-
-
[原创]2019看雪CTF 团队赛 第一题 流浪者WP
-
发表于: 2019-3-19 00:51 3040
-
用ida打开程序
搜索字符串,按X查看引用,定位到sub_401890
int __thiscall sub_401890(CWnd *this) { struct CString *v1; // ST08_4 CWnd *v2; // eax int v3; // eax int v5[26]; // [esp+4Ch] [ebp-74h] int i; // [esp+B4h] [ebp-Ch] char *Str; // [esp+B8h] [ebp-8h] CWnd *v8; // [esp+BCh] [ebp-4h] v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( !strlen(Str) ) return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0); for ( i = 0; Str[i]; ++i ) { if ( Str[i] > '9' || Str[i] < '0' ) { if ( Str[i] > 'z' || Str[i] < 'a' ) { if ( Str[i] > 'Z' || Str[i] < 'A' ) sub_4017B0(); else v5[i] = Str[i] - 0x1D; } else { v5[i] = Str[i] - 0x57; } } else { v5[i] = Str[i] - 0x30; } } return sub_4017F0((int)v5); }
代码逻辑比较清晰,输入字符如果是'0'-'9'则减去0x30,'A'-'Z'则减0x1D,'a'-'z'则减0x57
查看sub_4017F0的代码
BOOL __cdecl sub_4017F0(int a1) { BOOL result; // eax char Str1[28]; // [esp+D8h] [ebp-24h] int v3; // [esp+F4h] [ebp-8h] int v4; // [esp+F8h] [ebp-4h] v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = sub_401770(); else result = sub_4017B0(); return result; }
逐位取前面转换后的字符串,记为n,取
abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ
第n位,添加到Str1,等于KanXueCTF2019JustForhappy则成功
写个代码跑一下就可以了
#include <stdio.h> #include <string.h> int main(){ char encode[]="abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ"; unsigned char key[]="KanXueCTF2019JustForhappy"; unsigned char c=0; for(int i =0; i<sizeof(key)-1;i++){ c=strchr(encode,*(key+i))-encode; if(c<=('z'-0x57)&&c>=('a'-0x57)){ c+=0x57; }else if(c<=('Z'-0x1D)&&c>=('A'-0x1D)){ c+=0x1D; }else{ c+=0x30; } printf("%c",c); } }
最后输出的flag:j0rXI4bTeustBiIGHeCF70DDM
int __thiscall sub_401890(CWnd *this) { struct CString *v1; // ST08_4 CWnd *v2; // eax int v3; // eax int v5[26]; // [esp+4Ch] [ebp-74h] int i; // [esp+B4h] [ebp-Ch] char *Str; // [esp+B8h] [ebp-8h] CWnd *v8; // [esp+BCh] [ebp-4h] v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( !strlen(Str) ) return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0); for ( i = 0; Str[i]; ++i ) { if ( Str[i] > '9' || Str[i] < '0' ) { if ( Str[i] > 'z' || Str[i] < 'a' ) { if ( Str[i] > 'Z' || Str[i] < 'A' ) sub_4017B0(); else v5[i] = Str[i] - 0x1D; } else { v5[i] = Str[i] - 0x57; } } else { v5[i] = Str[i] - 0x30; } } return sub_4017F0((int)v5); }
代码逻辑比较清晰,输入字符如果是'0'-'9'则减去0x30,'A'-'Z'则减0x1D,'a'-'z'则减0x57
查看sub_4017F0的代码
BOOL __cdecl sub_4017F0(int a1) { BOOL result; // eax char Str1[28]; // [esp+D8h] [ebp-24h] int v3; // [esp+F4h] [ebp-8h] int v4; // [esp+F8h] [ebp-4h] v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = sub_401770(); else result = sub_4017B0(); return result; }
逐位取前面转换后的字符串,记为n,取
abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ
第n位,添加到Str1,等于KanXueCTF2019JustForhappy则成功
BOOL __cdecl sub_4017F0(int a1) { BOOL result; // eax char Str1[28]; // [esp+D8h] [ebp-24h] int v3; // [esp+F4h] [ebp-8h] int v4; // [esp+F8h] [ebp-4h] v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = sub_401770(); else result = sub_4017B0(); return result; }
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
看原图
赞赏
雪币:
留言: