[Original] KCTF 2019 Q1 Problem 6 ---- Repwn

Posted: 2019-3-24 10:39
-
1. Using the string "Please Input Your Key_ Now!", locate the code that reads the key at 0x4015A2. At 0x4015AA it calls sub_4012F0, which compares bytes 8-19 and byte 20 of the key.

.text:00401588 mov     [esp+68h+Str], offset Str ; "Please Input Your Key_ Now!"
.text:0040158F lea     ebx, [ebp+var_28]
.text:00401592 call    puts
.text:00401597 mov     [esp+68h+var_64], ebx
.text:0040159B mov     [esp+68h+Str], offset aS ; "%s"
.text:004015A2 call    scanf
.text:004015A7 mov     [esp+68h+Str], ebx
.text:004015AA call    sub_4012F0 ; checks whether bytes 8-19 of the key == X1Y0uN3tG00d and byte 20 == H (0x48)
.text:004015AF test    eax, eax
.text:004015B1 jnz     short loc_4015C7
.text:004015B3 lea     eax, [ebp+var_58]
.text:004015B6 mov     [esp+68h+Str], eax ; Str
.text:004015B9 call    puts
.text:004015BE lea     esp, [ebp-8]
.text:004015C1 xor     eax, eax
.text:004015C3 pop     ebx
.text:004015C4 pop     esi
.text:004015C5 pop     ebp
.text:004015C6 retn
2. Once the first comparison passes, control jumps to 0x4015C7, which calls sub_401460.
1) At 0x401472 this function checks whether the key length equals 0x18; if it does not, the check fails.
2) At 0x401493 it calls sub_4013B0, which verifies that bytes 0-7 meet the required conditions.
3) At 0x4014B6 the stack overflow in strcpy is used to jump to the input and verification of the second key. The overflow target address can be found via the string "pause": it is referenced in two places, one of them at 0x401BC7. Tracing backward from there, 0x401CE1 calls that function, which gives the overflow address 0x401BF0.
.text:00401460 sub_401460 proc near ; CODE XREF: sub_4014C0+10Ap
.text:00401460
.text:00401460 Str    = dword ptr -18h
.text:00401460 Source = dword ptr -14h
.text:00401460 Dest   = byte ptr -10h
.text:00401460 arg_0  = dword ptr 8
.text:00401460
.text:00401460 push    ebp
.text:00401461 mov     ebp, esp
.text:00401463 push    ebx
.text:00401464 sub     esp, 14h
.text:00401467 mov     ebx, [ebp+arg_0]
.text:0040146A mov     [esp+18h+Str], ebx ; Str
.text:0040146D call    strlen
.text:00401472 cmp     eax, 18h
.text:00401475 jz      short loc_401490
.text:00401477 mov     [esp+18h+Str], offset aStringLengthIs ; "String Length is Wrong"
.text:0040147E call    printf
.text:00401483
.text:00401483 loc_401483: ; CODE XREF: sub_401460+3Aj
.text:00401483             ; sub_401460+5Bj
.text:00401483 add     esp, 14h
.text:00401486 xor     eax, eax
.text:00401488 pop     ebx
.text:00401489 pop     ebp
.text:0040148A retn
.text:0040148A ; ---------------------------------------------------------------------------
.text:0040148B align 10h
.text:00401490
.text:00401490 loc_401490: ; CODE XREF: sub_401460+15j
.text:00401490 mov     [esp+18h+Str], ebx
.text:00401493 call    sub_4013B0 ; verifies that bytes 0-7 meet the conditions
.text:00401498 test    eax, eax
.text:0040149A jz      short loc_401483
.text:0040149C sub     byte ptr [ebx+14h], 58h
.text:004014A0 lea     eax, [ebp+Dest]
.text:004014A3 sub     byte ptr [ebx+15h], 46h
.text:004014A7 sub     byte ptr [ebx+16h], 3
.text:004014AB sub     byte ptr [ebx+17h], 6Bh
.text:004014AF mov     [esp+18h+Source], ebx ; Source
.text:004014B3 mov     [esp+18h+Str], eax ; Dest
.text:004014B6 call    strcpy
.text:004014BB jmp     short loc_401483
.text:004014BB sub_401460 endp
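The root cause in sub_401460 is the mismatch between the length it demands (0x18 bytes) and the 16-byte Dest it copies into with strcpy. The following C is an added illustration, not the challenge's own code: the unsafe shape mirrors the disassembly above, and the hardened shape sizes the buffer for the required length and bounds the copy by the destination. Function names and the sample key are constructed; the rule for bytes 0-7 (sub_4013B0) is not on this page and is not modelled.

```c
#include <stdio.h>
#include <string.h>

#define KEY_LEN    24    /* sub_401460 requires strlen(key) == 18h */
#define DEST_SIZE  16    /* Dest lives at ebp-10h: only 16 bytes below saved ebx/ebp */
#define MID_EXPECT "X1Y0uN3tG00d"  /* bytes 8-19 checked by sub_4012F0 */

/* Step-1 check as the writeup describes sub_4012F0: bytes 8-19 and byte 20. */
int check_step1(const char *key)
{
    if (strlen(key) < 21)
        return 0;
    return memcmp(key + 8, MID_EXPECT, 12) == 0 && key[20] == 'H';
}

/* Unsafe shape mirroring sub_401460: the length check admits exactly 24
 * characters, but the copy is bounded by the source, so 24 bytes plus the
 * terminator overrun a 16-byte local. Never called here. */
int copy_key_unsafe(const char *key)
{
    char dest[DEST_SIZE];
    if (strlen(key) != KEY_LEN)
        return 0;
    strcpy(dest, key);          /* writes 25 bytes into 16: stack overflow */
    return dest[0] != '\0';
}

/* Hardened shape: the destination is sized for the length the check
 * demands and the copy is bounded by the destination, never the source. */
int copy_key_safe(const char *key, char *out, size_t out_size)
{
    size_t n = strlen(key);
    if (n != KEY_LEN || out_size < KEY_LEN + 1)
        return 0;               /* wrong length or buffer too small: reject */
    memcpy(out, key, KEY_LEN);
    out[KEY_LEN] = '\0';
    return 1;
}

/* Runs both checks on one key; returns 1 only if it passes step 1 and is
 * copied without truncation or overflow. */
int validate_key(const char *key)
{
    char buf[KEY_LEN + 1];
    if (!check_step1(key))
        return 0;
    if (!copy_key_safe(key, buf, sizeof buf))
        return 0;
    return strcmp(buf, key) == 0;
}
```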