = "WelcomeToKanXueCtf2017"
00401859 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-0x8] ; |//the entered password
0040185C |. 52 PUSH EDX ; |s1
0040185D |. E8 2E060000 CALL <JMP.&MSVCRT.strcmp> ; \//strcmp string comparison
00401862 |. 83C4 08 ADD ESP, 0x8
00401865 |. 85C0 TEST EAX, EAX
00401867 |. 75 07 JNZ SHORT 00401870 ; //patch point (the single branch that decides pass/fail)
00401869 |. E8 02FFFFFF CALL 00401770 ; //pass: success
0040186E |. EB 05 JMP SHORT 00401875
00401870 |> E8 3BFFFFFF CALL 004017B0 ; //wrong password
00401875 |> 5F POP EDI ; //returned here from the stack
From the key code above, the password is the constant string WelcomeToKanXueCtf2017: it is pushed as the strcmp argument straight from the data section, so the check reveals the secret to anyone who reads the binary.
Verify it: correct, haha, it passes: pass!
BTW: thanks, KanXue!