【2019看雪CTF】Q1赛季 第一题流浪者 WP

VC窗体程序，直接通过字符串定位到按钮响应函数。

int __thiscall sub_401890(CWnd *this)
{
  struct CString *v1; // ST08_4
  CWnd *v2; // eax
  int v3; // eax
  int v5[26]; // [esp+4Ch] [ebp-74h]
  int i; // [esp+B4h] [ebp-Ch]
  char *Str; // [esp+B8h] [ebp-8h]
  CWnd *v8; // [esp+BCh] [ebp-4h]

  v8 = this;
  v1 = (CWnd *)((char *)this + 100);
  v2 = CWnd::GetDlgItem(this, 1002);
  CWnd::GetWindowTextA(v2, v1);
  v3 = sub_401A30((char *)v8 + 100);
  Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3);
  if ( !strlen(Str) )
    return CWnd::MessageBoxA(v8, "请输入pass!", 0, 0);
  for ( i = 0; Str[i]; ++i )
  {
    if ( Str[i] > 0x39 || Str[i] < 0x30 )
    {
      if ( Str[i] > 0x7A || Str[i] < 0x61 )
      {
        if ( Str[i] > 0x5A || Str[i] < 0x41 )
          fail_4017B0();
        else
          v5[i] = Str[i] - 0x1D;
      }
      else
      {
        v5[i] = Str[i] - 0x57;
      }
    }
    else
    {
      v5[i] = Str[i] - 0x30;
    }
  }
  return check_4017F0(v5);
}

校验函数在4017F0处的函数中：

BOOL __cdecl check_4017F0(int *a1)
{
  BOOL result; // eax
  char Str1[28]; // [esp+D8h] [ebp-24h]
  int v3; // [esp+F4h] [ebp-8h]
  int v4; // [esp+F8h] [ebp-4h]

  v4 = 0;
  v3 = 0;
  while ( a1[v4] < 0x3E && a1[v4] >= 0 )
  {
    Str1[v4] = aAbcdefghiabcde[a1[v4]];
    ++v4;
  }
  Str1[v4] = 0;
  if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
    result = success_401770();
  else
    result = fail_4017B0();
  return result;
}

开始先进行了输入字串的范围，输入限定在大小写字母及数字中。校验函数是一种替换加密吧。反解如下：

a='KanXueCTF2019JustForhappy'
table='abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'
table1 = string.digits+string.letters
transtab = string.maketrans(table,table1)
print a.translate(transtab)

最终flag为j0rXI4bTeustBiIGHeCF70DDM。

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界