-
-
[原创]2019看雪CTF 晋级赛Q1 第1题
-
发表于: 2019-3-23 16:19 3345
-
校验函数如下:
int __thiscall check(CWnd *this) { struct CString *v1; // ST08_4 CWnd *v2; // eax int v3; // eax int v5[26]; // [esp+4Ch] [ebp-74h] int i; // [esp+B4h] [ebp-Ch] char *Str; // [esp+B8h] [ebp-8h] CWnd *v8; // [esp+BCh] [ebp-4h] v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( !strlen(Str) ) return CWnd::MessageBoxA(v8, &byte_4035DC, 0, 0); for ( i = 0; Str[i]; ++i ) { if ( Str[i] > 0x39 || Str[i] < 0x30 ) { if ( Str[i] > 0x7A || Str[i] < 0x61 ) { if ( Str[i] > 0x5A || Str[i] < 0x41 ) fail(); else v5[i] = Str[i] - 0x1D; } else { v5[i] = Str[i] - 0x57; } } else { v5[i] = Str[i] - 0x30; } } return check1((int)v5); }
1、读取输入sn,然后根据sn字符类型减去一个相关的常量,放入到一个整形数组中。
int __thiscall check(CWnd *this) { struct CString *v1; // ST08_4 CWnd *v2; // eax int v3; // eax int v5[26]; // [esp+4Ch] [ebp-74h] int i; // [esp+B4h] [ebp-Ch] char *Str; // [esp+B8h] [ebp-8h] CWnd *v8; // [esp+BCh] [ebp-4h] v8 = this; v1 = (CWnd *)((char *)this + 100); v2 = CWnd::GetDlgItem(this, 1002); CWnd::GetWindowTextA(v2, v1); v3 = sub_401A30((char *)v8 + 100); Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3); if ( !strlen(Str) ) return CWnd::MessageBoxA(v8, &byte_4035DC, 0, 0); for ( i = 0; Str[i]; ++i ) { if ( Str[i] > 0x39 || Str[i] < 0x30 ) { if ( Str[i] > 0x7A || Str[i] < 0x61 ) { if ( Str[i] > 0x5A || Str[i] < 0x41 ) fail(); else v5[i] = Str[i] - 0x1D; } else { v5[i] = Str[i] - 0x57; } } else { v5[i] = Str[i] - 0x30; } } return check1((int)v5); }
1、读取输入sn,然后根据sn字符类型减去一个相关的常量,放入到一个整形数组中。
2、调用check1函数继续校验
BOOL __cdecl check1(int a1) { BOOL result; // eax char Str1[28]; // [esp+D8h] [ebp-24h] int v3; // [esp+F4h] [ebp-8h] int v4; // [esp+F8h] [ebp-4h] v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = success(); else result = fail(); return result; }
3、根据步骤2生成的整形数组,索引常量字符串“abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ”,生成一个新的sn
BOOL __cdecl check1(int a1) { BOOL result; // eax char Str1[28]; // [esp+D8h] [ebp-24h] int v3; // [esp+F4h] [ebp-8h] int v4; // [esp+F8h] [ebp-4h] v4 = 0; v3 = 0; while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 ) { Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)]; ++v4; } Str1[v4] = 0; if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") ) result = success(); else result = fail(); return result; }
3、根据步骤2生成的整形数组,索引常量字符串“abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ”,生成一个新的sn
4、使用步骤3生成的新的sn与key“KanXueCTF2019JustForhappy”比较。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
他的文章
看原图
赞赏
雪币:
留言: