Pediy CTF.TSRC 2018 Team Contest - Challenge 6

Posted: 2018-12-11 14:08
1. The TLS callback hooks WinMain and GetDlgItemTextA
.text:00401E4E call x_hook_WinMain
..
.text:00401E55 push offset CriticalSection ; lpCriticalSection
.text:00401E5A call ds:InitializeCriticalSection
..
.text:00401E67 call x_hook_GetDlgItemTextA
..
.text:00401E6E push 0 ; lpThreadId
.text:00401E70 push 0 ; dwCreationFlags
.text:00401E72 lea eax, [ebp+Parameter]
.text:00401E75 push eax ; lpParameter
.text:00401E76 push offset hook_GetDlgItemTextA_thread ; lpStartAddress
.text:00401E7B push 0 ; dwStackSize
.text:00401E7D push 0 ; lpThreadAttributes
.text:00401E7F call ds:CreateThread
.text:00401284 jmp x_WinMain
user32_GetDlgItemTextA+20 jmp x_stub_GetDlgItemTextA
2. Verification after GetDlgItemTextA: the entered serial g_sn must pass x_check, and x_hash(g_sn, strlen(g_sn)) must equal 5634D252h
.text:00401A8F push ecx
.text:00401A90 mov edx, g_sn
.text:00401A96 push edx
.text:00401A97 call x_check
.text:00401A9C add esp, 8
.text:00401A9F movzx eax, al
.text:00401AA2 test eax, eax
.text:00401AA4 jz loc_401B85
.text:00401AAA mov ecx, g_sn
.text:00401AB0 push ecx
.text:00401AB1 call strlen
.text:00401AB6 push eax
.text:00401AB7 mov edx, g_sn
.text:00401ABD push edx
.text:00401ABE call x_hash
.text:00401AC3 cmp eax, 5634D252h
.text:00401AC8 jnz loc_401B85

.text:00401380 ; bool __cdecl x_move(int direction, int num)
x_check implements a 3x3 sliding-tile puzzle; each move in the serial is a direction letter followed by the number of the tile to slide:
w: up
s: down
a: left
d: right
Initial state
4 1 3
7 2 5
8 6 0
=>
Target state
1 2 3
4 5 6
7 8 0
3. Solving the puzzle by hand gives the sn: d6d8s7s4a1w2a5w6
4 1 3
7 2 5
8 6 0
=>
4 1 3
7 2 5
0 8 6
=>
0 1 3
4 2 5
7 8 6
=>
1 0 3
4 2 5
7 8 6
=>
1 2 3
4 0 5
7 8 6
=>
1 2 3
4 5 0
7 8 6
=>
1 2 3
4 5 6
7 8 0
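As an added example (not part of the original write-up), the following Python models the x_check move format described above, replays the hand-derived serial against the initial board, and runs a BFS that finds a shortest serial in the same letter-plus-tile format. It assumes the check accepts exactly the w/s/a/d letter followed by a single tile digit, as the write-up describes; the hash constraint is not modelled.

```python
from collections import deque

# Board states taken from the write-up, row-major, 0 = blank.
START = (4, 1, 3, 7, 2, 5, 8, 6, 0)
GOAL = (1, 2, 3, 4, 5, 6, 7, 8, 0)

# The letter is the direction the named tile slides into the blank, so the
# tile's source cell is offset from the blank: moving up means it was below
# (+3), down means above (-3), left means to the right (+1), right means to
# the left (-1).
TILE_FROM = {'w': 3, 's': -3, 'a': 1, 'd': -1}

def apply_move(board, direction, tile):
    """Slide `tile` in `direction`; return the new board, or None if illegal."""
    blank = board.index(0)
    src = blank + TILE_FROM[direction]
    if not 0 <= src < 9:
        return None
    if direction in 'ad' and src // 3 != blank // 3:  # no wrapping across rows
        return None
    if board[src] != tile:
        return None
    b = list(board)
    b[blank], b[src] = tile, 0
    return tuple(b)

def replay(sn, board=START):
    """Replay a serial such as 'd6d8s7s4a1w2a5w6'; None if any move is illegal."""
    if len(sn) % 2:
        return None
    for i in range(0, len(sn), 2):
        d, t = sn[i], sn[i + 1]
        if d not in TILE_FROM or not t.isdigit():
            return None
        board = apply_move(board, d, int(t))
        if board is None:
            return None
    return board

def check(sn):
    """Mirror of the game's success condition: the serial must reach GOAL."""
    return replay(sn) == GOAL

def solve(start=START, goal=GOAL):
    """Breadth-first search over boards; returns a shortest serial string."""
    parent = {start: None}
    queue = deque([start])
    while queue and goal not in parent:
        b = queue.popleft()
        for d, off in TILE_FROM.items():
            src = b.index(0) + off
            nb = apply_move(b, d, b[src]) if 0 <= src < 9 else None
            if nb is not None and nb not in parent:
                parent[nb] = (b, d + str(b[src]))
                queue.append(nb)
    if goal not in parent:
        return None
    moves, node = [], goal
    while parent[node] is not None:
        node, mv = parent[node]
        moves.append(mv)
    return ''.join(reversed(moves))
```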