[原创]第一题解答-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]第一题解答

发表于: 2017-10-24 16:39 1835

[原创]第一题解答

wx_阿密

2017-10-24 16:39

1835

DebugTool: OD

MessageBoxA 下断，上层可以看到

004017EF CC int3

004017F0 55 push ebp

004017F1 8BEC mov ebp, esp

004017F3 83EC 48 sub esp, 48

004017F6 53 push ebx

004017F7 56 push esi

004017F8 57 push edi

004017F9 894D FC mov dword ptr [ebp-4], ecx

004017FC 8B45 FC mov eax, dword ptr [ebp-4]

004017FF 83C0 64 add eax, 64

00401802 50 push eax

00401803 68 EA030000 push 3EA

00401808 8B4D FC mov ecx, dword ptr [ebp-4]

0040180B E8 14060000 call <jmp.&MFC42.#3092_CWnd::GetDlgItem>

00401810 8BC8 mov ecx, eax

00401812 E8 07060000 call <jmp.&MFC42.#3874_CWnd::GetWindowTextA>

00401817 8B4D FC mov ecx, dword ptr [ebp-4]

0040181A 83C1 64 add ecx, 64

0040181D E8 AE000000 call 004018D0

00401822 50 push eax

00401823 8B4D FC mov ecx, dword ptr [ebp-4]

00401826 83C1 64 add ecx, 64

00401829 E8 EA050000 call <jmp.&MFC42.#2915_CString::GetBuffer>

0040182E 8945 F8 mov dword ptr [ebp-8], eax

00401831 8B4D F8 mov ecx, dword ptr [ebp-8]

00401834 51 push ecx

00401835 E8 5C060000 call <jmp.&MSVCRT.strlen>

0040183A 83C4 04 add esp, 4

0040183D 85C0 test eax, eax

0040183F 75 13 jnz short 00401854

00401841 6A 00 push 0

00401843 6A 00 push 0

00401845 68 98354000 push 00403598 ; ASCII "请输入pass!"

0040184A 8B4D FC mov ecx, dword ptr [ebp-4]

0040184D E8 C0050000 call <jmp.&MFC42.#4224_CWnd::MessageBoxA>

00401852 EB 21 jmp short 00401875

00401854 68 80354000 push 00403580 ; ASCII "WelcomeToKanXueCtf2017" ---->RightAnswer

00401859 8B55 F8 mov edx, dword ptr [ebp-8]

0040185C 52 push edx

0040185D E8 2E060000 call <jmp.&MSVCRT.strcmp>

00401862 83C4 08 add esp, 8

00401865 85C0 test eax, eax

00401867 75 07 jnz short 00401870 //判断是否相等

00401869 E8 02FFFFFF call 00401770 //pass!

0040186E EB 05 jmp short 00401875

00401870 E8 3BFFFFFF call 004017B0 //加油!

00401875 5F pop edi

00401876 5E pop esi

00401877 5B pop ebx

00401878 8BE5 mov esp, ebp

0040187A 5D pop ebp

0040187B C3 retn

0040187C CC int3

00401770 55 push ebp

00401771 8BEC mov ebp, esp

00401773 83EC 44 sub esp, 44

00401776 53 push ebx

00401777 56 push esi

00401778 57 push edi

00401779 6A 00 push 0

0040177B 68 68354000 push 00403568

00401780 68 60354000 push 00403560 ; ASCII "pass!"

00401785 6A 00 push 0

00401787 FF15 00324000 call dword ptr [<&USER32.MessageBoxA>] ; USER32.MessageBoxA

0040178D FF15 0C304000 call dword ptr [<&KERNEL32.GetCurrentProcess>] ; KERNEL32.GetCurrentProcess

00401793 8945 FC mov dword ptr [ebp-4], eax

00401796 6A 00 push 0

00401798 8B45 FC mov eax, dword ptr [ebp-4]

0040179B 50 push eax

0040179C FF15 00304000 call dword ptr [<&KERNEL32.TerminateProcess>] ; KERNEL32.TerminateProcess

004017A2 5F pop edi

004017A3 5E pop esi

004017A4 5B pop ebx

004017A5 8BE5 mov esp, ebp

004017A7 5D pop ebp

004017A8 C3 retn

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・0

免费・0

支持