[原创]看雪CTF.TSRC 2018 團隊赛 半加器WP
发表于: 2018-12-3 21:06
Microsoft Linker(14.15)[EXE32,console]
0x01. 在 OD 中用字符串參考（"Please Input:"、"输入错误;"）定位關鍵函數，即下面的 main（001F19B0）：
; main() of Exam.exe as shown by OllyDbg (linker 14.15 => VS2017; the 0xCC stack fill and the
; cmp ebp,esp / call pair at the end look like an MSVC debug build).
; Flow: prompt -> read input (size 30) -> strlen -> length check -> copy into a heap buffer
; -> 8th byte must be 'A' -> call the XOR routine at 001EDBD0 (via the thunk at 001DD3A4).
; Every failed check prints "输入错误;" and leaves through what looks like exit(0); main
; never returns a failure code. Nothing in this listing compares the XOR result: eax is
; zeroed right after the call, so the final check must happen elsewhere (not shown here).
; Column layout is OllyDbg's: address, flow marker, opcode bytes, instruction ; comment.
001F19B0 /> \55 push ebp
001F19B1 |. 8BEC mov ebp,esp
001F19B3 |. 81EC CC000000 sub esp,0xCC ; 0xCC bytes of locals
001F19B9 |. 53 push ebx
001F19BA |. 56 push esi
001F19BB |. 57 push edi
001F19BC |. 8DBD 34FFFFFF lea edi,[local.51]
001F19C2 |. B9 33000000 mov ecx,0x33
001F19C7 |. B8 CCCCCCCC mov eax,0xCCCCCCCC
001F19CC |. F3:AB rep stos dword ptr es:[edi] ; fill 0x33 dwords (= the 0xCC bytes of locals) with 0xCC: MSVC debug stack-fill pattern
001F19CE |. B9 07603400 mov ecx,Exam.00346007 ; argument in ecx for the debug-build helper below (presumably __CheckForDebuggerJustMyCode - verify)
001F19D3 |. E8 DCBDFEFF call Exam.001DD7B4
001F19D8 |. 68 BC253000 push Exam.003025BC ; "Please Input:"
001F19DD |. 68 E0313400 push Exam.003431E0 ; stream object; together with the string this looks like std::cout << "Please Input:" (cdecl, 2 args) - verify
001F19E2 |. E8 5FB3FEFF call Exam.001DCD46
001F19E7 |. 83C4 08 add esp,0x8
001F19EA |. 6A 1E push 0x1E ; buffer size 30 as a third argument -> presumably scanf_s, not plain scanf: input is cut at 29 chars + NUL
001F19EC |. 68 68303400 push Exam.00343068 ; destination buffer (global)
001F19F1 |. 68 9C223000 push Exam.0030229C ; "%s"
001F19F6 |. E8 F3A6FEFF call Exam.001DC0EE ; scanf_s("%s", buf, 30) - presumably
001F19FB |. 83C4 0C add esp,0xC
001F19FE |. 68 68303400 push Exam.00343068 ; input buffer
001F1A03 |. E8 9E8FFEFF call Exam.001DA9A6 ; strlen(buf)
001F1A08 |. 83C4 04 add esp,0x4
001F1A0B |. 8945 F8 mov [local.2],eax ; local.2 = length of the input
001F1A0E |. 837D F8 1E cmp [local.2],0x1E ; length > 30 -> error (signed compare)
001F1A12 |. 7F 06 jg short Exam.001F1A1A
001F1A14 |. 837D F8 0A cmp [local.2],0xA
