-
-
[原创]2019看雪CTF 晋级赛Q1 第1题
-
发表于:
2019-3-23 16:19
3337
-
校验函数如下:
int __thiscall check(CWnd *this)
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
int v5[26]; // [esp+4Ch] [ebp-74h]
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v1 = (CWnd *)((char *)this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401A30((char *)v8 + 100);
Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, &byte_4035DC, 0, 0);
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 0x39 || Str[i] < 0x30 )
{
if ( Str[i] > 0x7A || Str[i] < 0x61 )
{
if ( Str[i] > 0x5A || Str[i] < 0x41 )
fail();
else
v5[i] = Str[i] - 0x1D;
}
else
{
v5[i] = Str[i] - 0x57;
}
}
else
{
v5[i] = Str[i] - 0x30;
}
}
return check1((int)v5);
}1、读取输入sn,然后根据sn字符类型减去一个相关的常量,放入到一个整形数组中。
int __thiscall check(CWnd *this)
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
int v5[26]; // [esp+4Ch] [ebp-74h]
int i; // [esp+B4h] [ebp-Ch]
char *Str; // [esp+B8h] [ebp-8h]
CWnd *v8; // [esp+BCh] [ebp-4h]
v8 = this;
v1 = (CWnd *)((char *)this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401A30((char *)v8 + 100);
Str = CString::GetBuffer((CWnd *)((char *)v8 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v8, &byte_4035DC, 0, 0);
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 0x39 || Str[i] < 0x30 )
{
if ( Str[i] > 0x7A || Str[i] < 0x61 )
{
if ( Str[i] > 0x5A || Str[i] < 0x41 )
fail();
else
v5[i] = Str[i] - 0x1D;
}
else
{
v5[i] = Str[i] - 0x57;
}
}
else
{
v5[i] = Str[i] - 0x30;
}
}
return check1((int)v5);
}1、读取输入sn,然后根据sn字符类型减去一个相关的常量,放入到一个整形数组中。
2、调用check1函数继续校验
BOOL __cdecl check1(int a1)
{
BOOL result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = success();
else
result = fail();
return result;
}3、根据步骤2生成的整形数组,索引常量字符串“abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ”,生成一个新的sn
BOOL __cdecl check1(int a1)
{
BOOL result; // eax
char Str1[28]; // [esp+D8h] [ebp-24h]
int v3; // [esp+F4h] [ebp-8h]
int v4; // [esp+F8h] [ebp-4h]
v4 = 0;
v3 = 0;
while ( *(_DWORD *)(a1 + 4 * v4) < 0x3E && *(_DWORD *)(a1 + 4 * v4) >= 0 )
{
Str1[v4] = aAbcdefghiabcde[*(_DWORD *)(a1 + 4 * v4)];
++v4;
}
Str1[v4] = 0;
if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
result = success();
else
result = fail();
return result;
}3、根据步骤2生成的整形数组,索引常量字符串“abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ”,生成一个新的sn
4、使用步骤3生成的新的sn与key“KanXueCTF2019JustForhappy”比较。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
