-
-
[原创]第一题 流浪者解析
-
发表于: 2019-3-12 14:05
-
本人小菜一枚 大牛见笑了
界面长这样
下断点
运行 随便输个密码 断下 查看调用堆栈
点进去
记下这个地址 ida 打开 找到这
F5 大法
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | int __thiscall sub_401890(CWnd *this){ struct CString *v1; // ST08_4@1 CWnd *v2; // eax@1 int v3; // eax@1 int result; // eax@2 int v5[26]; // [sp+4Ch] [bp-74h]@7 int i; // [sp+B4h] [bp-Ch]@3 char *Str; // [sp+B8h] [bp-8h]@1 CWnd *v8; // [sp+BCh] [bp-4h]@1 v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( strlen(Str) ) { for ( i = 0; Str[i]; ++i ) { if ( Str[i] > 57 || Str[i] < 48 ) { if ( Str[i] > 122 || Str[i] < 97 ) { if ( Str[i] > 90 || Str[i] < 65 ) sub_4017B0(); else v5[i] = Str[i] - 29; } else { v5[i] = Str[i] - 87; } } else { v5[i] = Str[i] - 48; } } result = sub_4017F0((int)v5); } else { result = CWnd::MessageBoxA(v8, "请输入pass!", 0, 0); } return result;} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | int __cdecl sub_4017F0(int a1){ int result; // eax@6 char Str1[28]; // [sp+D8h] [bp-24h]@4 int v3; // [sp+F4h] [bp-8h]@1 int v4; // [sp+F8h] [bp-4h]@1 v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 62 && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = sub_401770(); else result = sub_4017B0(); return result;} |
1 | .rdata:00403580 aAbcdefghiabcde db 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ',0 |
关键逻辑 我用C# 写出来了 写的有点烂 大家见笑了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | int __thiscall sub_401890(CWnd *this){ struct CString *v1; // ST08_4@1 CWnd *v2; // eax@1 int v3; // eax@1 int result; // eax@2 int v5[26]; // [sp+4Ch] [bp-74h]@7 int i; // [sp+B4h] [bp-Ch]@3 char *Str; // [sp+B8h] [bp-8h]@1 CWnd *v8; // [sp+BCh] [bp-4h]@1 v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( strlen(Str) ) { for ( i = 0; Str[i]; ++i ) { if ( Str[i] > 57 || Str[i] < 48 ) { if ( Str[i] > 122 || Str[i] < 97 ) { if ( Str[i] > 90 || Str[i] < 65 ) sub_4017B0(); else v5[i] = Str[i] - 29; } else { v5[i] = Str[i] - 87; } } else { v5[i] = Str[i] - 48; } } result = sub_4017F0((int)v5); } else { result = CWnd::MessageBoxA(v8, "请输入pass!", 0, 0); } return result;} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | int __cdecl sub_4017F0(int a1){ int result; // eax@6 char Str1[28]; // [sp+D8h] [bp-24h]@4 int v3; // [sp+F4h] [bp-8h]@1 int v4; // [sp+F8h] [bp-4h]@1 v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 62 && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = sub_401770(); else result = sub_4017B0(); return result;} |
1 | .rdata:00403580 aAbcdefghiabcde db 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ',0 |
关键逻辑 我用C# 写出来了 写的有点烂 大家见笑了
最后于 2019-3-12 14:25
被ydshk编辑
,原因:
|
|
|---|---|
|
|
|
