首页
社区
课程
招聘
[原创]看雪ctf晋级赛第六题wp-真心废物团队
发表于: 2019-3-24 11:55 5964

[原创]看雪ctf晋级赛第六题wp-真心废物团队

2019-3-24 11:55
5964

所用工具:od ida vs ,od动态分析,ida静态分析,写个程序出来,





Repwn.004014C0这个函数先是一波操纵,然后出来个flag不知道有什么用,
Flag{Th3_K3y_I5_N0t_Rea11Y_K3y}

00401597  |.  895C24 04          mov dword ptr ss:[esp+0x4],ebx                ; |
0040159B  |.  C70424 00744000    mov dword ptr ss:[esp],Repwn.00407400         ; |%s
004015A2  |.  E8 49420000        call <jmp.&msvcrt.scanf>                      ; \scanf
004015A7  |.  891C24             mov dword ptr ss:[esp],ebx
004015AA  |.  E8 41FDFFFF        call Repwn.004012F0
004015AF  |.  85C0               test eax,eax                                  ; |


scanf以后是Repwn.004012F0这个函数验证从第8位开始的12位字符然后调用了Repwn.00401460
Repwn.00401460结束后程序system(pause)后退出

Repwn.004012F0这个函数比较简单,分析完后是
/0x58/0x31/0x59/0x59/0x30/0x75/0x4e/0x33/0x74/0x47/0x30/0x30/0x64

????????X1Y0uN3tG00d????


关键是Repwn.00401460这个函数没有出口,出口是崩溃????

我也想冷静啊,可是这道题不允许啊!!!


前8位字符的转换
void sub_401380(char *str)      //参数是我的输入
{
    int v1=0; 
    int c[8]={0};
    while ( v1 <= 7 )
        c[v1] = str[v1++] - 48;
}


c=*0x408020 存前8位验证码(int类型)


int sub_4013B0(int a1)                      //参数是我的输入
{
    int v1; // ebx
    int v2; // ecx
    int v3; // esi
    int result; // eax

    sub_401380(a1);                         //408020 存前8位验证码整数
    /*
    int i=0; 
    int c[8]={0};
    while ( i <= 7 )
        c[i] = str[i++] - 48;
    */

    v1 = c[4] + 1000 * c[1] + 100 * c[2] + 10 * c[3];
    v2 = c[6] + 10 * c[5];
    v3 = c[8] + 10 * c[7];
 
    if ( 2 * (v1 + v2) != 4040 || 3 * v2 / 2 + 100 * v3 != 115 )
goto LABEL_2;
    result = 1;
    if ( v1 - 110 * v3 != 1900 )
    {
        printf("Key_Is_Wrong,Please_Input_Again!");
LABEL_2:
        result = 0;
    } 
    return result;
}



2010 = c[3] + 1000 * c[0] + 100 * c[1] + 10 * c[2];   
10 = c[5] + 10 * c[4];                           
1 = c[7] + 10 * c[6];                                 


c[0]=0或1或2
c[3]=10或0
c[6]=0
c[7]=1
c[4]=0或1
c[5]=0或10
c[1]=0-20
c[2]=0-74


2 * (v1 + v2) = 4040
3 * v2 / 2 + 100 * v3 = 115
v1 - 110 * v3 = 1900


v1=2010    v2=10    v3=1

int _tmain(int argc, _TCHAR* argv[])
{
int v1=0;
int v2=0;
int v3=0;
int c[8] = { 0 };

c[6] = 0;
c[7] = 1;

int ss = 1;

for (c[0] = 0; c[0] <= 2; c[0]++)
for (c[1] = 0; c[1] <= 20; c[1]++)
for (c[2] = 0; c[2] <= 74; c[2]++)
for (c[3] = 0; c[3] <= 10; c[3]++)
for (c[4] = 0; c[4] <= 1; c[4]++)
for (c[5] = 0; c[5] <= 10; c[5]++)
{

if ((2010 == (c[3] + 1000 * c[0] + 100 * c[1] + 10 * c[2])) &&
(10 == (c[5] + 10 * c[4])) && (1 == (c[7] + 10 * c[6])))
{
char str[9] = { 0 };
for (int i = 0; i < 8; i++)
str[i] = char(c[i] + 48);
printf("解%-3d:%s\n",ss++, str);
}
}
puts("完成");
getchar();
}