001F1A18 |. 7D 16 jge short Exam.001F1A30 ; length >= 10 -> continue; so 10 <= len <= 30 passes the check (29 at most in practice, see the scanf size)
001F1A1A |> 68 CC253000 push Exam.003025CC ; "输入错误;" (input error)
001F1A1F |. E8 B78CFEFF call Exam.001DA6DB ; print the error message
001F1A24 |. 83C4 04 add esp,0x4
001F1A27 |. 6A 00 push 0x0
001F1A29 |. E8 46A8FEFF call Exam.001DC274 ; looks like exit(0): if so, the jmp below is never reached
001F1A2E |. EB 4E jmp short Exam.001F1A7E
001F1A30 |> 68 68303400 push Exam.00343068 ; source: input buffer
001F1A35 |. 6A 1E push 0x1E ; size 30
001F1A37 |. A1 88303400 mov eax,dword ptr ds:[0x343088] ; destination: heap buffer whose pointer is stored at 0x343088
001F1A3C |. 50 push eax
001F1A3D |. E8 7DCBFEFF call Exam.001DE5BF ; copy the input into the heap buffer; (dst, 30, src) argument order suggests strcpy_s - verify
001F1A42 |. 83C4 0C add esp,0xC
001F1A45 |. B8 01000000 mov eax,0x1
001F1A4A |. 6BC8 07 imul ecx,eax,0x7 ; ecx = 1*7 = index 7, i.e. the 8th character
001F1A4D |. 8B15 88303400 mov edx,dword ptr ds:[0x343088] ; heap copy of the input
001F1A53 |. 0FBE040A movsx eax,byte ptr ds:[edx+ecx] ; 8th character of the input
001F1A57 |. 83F8 41 cmp eax,0x41 ; must be 'A' (0x41); checked BEFORE the XOR routine, which later overwrites this byte with '#'
001F1A5A |. 74 14 je short Exam.001F1A70
001F1A5C |. 68 CC253000 push Exam.003025CC ; "输入错误;"
001F1A61 |. E8 758CFEFF call Exam.001DA6DB ; print the error message
001F1A66 |. 83C4 04 add esp,0x4
001F1A69 |. 6A 00 push 0x0
001F1A6B |. E8 04A8FEFF call Exam.001DC274 ; looks like exit(0); on success the je above skips this
001F1A70 |> A1 88303400 mov eax,dword ptr ds:[0x343088] ; heap copy of the input
001F1A75 |. 50 push eax
001F1A76 |. E8 29B9FEFF call Exam.001DD3A4 ; XOR routine (thunk to 001EDBD0): in place, buf[7] = '#', then every byte ^= 0x1F; returns the buffer
001F1A7B |. 83C4 04 add esp,0x4
001F1A7E |> 33C0 xor eax,eax ; return 0; the XOR routine's return value is discarded here
001F1A80 5F pop edi
001F1A81 5E pop esi
001F1A82 5B pop ebx
001F1A83 81C4 CC000000 add esp,0xCC
001F1A89 |. 3BEC cmp ebp,esp ; debug-CRT stack-pointer sanity check; the call below reports a mismatch
001F1A8B |. E8 A5BEFEFF call Exam.001DD935
001F1A90 |. 8BE5 mov esp,ebp
001F1A92 |. 5D pop ebp
001F1A93 \. C3 retn
0x02. 跑一遍（或直接讀上面的比較指令），發現 main 對輸入的檢查如下：
註冊碼: 10 <= 長度 <= 30（cmp 0x1E / jg 與 cmp 0xA / jge 兩個有符號比較；不過 scanf 被傳入了緩衝區大小 0x1E，應為 scanf_s，實際最多只能讀入 29 個字符），且第八位（下標 7）必須是 'A'（0x41）。任一檢查失敗都會打印「输入错误;」並呼叫疑似 exit(0) 的函數直接結束，而不是返回錯誤碼。
