[Original] Kanxue CTF.TSRC 2018 Team Contest, Challenge 10 "侠义双雄" Write-up

Posted on: 2018-12-19 14:24
Kanxue CTF.TSRC 2018 Team Contest, Challenge 10, 侠义双雄. The target is compiled with Delphi; it embeds an HTML window and does the check through a JS script.

Tfrmcrackme_FormShow:
00469048  55               PUSH EBP
00469049  8BEC             MOV EBP,ESP
0046904B  B9 2A000000      MOV ECX,2A
00469050  6A 00            PUSH 0
00469052  6A 00            PUSH 0
00469054  49               DEC ECX
00469055 ^75 F9            JNZ SHORT enc0_cra.00469050
00469057  51               PUSH ECX
00469058  53               PUSH EBX
00469059  56               PUSH ESI
0046905A  57               PUSH EDI
0046905B  8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
0046905E  33C0             XOR EAX,EAX
00469060  55               PUSH EBP
00469061  68 B4944600      PUSH enc0_cra.004694B4
00469066  64:FF30          PUSH DWORD PTR FS:[EAX]
00469069  64:8920          MOV DWORD PTR FS:[EAX],ESP
0046906C  68 CC944600      PUSH enc0_cra.004694CC   ; ASCII "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">"
00469071  68 0C954600      PUSH enc0_cra.0046950C
00469076  68 18954600      PUSH enc0_cra.00469518
0046907B  8D55 D0          LEA EDX,DWORD PTR SS:[EBP-30]
0046907E  8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
00469081  8B80 F8020000    MOV EAX,DWORD PTR DS:[EAX+2F8]
00469087  E8 C069FFFF      CALL enc0_cra.0045FA4C
0046908C  8D45 D0          LEA EAX,DWORD PTR SS:[EBP-30]
0046908F  50               PUSH EAX
00469090  8D45 E0          LEA EAX,DWORD PTR SS:[EBP-20]
00469093  50               PUSH EAX
00469094  E8 9B69FAFF      CALL enc0_cra.0040FA34
00469099  83C4 0C          ADD ESP,0C
0046909C  8D45 E0          LEA EAX,DWORD PTR SS:[EBP-20]
0046909F  50               PUSH EAX
004690A0  6A 00            PUSH 0
004690A2  E8 8D69FAFF      CALL enc0_cra.0040FA34
004690A7  83C4 10          ADD ESP,10
004690AA  68 2C954600      PUSH enc0_cra.0046952C   ; ASCII "<script>"
004690AF  68 0C954600      PUSH enc0_cra.0046950C
004690B4  68 18954600      PUSH enc0_cra.00469518
004690B9  8D55 B0          LEA EDX,DWORD PTR SS:[EBP-50]
004690BC  8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
004690BF  8B80 F8020000    MOV EAX,DWORD PTR DS:[EAX+2F8]
004690C5  E8 8269FFFF      CALL enc0_cra.0045FA4C
004690CA  8D45 B0          LEA EAX,DWORD PTR SS:[EBP-50]
004690CD  50               PUSH EAX
004690CE  8D45 C0          LEA EAX,DWORD PTR SS:[EBP-40]
004690D1  50               PUSH EAX
004690D2  E8 5D69FAFF      CALL enc0_cra.0040FA34
004690D7  83C4 0C          ADD ESP,0C
004690DA  8D45 C0          LEA EAX,DWORD PTR SS:[EBP-40]
004690DD  50               PUSH EAX
004690DE  6A 00            PUSH 0
004690E0  E8 4F69FAFF      CALL enc0_cra.0040FA34
004690E5  83C4 10          ADD ESP,10
004690E8  8D45 F4          LEA EAX,DWORD PTR SS:[EBP-C]
004690EB  8B15 3CAF4600    MOV EDX,DWORD PTR DS:[46AF3C]
004690F1  E8 4EBAF9FF      CALL enc0_cra.00404B44
004690F6  A1 3CAF4600      MOV EAX,DWORD PTR DS:[46AF3C]
004690FB  E8 48BBF9FF      CALL enc0_cra.00404C48
00469100  8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
00469103  8D45 F4          LEA EAX,DWORD PTR SS:[EBP-C]
00469106  50               PUSH EAX                 ; points to a Unicode string, contents below

eval(function(s,p,a,c,k,e,d){for(i=0;i<k.length;i++)k[i]=k[i].replace(s, '');e=function(c){eval(document.write(String.fromCharCode(13)));return(eval(c<a)?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$$$','8 4() { 1 = 6.3.e.f; 9 (1 == "b") { 2("5!") } 7 { 2("g!<" + 1 + "> a d c 0 ;-)") }}',62,17,'GUID$$$@a$$$@alert$$$@all$$$@ckpswd$$$@congratulations$$$@document$$$@else$$$@function

The last argument of this JS call is incomplete here; another piece is concatenated onto it later, but that no longer matters. The arguments are truncated, yet the function body itself is complete, and it ends with:

return p}

Patch those few characters to:

alert(p)}

and let the program continue running. An alert window pops up; extracting its contents gives:

function ckpswd() { a = document.all.pswd.value; if (a == "kanxueCTF2018bySimpower91") { alert("congratulations!") } else { alert("wrong!<" + a + "> is not my GUID ;-)") }}

So it is nothing more than a plaintext comparison. The final answer:

kanxueCTF2018bySimpower91
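The "alert(p)" patch works because the p,a,c,k,e,d loader only substitutes words: every \w+ token in p is a base-a index into the word table k, and the code is reassembled before eval() ever sees it. The same decoding can be done statically, without running the untrusted script or touching the binary. Below is an added example (not code from the original post or from the crackme): a static unpacker that mirrors the loader's e() encoding and its dictionary substitution, plus a small pack() helper used only to build the sample input. pack() assigns indices in ASCII order, which is the order the crackme's own table uses (GUID, a, alert, all, ...), so packing the recovered ckpswd function reproduces the p string seen in the dump. The function names and the round-trip harness are the example's own.

```javascript
// Added example, not part of the original write-up. Static decoder for the
// eval(function(p,a,c,k,e,d){...}) packer used by the crackme. Nothing is eval()'d.

// e(c) from the loader: index c written in base `a`, digits 0-9, then a-z, then A-Z.
function encodeIndex(c, a) {
  const high = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const r = c % a;
  return high + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Inverse of the loader. Each \w+ token in p is looked up in the word table k;
// an empty table entry means the token stands for itself. The substitution is a
// single pass, so a replacement word can never be re-substituted.
// (The crackme's variant also strips a '$$$' marker from every k entry first;
// strip it before calling this if you feed it the raw table.)
function unpack(p, a, c, k) {
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) {
    const token = encodeIndex(i, a);
    dict[token] = k[i] || token;
  }
  return p.replace(/\w+/g, (w) => (w in dict ? dict[w] : w));
}

// Helper used only to construct the sample input (hypothetical packer, not the
// tool the challenge author used): words are numbered in ASCII sort order.
function pack(source, a) {
  const words = Array.from(new Set(source.match(/\w+/g))).sort();
  const index = new Map(words.map((w, i) => [w, encodeIndex(i, a)]));
  const p = source.replace(/\w+/g, (w) => index.get(w));
  return { p, a, c: words.length, k: words };
}

// The cleartext checker recovered in the write-up above.
const RECOVERED =
  'function ckpswd() { a = document.all.pswd.value; ' +
  'if (a == "kanxueCTF2018bySimpower91") { alert("congratulations!") } ' +
  'else { alert("wrong!<" + a + "> is not my GUID ;-)") }}';

// Round trip: pack the recovered function, then decode it statically.
function demo() {
  const packed = pack(RECOVERED, 62);
  const restored = unpack(packed.p, packed.a, packed.c, packed.k);
  return { packed, restored };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { packed, restored } = demo();
  console.log('packed p :', packed.p);
  console.log('table    :', packed.k.join('|'));
  console.log('restored :', restored);
}
```

Running it prints the same p string that the dump shows ('8 4() { 1 = 6.3.e.f; ...'), the 17-entry table starting with GUID|a|alert|all|ckpswd, and the restored ckpswd function. For triage this is the safer route: the packed blob is decoded in a script, the plaintext comparison becomes visible, and the browser control never executes the payload.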