解1  :0=v:0:01X1Y0uN3tG00d????
解2  :0=v:1001X1Y0uN3tG00d????
解3  :0=w00:01X1Y0uN3tG00d????
解4  :0=w01001X1Y0uN3tG00d????
解5  :0>l:0:01X1Y0uN3tG00d????
解6  :0>l:1001X1Y0uN3tG00d????
解7  :0>m00:01X1Y0uN3tG00d????
解8  :0>m01001X1Y0uN3tG00d????
解9  :0?b:0:01X1Y0uN3tG00d????
解10 :0?b:1001X1Y0uN3tG00d????
解11 :0?c00:01X1Y0uN3tG00d????
解12 :0?c01001X1Y0uN3tG00d????
解13 :0@X:0:01X1Y0uN3tG00d????
解14 :0@X:1001X1Y0uN3tG00d????
解15 :0@Y00:01X1Y0uN3tG00d????
解16 :0@Y01001X1Y0uN3tG00d????
解17 :0AN:0:01X1Y0uN3tG00d????
解18 :0AN:1001X1Y0uN3tG00d????
解19 :0AO00:01X1Y0uN3tG00d????
解20 :0AO01001X1Y0uN3tG00d????
解21 :0BD:0:01X1Y0uN3tG00d????
解22 :0BD:1001X1Y0uN3tG00d????
解23 :0BE00:01X1Y0uN3tG00d????
解24 :0BE01001X1Y0uN3tG00d????
解25 :0C::0:01X1Y0uN3tG00d????
解26 :0C::1001X1Y0uN3tG00d????
解27 :0C;00:01X1Y0uN3tG00d????
解28 :0C;01001X1Y0uN3tG00d????
解29 :0D0:0:01X1Y0uN3tG00d????
解30 :0D0:1001X1Y0uN3tG00d????
解31 :0D100:01X1Y0uN3tG00d????
解32 :0D101001X1Y0uN3tG00d????
解33 :13v:0:01X1Y0uN3tG00d????
解34 :13v:1001X1Y0uN3tG00d????
解35 :13w00:01X1Y0uN3tG00d????
解36 :13w01001X1Y0uN3tG00d????
解37 :14l:0:01X1Y0uN3tG00d????
解38 :14l:1001X1Y0uN3tG00d????
解39 :14m00:01X1Y0uN3tG00d????
解40 :14m01001X1Y0uN3tG00d????
解41 :15b:0:01X1Y0uN3tG00d????
解42 :15b:1001X1Y0uN3tG00d????
解43 :15c00:01X1Y0uN3tG00d????
解44 :15c01001X1Y0uN3tG00d????
解45 :16X:0:01X1Y0uN3tG00d????
解46 :16X:1001X1Y0uN3tG00d????
解47 :16Y00:01X1Y0uN3tG00d????
解48 :16Y01001X1Y0uN3tG00d????
解49 :17N:0:01X1Y0uN3tG00d????
解50 :17N:1001X1Y0uN3tG00d????
解51 :17O00:01X1Y0uN3tG00d????
解52 :17O01001X1Y0uN3tG00d????
解53 :18D:0:01X1Y0uN3tG00d????
解54 :18D:1001X1Y0uN3tG00d????
解55 :18E00:01X1Y0uN3tG00d????
解56 :18E01001X1Y0uN3tG00d????
解57 :19::0:01X1Y0uN3tG00d????
解58 :19::1001X1Y0uN3tG00d????
解59 :19;00:01X1Y0uN3tG00d????
解60 :19;01001X1Y0uN3tG00d????
解61 :1:0:0:01X1Y0uN3tG00d????
解62 :1:0:1001X1Y0uN3tG00d????
解63 :1:100:01X1Y0uN3tG00d????
解64 :1:101001X1Y0uN3tG00d????
解65 :200:0:01X1Y0uN3tG00d????
解66 :200:1001X1Y0uN3tG00d????
解67 :20100:01X1Y0uN3tG00d????
解68 :20101001X1Y0uN3tG00d????       只有这一个解没有符号
完成

int sub_401460(char *Str)           //参数是我的输入
{
  char Dest; // [esp+8h] [ebp-10h]

  if ( strlen(Str) == 24 )                  //首先验证我的输入是否为24字节  
  {
    if ( sub_4013B0((int)Str) )
    {
      Str[20] -= 88;                        //最后4位字符的鬼操作
      Str[21] -= 70;
      Str[22] -= 3;
      Str[23] -= 107
      strcpy(&Dest, Str);
    }
  }
  else                                      //不是24字节就他退出了
  {
    printf("String Length is Wrong");
  }
  return 0;
}
这个函数是最后4个字符,为栈中EIP
    所以指向是本程序中段

      Str[20] -= 88;     H                  
      Str[21] -= 70;   a
      Str[22] -= 3;     C
      Str[23] -= 107    k