0x03. 001F1A76 處呼叫的函數（經 001DD3A4 跳到 001EDBD0）先把第八位改寫成 '#'（0x23），再把每一位異或 0x1F，直接在原緩衝區就地修改並返回該緩衝區。異或 0x1F 是自逆的，所以由目標輸出可逐字節異或 0x1F 反推輸入。注意 main 呼叫之後並沒有使用返回值（eax 隨即清零），最終的比較並不在這段列表中：
001EDBD0 /> \55 push ebp 001EDBD1 |. 8BEC mov ebp,esp 001EDBD3 |. 81EC CC000000 sub esp,0xCC 001EDBD9 |. 53 push ebx 001EDBDA |. 56 push esi ; Exam.<ModuleEntryPoint> 001EDBDB |. 57 push edi 001EDBDC |. 8DBD 34FFFFFF lea edi,[local.51] 001EDBE2 |. B9 33000000 mov ecx,0x33 001EDBE7 |. B8 CCCCCCCC mov eax,0xCCCCCCCC 001EDBEC |. F3:AB rep stos dword ptr es:[edi] 001EDBEE |. B9 07603400 mov ecx,Exam.00346007 ; āāāāāāāāāāāāāāāāāāāā 001EDBF3 |. E8 BCFBFEFF call Exam.001DD7B4 001EDBF8 |. B8 01000000 mov eax,0x1 001EDBFD |. 6BC8 07 imul ecx,eax,0x7 ; ecx =7 001EDC00 |. 8B55 08 mov edx,[arg.1] ; ASCII "1427300A35" 001EDC03 |. C6040A 23 mov byte ptr ds:[edx+ecx],0x23 ; ASCII "1427300#35" 001EDC07 |. C745 F8 00000>mov [local.2],0x0 001EDC0E |. EB 09 jmp short Exam.001EDC19 001EDC10 |> 8B45 F8 /mov eax,[local.2] 001EDC13 |. 83C0 01 |add eax,0x1 001EDC16 |. 8945 F8 |mov [local.2],eax 001EDC19 |> 8B45 08 mov eax,[arg.1] ; ASCII "1427300#35" 001EDC1C |. 50 |push eax 001EDC1D |. E8 84CDFEFF |call Exam.001DA9A6 ; strlen 001EDC22 |. 83C4 04 |add esp,0x4 001EDC25 |. 3945 F8 |cmp [local.2],eax ; strlen 001EDC28 |. 73 16 |jnb short Exam.001EDC40 001EDC2A |. 8B45 08 |mov eax,[arg.1] ; ASCII "1427300#35" 001EDC2D |. 0345 F8 |add eax,[local.2] ; eax = ASCII "1427300#35" 001EDC30 |. 0FBE08 |movsx ecx,byte ptr ds:[eax] ; 註冊碼第I位 001EDC33 |. 83F1 1F |xor ecx,0x1F ; 31 xor 0x1F = 2E 001EDC36 |. 8B55 08 |mov edx,[arg.1] ; 假碼地址 001EDC39 |. 0355 F8 |add edx,[local.2] 001EDC3C |. 880A |mov byte ptr ds:[edx],cl ; 異或結果存到內存-> ASCII ".427300#35" 001EDC3E |.^ EB D0 \jmp short Exam.001EDC10 001EDC40 |> 8B45 08 mov eax,[arg.1] ; eax = 異或結果 ASCII ".+-(,//<,*" 001EDC43 |. 5F pop edi ; 0089FEF4 001EDC44 |. 5E pop esi ; 0089FEF4 001EDC45 |. 5B pop ebx ; 0089FEF4 001EDC46 |. 81C4 CC000000 add esp,0xCC 001EDC4C |. 3BEC cmp ebp,esp 001EDC4E |. E8 E2FCFEFF call Exam.001DD935 001EDC53 |. 8BE5 mov esp,ebp 001EDC55 |. 5D pop ebp ; 0089FEF4 001EDC56 \. C3 retn
0x04. 在存放假碼副本的堆緩衝區（其指針保存在 dword ptr ds:[0x343088]）上下硬件斷點（Word）：
重載後第一次中斷時，這塊內存尚未初始化（0xCD 是 MSVC debug CRT 對新分配堆內存的填充值，末尾的 0xFD 是分配塊邊界的保護字節，與前面 0xCC 棧填充所反映的 debug 版本特徵一致）：
0101CDF0 CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD 屯屯屯屯屯屯屯屯 0101CE00 CD CD CD CD CD CD CD CD CD CD CD CD CD CD FD FD 屯屯屯屯屯屯屯
輸入註冊碼後，這塊內存上的斷點共中斷三次，內容依次為：未初始化（0xCD 填充）→ 假碼 → 假碼（大致對應分配、001F1A3D 處的複製，以及異或函數的讀寫，以實際中斷位置為準）。
0x05. 輸入字符串完成異或後，斷點再次停在這裡，此時的寄存器窗口如下（寄存器窗口截圖在此文字版中缺失）：