Repwn.004014C0这个函数先是一波操作,然后出来个flag,不知道有什么用,
Flag{Th3_K3y_I5_N0t_Rea11Y_K3y}
00401597 |. 895C24 04 mov dword ptr ss:[esp+0x4],ebx ; |
0040159B |. C70424 00744000 mov dword ptr ss:[esp],Repwn.00407400 ; |%s
004015A2 |. E8 49420000 call <jmp.&msvcrt.scanf> ; \scanf
004015A7 |. 891C24 mov dword ptr ss:[esp],ebx
004015AA |. E8 41FDFFFF call Repwn.004012F0
004015AF |. 85C0 test eax,eax ; |
scanf以后是Repwn.004012F0这个函数验证从第8位开始的12位字符然后调用了Repwn.00401460
Repwn.00401460结束后,程序执行system(pause)然后退出
Repwn.004012F0这个函数比较简单,分析完后是
/0x58/0x31/0x59/0x59/0x30/0x75/0x4e/0x33/0x74/0x47/0x30/0x30/0x64
????????X1Y0uN3tG00d????
关键是Repwn.00401460这个函数没有出口,出口是崩溃????
我也想冷静啊,可是这道题不允许啊!!!
前8位字符的转换
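/*
 * Decompiled helper: converts the first eight characters of the input
 * from ASCII digits to integers (c[i] = str[i] - '0').
 *
 * @param str  the user input; only str[0..7] are read, nothing is written
 *             back through the pointer.  The caller (sub_401460) has
 *             already checked strlen(Str) == 24, so eight bytes exist.
 *
 * The decompiler's `c[v1] = str[v1++] - 48` modifies v1 and reads it in
 * the same expression, which is undefined behaviour in C, so it is
 * written as a plain indexed loop here.  In this local reconstruction
 * `c` is an automatic array and the result is discarded; the write-up
 * notes right below that in the binary the destination is the global at
 * 0x408020, which sub_4013B0 then reads.
 */
void sub_401380(char *str) /* parameter is my input */
{
    int c[8] = {0};
    for (int i = 0; i < 8; i++) {
        c[i] = str[i] - 48; /* 48 == '0' */
    }
    (void)c; /* only meaningful as the global in the real binary */
}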
c=*0x408020 存前8位验证码(int类型)
/*
 * Decompiled check on the first eight characters of the input (the
 * "front 8 digits" part of the key).
 *
 * @param a1  the user input (typed as int by the decompiler; it is handed
 *            straight to sub_401380, which treats it as char *).
 * @return 1 when all three equations hold, 0 otherwise.
 *
 * `c` is not declared in this listing: it is the global at 0x408020 that
 * sub_401380 fills with str[i] - '0'.  The indices are reproduced exactly
 * as the decompiler emitted them (c[1]..c[8]); the write-up restates the
 * same three equations with 0-based indices (c[0]..c[7]) further down.
 * Only the third equation prints a message; the first two reject silently.
 */
int sub_4013B0(int a1) /* parameter is my input */
{
    sub_401380(a1); /* fills c[] (global at 0x408020) with the first 8 digits */

    int v1 = c[4] + 1000 * c[1] + 100 * c[2] + 10 * c[3]; // ebx
    int v2 = c[6] + 10 * c[5];                            // ecx
    int v3 = c[8] + 10 * c[7];                            // esi

    /* Equations 1 and 2: a miss on either one returns 0 without output. */
    if (2 * (v1 + v2) != 4040) {
        return 0;
    }
    if (3 * v2 / 2 + 100 * v3 != 115) {
        return 0;
    }

    /* Equation 3: the only branch that tells the user anything. */
    if (v1 - 110 * v3 != 1900) {
        printf("Key_Is_Wrong,Please_Input_Again!");
        return 0;
    }

    return 1; // eax
}
2010 = c[3] + 1000 * c[0] + 100 * c[1] + 10 * c[2];
10 = c[5] + 10 * c[4];
1 = c[7] + 10 * c[6];
c[0]=0或1或2
c[3]=10或0
c[6]=0
c[7]=1
c[4]=0或1
c[5]=0或10
c[1]=0-20
c[2]=0-74
2 * (v1 + v2) = 4040
3 * v2 / 2 + 100 * v3 = 115
v1 - 110 * v3 = 1900
v1=2010 v2=10 v3=1
/*
 * Brute force for the first eight digits of the key.
 *
 * c[6] and c[7] are pinned to 0 and 1; c[0]..c[5] are swept over the
 * ranges derived above (they deliberately extend past 9, so most hits
 * contain non-digit characters).  Every assignment satisfying the three
 * equations is printed as a numbered candidate, then "完成" and a pause.
 * argc/argv are unused.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    int c[8] = { 0 };
    c[6] = 0;
    c[7] = 1;
    int solution_no = 1;

    for (c[0] = 0; c[0] <= 2; c[0]++) {
        for (c[1] = 0; c[1] <= 20; c[1]++) {
            for (c[2] = 0; c[2] <= 74; c[2]++) {
                for (c[3] = 0; c[3] <= 10; c[3]++) {
                    for (c[4] = 0; c[4] <= 1; c[4]++) {
                        for (c[5] = 0; c[5] <= 10; c[5]++) {
                            /* Same three equations as sub_4013B0, 0-based. */
                            if (2010 != c[3] + 1000 * c[0] + 100 * c[1] + 10 * c[2]) {
                                continue;
                            }
                            if (10 != c[5] + 10 * c[4]) {
                                continue;
                            }
                            if (1 != c[7] + 10 * c[6]) {
                                continue;
                            }

                            /* Render the candidate as the 8 input characters. */
                            char str[9] = { 0 };
                            for (int i = 0; i < 8; i++) {
                                str[i] = static_cast<char>(c[i] + 48);
                            }
                            printf("解%-3d:%s\n", solution_no++, str);
                        }
                    }
                }
            }
        }
    }

    puts("完成");
    getchar();
}
解1 :0=v:0:01X1Y0uN3tG00d????
解2 :0=v:1001X1Y0uN3tG00d????
解3 :0=w00:01X1Y0uN3tG00d????
解4 :0=w01001X1Y0uN3tG00d????
解5 :0>l:0:01X1Y0uN3tG00d????
解6 :0>l:1001X1Y0uN3tG00d????
解7 :0>m00:01X1Y0uN3tG00d????
解8 :0>m01001X1Y0uN3tG00d????
解9 :0?b:0:01X1Y0uN3tG00d????
解10 :0?b:1001X1Y0uN3tG00d????
解11 :0?c00:01X1Y0uN3tG00d????
解12 :0?c01001X1Y0uN3tG00d????
解13 :0@X:0:01X1Y0uN3tG00d????
解14 :0@X:1001X1Y0uN3tG00d????
解15 :0@Y00:01X1Y0uN3tG00d????
解16 :0@Y01001X1Y0uN3tG00d????
解17 :0AN:0:01X1Y0uN3tG00d????
解18 :0AN:1001X1Y0uN3tG00d????
解19 :0AO00:01X1Y0uN3tG00d????
解20 :0AO01001X1Y0uN3tG00d????
解21 :0BD:0:01X1Y0uN3tG00d????
解22 :0BD:1001X1Y0uN3tG00d????
解23 :0BE00:01X1Y0uN3tG00d????
解24 :0BE01001X1Y0uN3tG00d????
解25 :0C::0:01X1Y0uN3tG00d????
解26 :0C::1001X1Y0uN3tG00d????
解27 :0C;00:01X1Y0uN3tG00d????
解28 :0C;01001X1Y0uN3tG00d????
解29 :0D0:0:01X1Y0uN3tG00d????
解30 :0D0:1001X1Y0uN3tG00d????
解31 :0D100:01X1Y0uN3tG00d????
解32 :0D101001X1Y0uN3tG00d????
解33 :13v:0:01X1Y0uN3tG00d????
解34 :13v:1001X1Y0uN3tG00d????
解35 :13w00:01X1Y0uN3tG00d????
解36 :13w01001X1Y0uN3tG00d????
解37 :14l:0:01X1Y0uN3tG00d????
解38 :14l:1001X1Y0uN3tG00d????
解39 :14m00:01X1Y0uN3tG00d????
解40 :14m01001X1Y0uN3tG00d????
解41 :15b:0:01X1Y0uN3tG00d????
解42 :15b:1001X1Y0uN3tG00d????
解43 :15c00:01X1Y0uN3tG00d????
解44 :15c01001X1Y0uN3tG00d????
解45 :16X:0:01X1Y0uN3tG00d????
解46 :16X:1001X1Y0uN3tG00d????
解47 :16Y00:01X1Y0uN3tG00d????
解48 :16Y01001X1Y0uN3tG00d????
解49 :17N:0:01X1Y0uN3tG00d????
解50 :17N:1001X1Y0uN3tG00d????
解51 :17O00:01X1Y0uN3tG00d????
解52 :17O01001X1Y0uN3tG00d????
解53 :18D:0:01X1Y0uN3tG00d????
解54 :18D:1001X1Y0uN3tG00d????
解55 :18E00:01X1Y0uN3tG00d????
解56 :18E01001X1Y0uN3tG00d????
解57 :19::0:01X1Y0uN3tG00d????
解58 :19::1001X1Y0uN3tG00d????
解59 :19;00:01X1Y0uN3tG00d????
解60 :19;01001X1Y0uN3tG00d????
解61 :1:0:0:01X1Y0uN3tG00d????
解62 :1:0:1001X1Y0uN3tG00d????
解63 :1:100:01X1Y0uN3tG00d????
解64 :1:101001X1Y0uN3tG00d????
解65 :200:0:01X1Y0uN3tG00d????
解66 :200:1001X1Y0uN3tG00d????
解67 :20100:01X1Y0uN3tG00d????
解68 :20101001X1Y0uN3tG00d???? 只有这一个解没有符号
完成
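/*
 * Decompiled top-level check on the input (called right after scanf).
 *
 * @param Str  the user input as read by scanf("%s").
 * @return always 0.
 *
 * The length must be exactly 24; then sub_4013B0 validates the front
 * eight digits (the 12 characters from position 8 were already checked
 * by sub_4012F0, see above).  On success the last four bytes are shifted
 * by fixed offsets and the whole string is strcpy'd into `Dest`, which
 * the decompiler shows as a single byte at ebp-10h.  A 24-byte copy runs
 * past it, and the write-up below explains that the adjusted Str[20..23]
 * end up as the saved EIP.  That overflow is the behaviour under
 * analysis, so it is kept exactly as the binary has it.  The original
 * listing was missing the semicolon after `Str[23] -= 107`; restored.
 */
int sub_401460(char *Str) /* parameter is my input */
{
    char Dest; // [esp+8h] [ebp-10h]
    if ( strlen(Str) == 24 ) /* first check that the input is 24 bytes */
    {
        if ( sub_4013B0((int)Str) )
        {
            Str[20] -= 88; /* odd transformation of the last 4 characters */
            Str[21] -= 70;
            Str[22] -= 3;
            Str[23] -= 107;
            strcpy(&Dest, Str); /* 24-byte copy into the one-byte Dest: stack overflow */
        }
    }
    else /* not 24 bytes: print the message and bail out */
    {
        printf("String Length is Wrong");
    }
    return 0;
}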
这个函数中最后4个字符会成为栈中的EIP,
所以它指向的是本程序中的某处
Str[20] -= 88; H
Str[21] -= 70; a
Str[22] -= 3; C
Str[23] -= 107 k
最后三个字符必须是 aCk 才能得到 1b 40 00,H 是一开始就确定的,所以不需要管它,这样就可以拿到答案了
00401597 |. 895C24 04 mov dword ptr ss:[esp+0x4],ebx ; |
0040159B |. C70424 00744000 mov dword ptr ss:[esp],Repwn.00407400 ; |%s
004015A2 |. E8 49420000 call <jmp.&msvcrt.scanf> ; \scanf
004015AF |. 85C0 test eax,eax ; |