最后三个必须是aCk 才可以满足1b 40 00 ,H是一开始确定的,所以不需要管它,所以就可以拿到答案了
Repwn.004014C0这个函数先是一波操纵,然后出来个flag不知道有什么用,
Flag{Th3_K3y_I5_N0t_Rea11Y_K3y}

00401597  |.  895C24 04          mov dword ptr ss:[esp+0x4],ebx                ; |
0040159B  |.  C70424 00744000    mov dword ptr ss:[esp],Repwn.00407400         ; |%s
004015A2  |.  E8 49420000        call <jmp.&msvcrt.scanf>                      ; \scanf
004015A7  |.  891C24             mov dword ptr ss:[esp],ebx
004015AA  |.  E8 41FDFFFF        call Repwn.004012F0
004015AF  |.  85C0               test eax,eax                                  ; |


scanf以后是Repwn.004012F0这个函数验证从第8位开始的12位字符然后调用了Repwn.00401460
Repwn.00401460结束后程序system(pause)后退出

Repwn.004012F0这个函数比较简单,分析完后是
/0x58/0x31/0x59/0x59/0x30/0x75/0x4e/0x33/0x74/0x47/0x30/0x30/0x64

????????X1Y0uN3tG00d????


关键是Repwn.00401460这个函数没有出口,出口是崩溃????

我也想冷静啊,可是这道题不允许啊!!!


前8位字符的转换
void sub_401380(char *str)      //参数是我的输入
{
    int v1=0; 
    int c[8]={0};
    while ( v1 <= 7 )
        c[v1] = str[v1++] - 48;
}


c=*0x408020 存前8位验证码(int类型)


int sub_4013B0(int a1)                      //参数是我的输入
{
    int v1; // ebx
    int v2; // ecx
    int v3; // esi
    int result; // eax

    sub_401380(a1);                         //408020 存前8位验证码整数
    /*
    int i=0; 
    int c[8]={0};
    while ( i <= 7 )
        c[i] = str[i++] - 48;
    */

    v1 = c[4] + 1000 * c[1] + 100 * c[2] + 10 * c[3];
    v2 = c[6] + 10 * c[5];
    v3 = c[8] + 10 * c[7];
 
    if ( 2 * (v1 + v2) != 4040 || 3 * v2 / 2 + 100 * v3 != 115 )
goto LABEL_2;
    result = 1;
    if ( v1 - 110 * v3 != 1900 )
    {
        printf("Key_Is_Wrong,Please_Input_Again!");
LABEL_2:
        result = 0;
    } 
    return result;
}



2010 = c[3] + 1000 * c[0] + 100 * c[1] + 10 * c[2];   
10 = c[5] + 10 * c[4];                           
1 = c[7] + 10 * c[6];                                 


c[0]=0或1或2
c[3]=10或0
c[6]=0
c[7]=1
c[4]=0或1
c[5]=0或10
c[1]=0-20
c[2]=0-74


2 * (v1 + v2) = 4040
3 * v2 / 2 + 100 * v3 = 115
v1 - 110 * v3 = 1900


v1=2010    v2=10    v3=1

int _tmain(int argc, _TCHAR* argv[])
{
int v1=0;
int v2=0;
int v3=0;
int c[8] = { 0 };

c[6] = 0;
c[7] = 1;

int ss = 1;

for (c[0] = 0; c[0] <= 2; c[0]++)
for (c[1] = 0; c[1] <= 20; c[1]++)
for (c[2] = 0; c[2] <= 74; c[2]++)
for (c[3] = 0; c[3] <= 10; c[3]++)
for (c[4] = 0; c[4] <= 1; c[4]++)
for (c[5] = 0; c[5] <= 10; c[5]++)

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2019-3-24 18:32 被湖畔砍柴人编辑 ,原因: 重新提交清晰思路
收藏
免费 1
支持
分享
最新回复 (4)
雪    币: 914
活跃值: (2468)
能力值: ( LV5,RANK:68 )
在线值:
发帖
回帖
粉丝
2
战队名感人至深
2019-3-25 16:23
0
雪    币: 2862
活跃值: (70)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
3
2019-3-25 19:07
0
雪    币: 19097
活跃值: (1345)
能力值: ( LV15,RANK:936 )
在线值:
发帖
回帖
粉丝
4
梳碧湖畔砍柴人 厉害
2019-3-25 21:55
0
雪    币: 2862
活跃值: (70)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
5
还是砍柴靠谱哈哈
2019-3-26 07:54
0
游客
登录 | 注册 方可回帖
返回
//