1. 用xdbg64 Search for String references
2. 找到"pass!"被引用的函数,再find reference to selected address
3. 看到以下内容,strcmp的参数
"WelcomeToKanXueCtf2017",strcmp结果决定是否调用成功函数,显然参数就是password
00401854 | 68 80 35 40 00 | push hello.403580 | 403580:"WelcomeToKanXueCtf2017"
00401859 | 8B 55 F8 | mov edx,dword ptr ss:[ebp-8] | edx:EntryPoint, [ebp-8]:BaseThreadInitThunk
0040185C | 52 | push edx | edx:EntryPoint
0040185D | E8 2E 06 00 00 | call <hello.strcmp> |
00401862 | 83 C4 08 | add esp,8 |
00401865 | 85 C0 | test eax,eax |
00401867 | 75 07 | jne hello.401870 |
00401869 | E8 02 FF FF FF | call hello.401770 |
0040186E | EB 05 | jmp hello.401875 |
00401870 | E8 3B FF FF FF | call hello.4017B0 |
