[Original] CTF2017_fpu analysis

2017-10-27 13:46

CTF2017_fpu analysis
1. IDA analysis
Using the string constant " Please input your code: ", locate the place where the input string is read.
.text:00401050 var_C = dword ptr -0Ch
.text:00401050
.text:00401050 sub esp, 0Ch
.text:00401053 push offset aCodedByFpc_ ; " Coded by Fpc.\n\n"
.text:00401058 call sub_413D42
.text:0040105D add esp, 4
.text:00401060 push offset aPleaseInputYou ; " Please input your code: "
.text:00401065 call sub_413D42
.text:0040106A add esp, 4
.text:0040106D lea eax, [esp+0Ch+var_C]
.text:00401071 push eax
.text:00401072 push offset aS ; "%s"
.text:00401077 call _scanf
.text:0040107C lea eax, [esp+14h+var_C]
.text:00401080 add esp, 14h
.text:00401083 retn
.text:00401083 sub_401050 endp
2. Enter an arbitrary input, 12345678, and find the two places that process the return value.
.text:0040101C call sub_401090
.text:00401021 call sub_4010E0
void sub_401090()
{
int v0; // [sp+4h] [bp-8h]@0
int v1; // [sp+8h] [bp-4h]@0
if ( v1 && v0 && v1 != v0 && 5 * (v1 - v0) + v1 == 0x8F503A42 && 13 * (v1 - v0) + v0 == 0xEF503A42 )
--dword_41B034;
}
void sub_4010E0()
{
int v0; // [sp+4h] [bp-8h]@0
int v1; // [sp+8h] [bp-4h]@0
if ( v1 && v0 && v1 != v0 && 17 * (v1 - v0) + v1 == 0xF3A94883 && 7 * (v1 - v0) + v0 == 0x33A94883 )
--dword_41B034;
}
First attempt: brute force.
I wrote a C program that iterated X and Y from 0x20202020 to 0x7F7F7F7F7F; the brute force found nothing.
Then I simplified the formulas and used a calculator:
11(y-x) = c0000000, 4(y-x) = 70000000, y-x = 1c000000,
which gives x = 0xe7503a42, y = 03503a42, but repeated checks showed this to be incorrect.
3. Later, while scrolling through IDA, I noticed that 00403131 looked suspicious.
.text:00413131 db 83h, 0C4h, 0F0h
.text:00413134 dd 20712A70h, 0F1C75F2h, 28741C71h, 2E0671DDh, 870F574h
.text:00413134 dd 74F17169h, 0DC167002h, 0EA74C033h, 0DC261275h,
4. Debugging shows that the address where scanf stores the string is on the stack.
00401077 |. E8 F72C0100 call ctf2017_.00413D73
0040107C |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
00401080 |. 83C4 14 add esp,0x14
00401083 \. C3 retn
0018FF34 0041B08C ASCII "%s"
0018FF38 0018FF3C ASCII "12345678"
0018FF3C 34333231
0018FF40 38373635
0018FF44 00401000 Entry address
0018FF48 0040101C RETURN to ctf2017_.0040101C from ctf2017_.00401050
0018FF4C 00413E3E RETURN to ctf2017_.00413E3E from ctf2017_.00401000
To return to 00413131, the last characters of the input need to be "11A".
This time enter a longer input: 12341234123411A
Execution arrives at 00413131:
00413131 83C4 F0 add esp,-0x10
00413134 70 2A jo short ctf2017_.00413160
00413136 71 20 jno short ctf2017_.00413158
00413138 f2:75 1c repne jne short 00413157
0041313B 0f db 0f
0041313C 71 1C jno short ctf2017_.0041315A
0041313E 74 28 je short ctf2017_.00413168
The code is obfuscated; single-step through it.
........
00413184 A3 34B04100 mov dword ptr ds:[0x41B034],eax
...
004131BA 58 pop eax
004131EB 8BC8 mov ecx,eax
0041321F 58 pop eax
00413254 8BD8 mov ebx,eax
00413289 58 pop eax
004132B5 8BD0 mov edx,eax
004132AD 8BD0 mov edx,eax
004132E2 8BC1 mov eax,ecx
00413316 2BC3 sub eax,ebx
00413349 C1E0 02 shl eax,0x2
00413380 03C1 add eax,ecx
.........
004133E9 2D E217F9EA sub eax,0xEAF917E2
((x - y) * 4) + x + z == 0xEAF917E2
((x - y) * 2) + (x - y) + x + z == 0xE8F508C8
((x - y) * 2) + (x - y) + x - z == 0x0C0A3C68
2z = 0xE8F508C8 - 0x0C0A3C68 = 0xDCEACC60, z = 0x6E756630
x = 0x7473754A, y = 0x726F65E8, z = 0x6E756630
Result: Just0for0fun11A
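The three equations above can be solved mechanically instead of by hand. The following is an added example, not code from the writeup: it subtracts the equations pairwise to isolate (x - y) and 2z, back-substitutes for x and y, verifies the solution modulo 2^32, and decodes the three dwords as the little-endian bytes scanf left on the stack. Solving the system as written gives y = 0x726F6630, which decodes to "0for" and agrees with the final string Just0for0fun.

```python
import struct

# Constants recovered from the obfuscated code at 0x413131 (from the writeup).
# x, y, z are the three input dwords; all arithmetic is 32-bit.
C1 = 0xEAF917E2  # 4*(x - y) + x + z
C2 = 0xE8F508C8  # 3*(x - y) + x + z
C3 = 0x0C0A3C68  # 3*(x - y) + x - z

MASK = 0xFFFFFFFF


def solve_dwords(c1=C1, c2=C2, c3=C3):
    """Solve the linear system for (x, y, z) as 32-bit unsigned values."""
    d = (c1 - c2) & MASK        # (1) - (2): isolates x - y
    two_z = (c2 - c3) & MASK    # (2) - (3): isolates 2z
    # z must be printable ASCII, so its top byte is < 0x80 and 2z did not
    # wrap past 2^32; a plain halving is therefore unambiguous here.
    z = two_z // 2
    x = (c2 - 3 * d - z) & MASK  # back-substitute into (2)
    y = (x - d) & MASK
    return x, y, z


def check(x, y, z, c1=C1, c2=C2, c3=C3):
    """Re-evaluate all three checks exactly as the binary would (mod 2^32)."""
    d = (x - y) & MASK
    return ((4 * d + x + z) & MASK == c1
            and (3 * d + x + z) & MASK == c2
            and (3 * d + x - z) & MASK == c3)


def dwords_to_ascii(*words):
    """Little-endian dwords -> the byte string as it sat in the input buffer."""
    return b"".join(struct.pack("<I", w) for w in words).decode("ascii")


if __name__ == "__main__":
    x, y, z = solve_dwords()
    print(f"x = {x:#010x}, y = {y:#010x}, z = {z:#010x}")
    print("checks pass:", check(x, y, z))
    # The trailing "11A" is the overwritten return address (0x00413131),
    # not part of the three dwords, so it is appended separately.
    print("input:", dwords_to_ascii(x, y, z) + "11A")
```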