-
-
[原创]KCTF 2019 Q1 第6题----Repwn
-
发表于: 2019-3-24 10:39 3523
-
1、根据字符串“Please Input Your Key_ Now!“找到输入key的代码在0x0x4015A2,在4015AA处调用了sub_4012F0用于比较key的第8-19位和20位
.text:00401588 mov [esp+68h+Str], offset Str ; "Please Input Your Key_ Now!" .text:0040158F lea ebx, [ebp+var_28] .text:00401592 call puts .text:00401597 mov [esp+68h+var_64], ebx .text:0040159B mov [esp+68h+Str], offset aS ; "%s" .text:004015A2 call scanf .text:004015A7 mov [esp+68h+Str], ebx .text:004015AA call sub_4012F0 ; 比较key的第8-19位是不是==X1Y0uN3tG00d,第20位是不是==H(0x48) .text:004015AF test eax, eax .text:004015B1 jnz short loc_4015C7 .text:004015B3 lea eax, [ebp+var_58] .text:004015B6 mov [esp+68h+Str], eax ; Str .text:004015B9 call puts .text:004015BE lea esp, [ebp-8] .text:004015C1 xor eax, eax .text:004015C3 pop ebx .text:004015C4 pop esi .text:004015C5 pop ebp .text:004015C6 retn
.text:00401588 mov [esp+68h+Str], offset Str ; "Please Input Your Key_ Now!" .text:0040158F lea ebx, [ebp+var_28] .text:00401592 call puts .text:00401597 mov [esp+68h+var_64], ebx .text:0040159B mov [esp+68h+Str], offset aS ; "%s" .text:004015A2 call scanf .text:004015A7 mov [esp+68h+Str], ebx .text:004015AA call sub_4012F0 ; 比较key的第8-19位是不是==X1Y0uN3tG00d,第20位是不是==H(0x48) .text:004015AF test eax, eax .text:004015B1 jnz short loc_4015C7 .text:004015B3 lea eax, [ebp+var_58] .text:004015B6 mov [esp+68h+Str], eax ; Str .text:004015B9 call puts .text:004015BE lea esp, [ebp-8] .text:004015C1 xor eax, eax .text:004015C3 pop ebx .text:004015C4 pop esi .text:004015C5 pop ebp .text:004015C6 retn
2、第一步比较通过之后会跳到0x4015C7,调用了sub_401460这个函数。
1)、这个函数在401472处比较key的长度是不是等于0x18如果不等则错误
2)、在0x401493调用了函数sub_4013B0,用于校验0-7位是否符合条件
3)、在0x4014B6利用strcpy的栈溢出漏洞跳转到第二个key的输入和校验处,溢出地址可以由字符串"pause"找到;有两处引用了这个字符串,其中由0x401BC7处引用了这个字符串。再往前回溯找到0x401CE1调用了这个函数,可以得出溢出地址是0x401BF0。
1460 sub_401460 proc near ; CODE XREF: sub_4014C0+10Ap .text:00401460 .text:00401460 Str = dword ptr -18h .text:00401460 Source = dword ptr -14h .text:00401460 Dest = byte ptr -10h .text:00401460 arg_0 = dword ptr 8 .text:00401460 .text:00401460 push ebp .text:00401461 mov ebp, esp .text:00401463 push ebx .text:00401464 sub esp, 14h .text:00401467 mov ebx, [ebp+arg_0] .text:0040146A mov [esp+18h+Str], ebx ; Str .text:0040146D call strlen .text:00401472 cmp eax, 18h .text:00401475 jz short loc_401490 .text:00401477 mov [esp+18h+Str], offset aStringLengthIs ; "String Length is Wrong" .text:0040147E call printf .text:00401483 .text:00401483 loc_401483: ; CODE XREF: sub_401460+3Aj .text:00401483 ; sub_401460+5Bj .text:00401483 add esp, 14h .text:00401486 xor eax, eax .text:00401488 pop ebx .text:00401489 pop ebp .text:0040148A retn .text:0040148A ; --------------------------------------------------------------------------- .text:0040148B align 10h .text:00401490 .text:00401490 loc_401490: ; CODE XREF: sub_401460+15j .text:00401490 mov [esp+18h+Str], ebx .text:00401493 call sub_4013B0 ; 校验第0-7位是否符合条件 .text:00401498 test eax, eax .text:0040149A jz short loc_401483 .text:0040149C sub byte ptr [ebx+14h], 58h .text:004014A0 lea eax, [ebp+Dest] .text:004014A3 sub byte ptr [ebx+15h], 46h .text:004014A7 sub byte ptr [ebx+16h], 3 .text:004014AB sub byte ptr [ebx+17h], 6Bh .text:004014AF mov [esp+18h+Source], ebx ; Source .text:004014B3 mov [esp+18h+Str], eax ; Dest .text:004014B6 call strcpy .text:004014BB jmp short loc_401483 .text:004014BB sub_401460 endp
1460 sub_401460 proc near ; CODE XREF: sub_4014C0+10Ap .text:00401460 .text:00401460 Str = dword ptr -18h .text:00401460 Source = dword ptr -14h .text:00401460 Dest = byte ptr -10h .text:00401460 arg_0 = dword ptr 8 .text:00401460 .text:00401460 push ebp .text:00401461 mov ebp, esp .text:00401463 push ebx .text:00401464 sub esp, 14h .text:00401467 mov ebx, [ebp+arg_0] .text:0040146A mov [esp+18h+Str], ebx ; Str .text:0040146D call strlen .text:00401472 cmp eax, 18h .text:00401475 jz short loc_401490 .text:00401477 mov [esp+18h+Str], offset aStringLengthIs ; "String Length is Wrong" .text:0040147E call printf .text:00401483 .text:00401483 loc_401483: ; CODE XREF: sub_401460+3Aj .text:00401483 ; sub_401460+5Bj .text:00401483 add esp, 14h .text:00401486 xor eax, eax .text:00401488 pop ebx .text:00401489 pop ebp .text:0040148A retn .text:0040148A ; --------------------------------------------------------------------------- .text:0040148B align 10h .text:00401490 .text:00401490 loc_401490: ; CODE XREF: sub_401460+15j .text:00401490 mov [esp+18h+Str], ebx .text:00401493 call sub_4013B0 ; 校验第0-7位是否符合条件 .text:00401498 test eax, eax .text:0040149A jz short loc_401483 .text:0040149C sub byte ptr [ebx+14h], 58h .text:004014A0 lea eax, [ebp+Dest] .text:004014A3 sub byte ptr [ebx+15h], 46h .text:004014A7 sub byte ptr [ebx+16h], 3 .text:004014AB sub byte ptr [ebx+17h], 6Bh .text:004014AF mov [esp+18h+Source], ebx ; Source .text:004014B3 mov [esp+18h+Str], eax ; Dest .text:004014B6 call strcpy .text:004014BB jmp short loc_401483 .text:004014BB sub_401460 endp
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏记录
参与人
雪币
留言
时间
一笑人间万事
为你点赞~
2023-1-27 05:01
MTRush
为你点赞~
2020-8-25 11:39
qux
为你点赞~
2019-3-27 23:04
赞赏
他的文章
看原图
赞赏
雪币:
留言: