-
-
[原创]CTF 第一题 初世纪
-
发表于: 2018-12-3 21:52
-
直接在ida 的伪代码里虽然大概看到了逻辑,但那一段或的判断里的参数还是不知道上面意思
找到函数断点调试一波
下面是那段关键的判断的代码的一些理解
text:00007FF77E61145E loc_7FF77E61145E: ; CODE XREF: sub_7FF77E611340+DD↑j
.text:00007FF77E61145E mov r9d, 51h ; cchMax.text:00007FF77E611464 lea r8, [rbp+30h+String] ; lpString
.text:00007FF77E611468 mov edx, 3E8h ; nIDDlgItem
.text:00007FF77E61146D mov rcx, rdi ; hDlg
.text:00007FF77E611470 call cs:GetDlgItemTextA
.text:00007FF77E611476 mov r9d, 65h ; cchMax
.text:00007FF77E61147C lea r8, [rsp+130h+Dst] ; lpString
.text:00007FF77E611481 mov edx, 3E8h ; nIDDlgItem
.text:00007FF77E611486 mov rcx, rdi ; hDlg
.text:00007FF77E611489 mov ebx, eax
.text:00007FF77E61148B call cs:GetDlgItemTextA
.text:00007FF77E611491 cmp ebx, 6 ; 判断输入的字符长度是否是6
.text:00007FF77E611494 jnz short loc_7FF77E6114F1 ; 判断zf(零标志位是不是0),是0就跳转 zf标志位由上面的cmp运算来的,相等就是1,zf就是设置为0,当不相等zf就是1,就符合了jnz,到输出错误那里
.text:00007FF77E611496 movzx eax, [rsp+130h+Dst] ; 获取第一个字符的ascii编码
.text:00007FF77E61149B sub eax, 30h ; ascii码减0x30,,eax=eax的ascii码-30
.text:00007FF77E61149E cmp eax, ebx eax和ebx判断,ebx应该现在是字符串的第一个字符
.text:00007FF77E6114A0 jnz short loc_7FF77E6114F1,不相等就跳到输出错误那
.text:00007FF77E6114A2 movzx eax, [rsp+130h+var_CF] ,再拿第二个字符
.text:00007FF77E6114A7 sub eax, 40h,一样的操作
.text:00007FF77E6114AA cmp eax, 5
.text:00007FF77E6114AD jnz short loc_7FF77E6114F1
.text:00007FF77E6114AF movzx eax, [rsp+130h+var_CE]
.text:00007FF77E6114B4 sub eax, 70h
.text:00007FF77E6114B7 cmp eax, 7
.text:00007FF77E6114BA jnz short loc_7FF77E6114F1
.text:00007FF77E6114BC movzx eax, [rsp+130h+var_CD]
.text:00007FF77E6114C1 sub eax, 60h
.text:00007FF77E6114C4 cmp eax, 9
.text:00007FF77E6114C7 jnz short loc_7FF77E6114F1
.text:00007FF77E6114C9 movzx eax, [rsp+130h+var_CC]
.text:00007FF77E6114CE sub eax, 30h
.text:00007FF77E6114D1 cmp eax, 9
.text:00007FF77E6114D4 jnz short loc_7FF77E6114F1
.text:00007FF77E6114D6 movzx eax, [rsp+130h+var_CB]
.text:00007FF77E6114DB lea rcx, String1
.text:00007FF77E6114E2 sub eax, 40h
.text:00007FF77E6114E5 cmp eax, 8
.text:00007FF77E6114E8 jnz short loc_7FF77E6114F8
.text:00007FF77E6114EA lea rdx, [rsp+130h+var_E8]
.text:00007FF77E6114EF jmp short loc_7FF77E6114FD
.text:00007FF77E6114F1 ; ---------------------------------------------------------------------------
.text:00007FF77E6114F1
.text:00007FF77E6114F1 loc_7FF77E6114F1: ; CODE XREF: sub_7FF77E611340+154↑j
.text:00007FF77E6114F1 ; sub_7FF77E611340+160↑j ...
.text:00007FF77E6114F1 lea rcx, String1 ; lpString1
.text:00007FF77E6114F8
.text:00007FF77E6114F8 loc_7FF77E6114F8: ; CODE XREF: sub_7FF77E611340+1A8↑j
.text:00007FF77E6114F8 lea rdx, [rsp+130h+String2] ; lpString2
.text:00007FF77E6114FD
.text:00007FF77E6114FD loc_7FF77E6114FD: ; CODE XREF: sub_7FF77E611340+1AF↑j
.text:00007FF77E6114FD call cs:lstrcpyA
.text:00007FF77E611503 mov rcx, cs:hInstance ; hInstance
.text:00007FF77E61150A lea r9, sub_7FF77E6112E0 ; lpDialogFunc
.text:00007FF77E611511 mov r8, rdi ; hWndParent
.text:00007FF77E611514 mov [rsp+130h+dwInitParam], 0 ; dwInitParam
.text:00007FF77E61151D mov edx, 79h ; lpTemplateName
.text:00007FF77E611522 call cs:DialogBoxParamA
.text:00007FF77E611528 mov eax, 1
.text:00007FF77E61152D jmp loc_7FF77E6115B8
.text:00007FF77E611532 ; ---------------------------------------------------------------------------
字符提取
下面是上面那截取的一段
sub eax, 40h,
.text:00007FF77E6114AA cmp eax, 5
.text:00007FF77E6114AD jnz short loc_7FF77E6114F1
.text:00007FF77E6114AA cmp eax, 5
.text:00007FF77E6114AD jnz short loc_7FF77E6114F1
比如说上面那个
eax=0x40+0x5
这个数值转换成字符就是了,将上面的依次转换为字符即可
这里用Python 的chr函数,是将ascii码转换为对应的字符,还有个相反的函数ord是将字符转换为ascii码
最后得到密码
H9iwE6
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
