看雪CTF.TSRC 2018 团队赛-第6题-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

看雪CTF.TSRC 2018 团队赛-第6题

发表于: 2018-12-11 14:08 2655

看雪CTF.TSRC 2018 团队赛-第6题

风间仁

2018-12-11 14:08

2655

1. TlsCallback中hook WinMain及GetDlgItemTextA

.text:00401E4E                 call    x_hook_WinMain
..
.text:00401E55                 push    offset CriticalSection ; lpCriticalSection
.text:00401E5A                 call    ds:InitializeCriticalSection
..
.text:00401E67                 call    x_hook_GetDlgItemTextA
..
.text:00401E6E                 push    0               ; lpThreadId
.text:00401E70                 push    0               ; dwCreationFlags
.text:00401E72                 lea     eax, [ebp+Parameter]
.text:00401E75                 push    eax             ; lpParameter
.text:00401E76                 push    offset hook_GetDlgItemTextA_thread ; lpStartAddress
.text:00401E7B                 push    0               ; dwStackSize
.text:00401E7D                 push    0               ; lpThreadAttributes
.text:00401E7F                 call    ds:CreateThread

.text:00401E4E                 call    x_hook_WinMain
..
.text:00401E55                 push    offset CriticalSection ; lpCriticalSection
.text:00401E5A                 call    ds:InitializeCriticalSection
..
.text:00401E67                 call    x_hook_GetDlgItemTextA
..
.text:00401E6E                 push    0               ; lpThreadId
.text:00401E70                 push    0               ; dwCreationFlags
.text:00401E72                 lea     eax, [ebp+Parameter]
.text:00401E75                 push    eax             ; lpParameter
.text:00401E76                 push    offset hook_GetDlgItemTextA_thread ; lpStartAddress
.text:00401E7B                 push    0               ; dwStackSize
.text:00401E7D                 push    0               ; lpThreadAttributes
.text:00401E7F                 call    ds:CreateThread

.text:00401E4E                 call    x_hook_WinMain
..
.text:00401E55                 push    offset CriticalSection ; lpCriticalSection
.text:00401E5A                 call    ds:InitializeCriticalSection
..
.text:00401E67                 call    x_hook_GetDlgItemTextA
..
.text:00401E6E                 push    0               ; lpThreadId
.text:00401E70                 push    0               ; dwCreationFlags
.text:00401E72                 lea     eax, [ebp+Parameter]
.text:00401E75                 push    eax             ; lpParameter
.text:00401E76                 push    offset hook_GetDlgItemTextA_thread ; lpStartAddress
.text:00401E7B                 push    0               ; dwStackSize
.text:00401E7D                 push    0               ; lpThreadAttributes
.text:00401E7F                 call    ds:CreateThread

1 2	`.text:00401284 jmp x_WinMain` `user32_GetDlgItemTextA+20 jmp x_stub_GetDlgItemTextA`

1 2	`.text:00401284 jmp x_WinMain` `user32_GetDlgItemTextA+20 jmp x_stub_GetDlgItemTextA`

2. GetDlgItemTextA之后的验证

.text:00401A8F                 push    ecx
.text:00401A90                 mov     edx, g_sn
.text:00401A96                 push    edx
.text:00401A97                 call    x_check
.text:00401A9C                 add     esp, 8
.text:00401A9F                 movzx   eax, al
.text:00401AA2                 test    eax, eax
.text:00401AA4                 jz      loc_401B85
.text:00401AAA                 mov     ecx, g_sn
.text:00401AB0                 push    ecx
.text:00401AB1                 call    strlen
.text:00401AB6                 push    eax
.text:00401AB7                 mov     edx, g_sn
.text:00401ABD                 push    edx
.text:00401ABE                 call    x_hash
.text:00401AC3                 cmp     eax, 5634D252h
.text:00401AC8                 jnz     loc_401B85
 
.text:00401380 ; bool __cdecl x_move(int direction, int num)

.text:00401A8F                 push    ecx
.text:00401A90                 mov     edx, g_sn
.text:00401A96                 push    edx
.text:00401A97                 call    x_check
.text:00401A9C                 add     esp, 8
.text:00401A9F                 movzx   eax, al
.text:00401AA2                 test    eax, eax
.text:00401AA4                 jz      loc_401B85
.text:00401AAA                 mov     ecx, g_sn
.text:00401AB0                 push    ecx
.text:00401AB1                 call    strlen
.text:00401AB6                 push    eax
.text:00401AB7                 mov     edx, g_sn
.text:00401ABD                 push    edx
.text:00401ABE                 call    x_hash
.text:00401AC3                 cmp     eax, 5634D252h
.text:00401AC8                 jnz     loc_401B85
 
.text:00401380 ; bool __cdecl x_move(int direction, int num)