[Discussion] Challenge 1: Helllo-CTF
2017-10-25 14:14 1723
1. In x64dbg, use Search for > String references. The string "pass!" is obviously the success message:
Address=00401780
Disassembly=push hello.403560
String="pass!"
2. Go to the function in which "pass!" is referenced, then use Find references to selected address on it.
3. That leads to the following code. The argument to strcmp is "WelcomeToKanXueCtf2017", and the strcmp result decides whether the success function is called (strcmp returns 0 on a match, so the jne at 00401867 falls through to the call at 00401769 only when the input equals the constant; otherwise it jumps to the failure call at 00401870). So that argument is obviously the password.
00401854 | 68 80 35 40 00 | push hello.403580 | 403580:"WelcomeToKanXueCtf2017"
00401859 | 8B 55 F8 | mov edx,dword ptr ss:[ebp-8] | edx:EntryPoint, [ebp-8]:BaseThreadInitThunk
0040185C | 52 | push edx | edx:EntryPoint
0040185D | E8 2E 06 00 00 | call <hello.strcmp> |
00401862 | 83 C4 08 | add esp,8 |
00401865 | 85 C0 | test eax,eax |
00401867 | 75 07 | jne hello.401870 |
00401869 | E8 02 FF FF FF | call hello.401770 |
0040186E | EB 05 | jmp hello.401875 |
00401870 | E8 3B FF FF FF | call hello.4017B0 |
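To make the three steps reproducible without a debugger session, here is an added example (not part of the original post, and not the challenge's own code) that re-creates the reasoning on the bytes shown in the listing above. The code bytes, their base address 0x401854 and the two strings at 0x403560 and 0x403580 are taken from the listing; the data layout and the tiny opcode-subset decoder are constructed for this example and only handle the instructions that appear in it. The names `disassemble`, `string_references` and `find_password_check` are this example's own.

```python
"""Re-create the writeup's "string references" and "strcmp check" steps.

Constructed example: CODE holds exactly the bytes from the listing above
(0x401854..0x401874); RDATA places the two strings where the debugger showed
them. The decoder below knows only the opcodes in that listing; it is not a
general x86 disassembler.
"""
import struct

CODE_BASE = 0x401854
CODE = bytes.fromhex(
    "68 80 35 40 00"   # push 0x403580           ("WelcomeToKanXueCtf2017")
    "8B 55 F8"         # mov edx, [ebp-8]        (user input pointer)
    "52"               # push edx
    "E8 2E 06 00 00"   # call strcmp
    "83 C4 08"         # add esp, 8
    "85 C0"            # test eax, eax
    "75 07"            # jne 0x401870            (mismatch -> failure path)
    "E8 02 FF FF FF"   # call 0x401770           (success function)
    "EB 05"            # jmp 0x401875
    "E8 3B FF FF FF"   # call 0x4017B0           (failure function)
)

# Constructed read-only data mirroring what the debugger displayed.
RDATA = {
    0x403560: b"pass!\0",
    0x403580: b"WelcomeToKanXueCtf2017\0",
}


def read_cstring(addr):
    """NUL-terminated ASCII string at addr if it lies inside RDATA, else None."""
    for base, data in RDATA.items():
        if base <= addr < base + len(data):
            return data[addr - base:].split(b"\0", 1)[0].decode("ascii")
    return None


def disassemble(code=CODE, base=CODE_BASE):
    """Decode the listing's opcode subset into (addr, mnemonic, operand) tuples.
    call/jne/jmp operands are resolved to absolute targets (rel is from the
    end of the instruction), which is what the debugger prints."""
    insns, pc = [], 0
    while pc < len(code):
        addr, op = base + pc, code[pc]
        if op == 0x68:                                   # push imm32
            imm = struct.unpack_from("<I", code, pc + 1)[0]
            insns.append((addr, "push", imm)); pc += 5
        elif op == 0x8B and code[pc + 1] == 0x55:        # mov edx, [ebp+disp8]
            disp = struct.unpack_from("<b", code, pc + 2)[0]
            insns.append((addr, "mov", ("edx", "ebp", disp))); pc += 3
        elif op == 0x52:                                 # push edx
            insns.append((addr, "push", "edx")); pc += 1
        elif op == 0xE8:                                 # call rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            insns.append((addr, "call", addr + 5 + rel)); pc += 5
        elif op == 0x83 and code[pc + 1] == 0xC4:        # add esp, imm8
            insns.append((addr, "add", ("esp", code[pc + 2]))); pc += 3
        elif op == 0x85 and code[pc + 1] == 0xC0:        # test eax, eax
            insns.append((addr, "test", ("eax", "eax"))); pc += 2
        elif op in (0x75, 0xEB):                         # jne rel8 / jmp rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            insns.append((addr, "jne" if op == 0x75 else "jmp", addr + 2 + rel)); pc += 2
        else:
            raise ValueError(f"unsupported opcode {op:#x} at {addr:#x}")
    return insns


def string_references(insns):
    """Step 1: every pushed immediate that points into a known string.
    Returns [(insn_addr, string_addr, text), ...]."""
    return [(addr, imm, read_cstring(imm)) for addr, mn, imm in insns
            if mn == "push" and isinstance(imm, int) and read_cstring(imm) is not None]


def find_password_check(insns):
    """Step 3: a string pushed as an argument to a call whose result is tested
    with test eax,eax / jne. strcmp returns 0 on equality, so the fall-through
    call is the success function and the jne target leads to the failure call."""
    for i, (addr, mn, imm) in enumerate(insns):
        if mn != "push" or not isinstance(imm, int) or read_cstring(imm) is None:
            continue
        j = next(k for k in range(i + 1, len(insns)) if insns[k][1] == "call")
        k = next(k for k in range(j + 1, len(insns)) if insns[k][1] == "test")
        _, jne_mn, fail_target = insns[k + 1]
        _, succ_mn, success = insns[k + 2]
        if jne_mn != "jne" or succ_mn != "call":
            continue
        failure = next(t for a, m, t in insns if a == fail_target and m == "call")
        return {"password": read_cstring(imm), "strcmp": insns[j][2],
                "success": success, "failure": failure}
    return None


if __name__ == "__main__":
    insns = disassemble()
    for addr, mn, operand in insns:
        print(f"{addr:08X}  {mn:<5} {operand if not isinstance(operand, int) else f'{operand:#x}'}")
    print("string references:", string_references(insns))
    print("password check:", find_password_check(insns))
```

The "pass!" reference at 00401780 lies outside the bytes copied above, so `string_references` reports only the constant at 0x403580; running the same scan over the whole .text section is exactly what the debugger's String references search does. Resolving the call targets also confirms the listing: the strcmp stub is at 0x401E90, the success function at 0x401770 and the failure function at 0x4017B0.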