[Original] CTF2018 Challenge 2 Write-up
Posted on: 2018-12-3 15:40
This challenge is fairly simple. First, use the string "Please Input" to locate the following code:
```
00C019B0 | 55 | push ebp |
00C019B1 | 8B EC | mov ebp,esp |
00C019B3 | 81 EC CC 00 00 00 | sub esp,CC |
00C019B9 | 53 | push ebx |
00C019BA | 56 | push esi |
00C019BB | 57 | push edi |
00C019BC | 8D BD 34 FF FF FF | lea edi,dword ptr ss:[ebp-CC] |
00C019C2 | B9 33 00 00 00 | mov ecx,33 | 0x33:'3'
00C019C7 | B8 CC CC CC CC | mov eax,CCCCCCCC |
00C019CC | F3 AB | repe stosd |
00C019CE | B9 07 60 D5 00 | mov ecx,exam.D56007 |
00C019D3 | E8 DC BD FE FF | call exam.BED7B4 |
00C019D8 | 68 BC 25 D1 00 | push exam.D125BC | 0xD125BC:"Please Input:"
00C019DD | 68 E0 31 D5 00 | push exam.D531E0 |
00C019E2 | E8 5F B3 FE FF | call exam.BECD46 |
00C019E7 | 83 C4 08 | add esp,8 |
00C019EA | 6A 1E | push 1E |
00C019EC | 68 68 30 D5 00 | push exam.D53068 |
00C019F1 | 68 9C 22 D1 00 | push exam.D1229C | 0xD1229C:"%s"
00C019F6 | E8 F3 A6 FE FF | call exam.BEC0EE |
```
This is where the input is read. Next, the program computes the length of the input string and checks that length:
```
00C019FB | 83 C4 0C | add esp,C |
00C019FE | 68 68 30 D5 00 | push exam.D53068 | 0xD53068:"1234567A99"
00C01A03 | E8 9E 8F FE FF | call exam.BEA9A6 | compute the string length
00C01A08 | 83 C4 04 | add esp,4 |
00C01A0B | 89 45 F8 | mov dword ptr ss:[ebp-8],eax |
00C01A0E | 83 7D F8 1E | cmp dword ptr ss:[ebp-8],1E | compare the string length with 0x1e
00C01A12 | 7F 06 | jg exam.C01A1A |
00C01A14 | 83 7D F8 0A | cmp dword ptr ss:[ebp-8],A | compare the string length with 0x0a
00C01A18 | 7D 16 | jge exam.C01A30 |
00C01A1A | 68 CC 25 D1 00 | push exam.D125CC |
00C01A1F | E8 B7 8C FE FF | call exam.BEA6DB |
00C01A24 | 83 C4 04 | add esp,4 |
00C01A27 | 6A 00 | push 0 |
00C01A29 | E8 46 A8 FE FF | call exam.BEC274 |
00C01A2E | EB 4E | jmp exam.C01A7E |
```
From the code above, the length of the input string must lie between 0x0a and 0x1e; a length greater than 0x1e or less than 0x0a triggers the input-error message. This is the first check. Continuing downward:
```
00C01A30 | 68 68 30 D5 00 | push exam.D53068 | 0xD53068:"1234567A99"
00C01A35 | 6A 1E | push 1E |
00C01A37 | A1 88 30 D5 00 | mov eax,dword ptr ds:[D53088] | 0x00D53088:"@O0"
00C01A3C | 50 | push eax |
00C01A3D | E8 7D CB FE FF | call exam.BEE5BF | copy the input string to 0xD53088
00C01A42 | 83 C4 0C | add esp,C |
00C01A45 | B8 01 00 00 00 | mov eax,1 |
00C01A4A | 6B C8 07 | imul ecx,eax,7 | ecx = eax * 7
00C01A4D | 8B 15 88 30 D5 00 | mov edx,dword ptr ds:[D53088] | 0x00D53088:"@O0"
00C01A53 | 0F BE 04 0A | movsx eax,byte ptr ds:[edx+ecx] | fetch the 8th character of the input string
00C01A57 | 83 F8 41 | cmp eax,41 | is the 8th character 'A'?
00C01A5A | 74 14 | je exam.C01A70 | jump if it is
00C01A5C | 68 CC 25 D1 00 | push exam.D125CC |
00C01A61 | E8 75 8C FE FF | call exam.BEA6DB |
00C01A66 | 83 C4 04 | add esp,4 |
00C01A69 | 6A 00 | push 0 |
00C01A6B | E8 04 A8 FE FF | call exam.BEC274 |
00C01A70 | A1 88 30 D5 00 | mov eax,dword ptr ds:[D53088] | 0x00D53088:"@O0"
00C01A75 | 50 | push eax |
00C01A76 | E8 29 B9 FE FF | call exam.BED3A4 | process the input string
00C01A7B | 83 C4 04 | add esp,4 |
00C01A7E | 33 C0 | xor eax,eax |
00C01A80 | 5F | pop edi |
00C01A81 | 5E | pop esi |
00C01A82 | 5B | pop ebx |
00C01A83 | 81 C4 CC 00 00 00 | add esp,CC |
00C01A89 | 3B EC | cmp ebp,esp |
00C01A8B | E8 A5 BE FE FF | call exam.BED935 |
00C01A90 | 8B E5 | mov esp,ebp |
00C01A92 | 5D | pop ebp |
00C01A93 | C3 | ret |
```
The code above first copies the input string to 0x0D53088, then checks whether the 8th character of the input is 0x41 (uppercase 'A'). If it is, execution jumps to the string-processing function; otherwise the input-error message is printed. Next, the string-processing function:
```
00BFDBD0 | 55 | push ebp |
00BFDBD1 | 8B EC | mov ebp,esp |
00BFDBD3 | 81 EC CC 00 00 00 | sub esp,CC |
00BFDBD9 | 53 | push ebx |
00BFDBDA | 56 | push esi |
00BFDBDB | 57 | push edi |
00BFDBDC | 8D BD 34 FF FF FF | lea edi,dword ptr ss:[ebp-CC] |
00BFDBE2 | B9 33 00 00 00 | mov ecx,33 | ecx:"1234567A99", 0x33:'3'
00BFDBE7 | B8 CC CC CC CC | mov eax,CCCCCCCC |
00BFDBEC | F3 AB | repe stosd |
00BFDBEE | B9 07 60 D5 00 | mov ecx,exam.D56007 | ecx:"1234567A99"
00BFDBF3 | E8 BC FB FE FF | call exam.BED7B4 |
00BFDBF8 | B8 01 00 00 00 | mov eax,1 |
00BFDBFD | 6B C8 07 | imul ecx,eax,7 | ecx:"1234567A99"
00BFDC00 | 8B 55 08 | mov edx,dword ptr ss:[ebp+8] |
00BFDC03 | C6 04 0A 23 | mov byte ptr ds:[edx+ecx],23 | replace the 8th character of the input string with '#'
00BFDC07 | C7 45 F8 00 00 00 00 | mov dword ptr ss:[ebp-8],0 |
```
The code above mainly replaces the 8th character of the input string with '#'. The input string is then encrypted, with the code below:
```
00BFDC10 | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] |
00BFDC13 | 83 C0 01 | add eax,1 | eax:"1234567#99"
00BFDC16 | 89 45 F8 | mov dword ptr ss:[ebp-8],eax |
00BFDC19 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+8]:"1234567#99"
00BFDC1C | 50 | push eax | eax:"1234567#99"
00BFDC1D | E8 84 CD FE FF | call exam.BEA9A6 | compute the string length
00BFDC22 | 83 C4 04 | add esp,4 |
00BFDC25 | 39 45 F8 | cmp dword ptr ss:[ebp-8],eax |
00BFDC28 | 73 16 | jae exam.BFDC40 |
00BFDC2A | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] | load the string's start address into eax
00BFDC2D | 03 45 F8 | add eax,dword ptr ss:[ebp-8] | add the offset of the character to fetch
00BFDC30 | 0F BE 08 | movsx ecx,byte ptr ds:[eax] | fetch the current character
00BFDC33 | 83 F1 1F | xor ecx,1F | XOR the fetched character with 0x1f
00BFDC36 | 8B 55 08 | mov edx,dword ptr ss:[ebp+8] | [ebp+8]:"1234567#99"
00BFDC39 | 03 55 F8 | add edx,dword ptr ss:[ebp-8] |
00BFDC3C | 88 0A | mov byte ptr ds:[edx],cl | overwrite the character in the string with the encrypted byte
00BFDC3E | EB D0 | jmp exam.BFDC10 |
00BFDC40 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+8]:"1234567#99"
00BFDC43 | 5F | pop edi |
00BFDC44 | 5E | pop esi |
00BFDC45 | 5B | pop ebx |
00BFDC46 | 81 C4 CC 00 00 00 | add esp,CC |
00BFDC4C | 3B EC | cmp ebp,esp |
00BFDC4E | E8 E2 FC FE FF | call exam.BED935 |
00BFDC53 | 8B E5 | mov esp,ebp |
00BFDC55 | 5D | pop ebp |
00BFDC56 | C3 | ret |
```
The code above encrypts the input string (each character is XORed with 0x1f). Next, set a data access breakpoint on the encrypted bytes and simply run the program, which brings us to the following location
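As an added example (not code from the write-up or from the challenge binary), the Python below re-implements the two input checks and the transform recovered from the listings, so the analysis can be verified against the author's sample input "1234567A99". It assumes the XOR loop covers every byte including index 0 (the loop head at 00BFDC10 increments first and the jump that enters the loop at the length comparison is not in the listing), and it takes the expected bytes for the comparison reached via the data breakpoint as an input supplied by the reader, since that listing is not on the page.

```python
# Added example: re-implementation of the checks and the byte transform
# recovered from the listings above (not the challenge's own code).
# Assumption: the XOR loop covers every byte of the buffer, index 0 included.

MIN_LEN, MAX_LEN = 0x0A, 0x1E   # cmp [ebp-8],1E / jg  and  cmp [ebp-8],A / jge
MARK_INDEX = 7                  # imul ecx,eax,7 with eax = 1 -> offset 7
MARK_CHAR = ord("A")            # cmp eax,41
REPLACEMENT = ord("#")          # mov byte ptr [edx+ecx],23
XOR_KEY = 0x1F                  # xor ecx,1F


def passes_input_checks(data: bytes) -> bool:
    """Mirror the two checks in main: 0x0a <= len <= 0x1e and data[7] == 'A'."""
    if len(data) > MAX_LEN or len(data) < MIN_LEN:
        return False            # input-error path at 00C01A1A
    return data[MARK_INDEX] == MARK_CHAR   # index 7 exists: length >= 10 here


def transform(data: bytes) -> bytes:
    """Mirror exam.BED3A4: data[7] = '#', then every byte ^= 0x1f."""
    buf = bytearray(data)
    buf[MARK_INDEX] = REPLACEMENT
    return bytes(b ^ XOR_KEY for b in buf)


def recover_input(expected: bytes) -> bytes:
    """Undo the transform for the bytes the program compares the buffer
    against (read from the comparison reached via the data breakpoint).
    XOR with a constant is its own inverse; position 7 is overwritten with
    '#' before encryption, so it must be 'A' in the original input."""
    if len(expected) <= MARK_INDEX:
        raise ValueError("expected buffer shorter than the checked index")
    plain = bytearray(b ^ XOR_KEY for b in expected)
    plain[MARK_INDEX] = MARK_CHAR
    return bytes(plain)


if __name__ == "__main__":
    sample = b"1234567A99"      # the author's test input seen in the listings
    print(passes_input_checks(sample), transform(sample))
```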