-
-
[原创]2019看雪CTF 团队赛 第一题 流浪者WP
-
发表于:
2019-3-19 00:51
3032
-
[原创]2019看雪CTF 团队赛 第一题 流浪者WP
用ida打开程序
搜索字符串,按X查看引用,定位到sub_401890
int __thiscall sub_401890(CWnd *this)
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
int v5[26]; // [esp+4Ch] [ebp-74h]
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v1 = (CWnd *)((char *)this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401A30((char *)v8 + 100);
Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0);
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > '9' || Str[i] < '0' )
{
if ( Str[i] > 'z' || Str[i] < 'a' )
{
if ( Str[i] > 'Z' || Str[i] < 'A' )
sub_4017B0();
else
v5[i] = Str[i] - 0x1D;
}
else
{
v5[i] = Str[i] - 0x57;
}
}
else
{
v5[i] = Str[i] - 0x30;
}
}
return sub_4017F0((int)v5);
}
代码逻辑比较清晰,输入字符如果是'0'-'9'则减去0x30,'A'-'Z'则减0x1D,'a'-'z'则减0x57
查看sub_4017F0的代码
BOOL __cdecl sub_4017F0(int a1)
{
BOOL result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = sub_401770();
else
result = sub_4017B0();
return result;
}
逐位取前面转换后的字符串,记为n,取
abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ
第n位,添加到Str1,等于KanXueCTF2019JustForhappy则成功
写个代码跑一下就可以了
#include <stdio.h>
#include <string.h>
int main(){
char encode[]="abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ";
unsigned char key[]="KanXueCTF2019JustForhappy";
unsigned char c=0;
for(int i =0; i<sizeof(key)-1;i++){
c=strchr(encode,*(key+i))-encode;
if(c<=('z'-0x57)&&c>=('a'-0x57)){
c+=0x57;
}else if(c<=('Z'-0x1D)&&c>=('A'-0x1D)){
c+=0x1D;
}else{
c+=0x30;
}
printf("%c",c);
}
}最后输出的flag:j0rXI4bTeustBiIGHeCF70DDM
int __thiscall sub_401890(CWnd *this)
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
int v5[26]; // [esp+4Ch] [ebp-74h]
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v1 = (CWnd *)((char *)this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401A30((char *)v8 + 100);
Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0);
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > '9' || Str[i] < '0' )
{
if ( Str[i] > 'z' || Str[i] < 'a' )
{
if ( Str[i] > 'Z' || Str[i] < 'A' )
sub_4017B0();
else
v5[i] = Str[i] - 0x1D;
}
else
{
v5[i] = Str[i] - 0x57;
}
}
else
{
v5[i] = Str[i] - 0x30;
}
}
return sub_4017F0((int)v5);
}
代码逻辑比较清晰,输入字符如果是'0'-'9'则减去0x30,'A'-'Z'则减0x1D,'a'-'z'则减0x57
查看sub_4017F0的代码
BOOL __cdecl sub_4017F0(int a1)
{
BOOL result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = sub_401770();
else
result = sub_4017B0();
return result;
}
逐位取前面转换后的字符串,记为n,取
abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ
第n位,添加到Str1,等于KanXueCTF2019JustForhappy则成功
BOOL __cdecl sub_4017F0(int a1)
{
BOOL result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = sub_401770();
else
result = sub_4017B0();
return result;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
