[原创]【2019看雪CTF】Q2赛季 第一题 神秘来信 WP
发表于: 2019-7-2 00:10 5032
【2019看雪CTF】Q2赛季 第一题 神秘来信 WP
Console 题目，直接对 main 函数按 F5 得到如下伪代码：
// Hex-Rays output for the challenge's main(): reads a serial, checks a few
// byte constraints, then enters an SEH __try block.  The decompiler hides
// the __except handler (the one that prints "success!") and drops the
// call/pop/div sequence that the assembly listing below shows between
// "TryLevel = 0" and "MEMORY[0] = 65".
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // esi  -- accumulator built from the input characters
  unsigned int v4; // kr00_4  -- strlen(input)
  unsigned int v6; // ecx  -- loop index over input
  char input[20]; // [esp+10h] [ebp-3Ch]
  CPPEH_RECORD ms_exc; // [esp+34h] [ebp-18h]  -- SEH registration record

  v3 = 0;
  sub_401410((int)"请输入序列号:\n");
  // Presumably a scanf-style read: "%s" carries no width limit, so input
  // longer than the 20-byte stack buffer overruns it before the length
  // check below is ever reached.
  sub_4013D0("%s", input);
  v4 = strlen(input);
  if ( v4 < 7 // at most 6 characters
    && input[5] == '3'
    && input[4] == '5'
    && input[3] == '3'
    && (unsigned __int8)input[2] + (unsigned __int8)input[1] + (unsigned __int8)input[0] == 0x95 )
  {
    v6 = 0;
    if ( v4 )
    {
      // v3 = v3 * 16 + (c - '0'): packs each character as a hex nibble.
      // Only '0'..'9' map to their own value, so "401353" gives 0x401353.
      do
        v3 = (unsigned __int8)input[v6++] + 16 * v3 - 48;
      while ( v6 < v4 );
    }
    // Enters __try.  The asm shows "sub esi, 401353h; div esi" right here
    // (skipped when esi == 0), which the decompiler did not emit.
    ms_exc.registration.TryLevel = 0;
    // Write to address 0 -- presumably faults (access violation) inside the
    // same __try, so the handler that prints "success!" is reachable even
    // when the divide does not trap.
    MEMORY[0] = 65;
    sub_401410((int)"error!\n");
    while ( 1 )
      ;
  }
  sub_401410((int)"error\n");
  return 0;
}
先是检查输入长度小于 7，第 4、5、6 字节分别为 '3'、'5'、'3'，前三字节 ASCII 码之和为 0x95。然后下面的逻辑似乎不对了，直接看 asm。
; Byte checks on the serial (continuation of _main, which starts at 401260):
; input[5] == '3', input[4] == '5', input[3] == '3', input[0..2] sum to 95h.
.text:004012F9 loc_4012F9:                             ; CODE XREF: _main+6C↑j
.text:004012F9                 cmp     [ebp+input+5], 33h
.text:004012FD                 jnz     short loc_4012CE
.text:004012FF                 cmp     [ebp+input+4], 35h
.text:00401303                 jnz     short loc_4012CE
.text:00401305                 cmp     [ebp+input+3], 33h
.text:00401309                 jnz     short loc_4012CE
.text:0040130B                 movzx   ecx, [ebp+input]
.text:0040130F                 movzx   eax, [ebp+input+1]
.text:00401313                 add     ecx, eax
.text:00401315                 movzx   eax, [ebp+input+2]
.text:00401319                 add     ecx, eax
.text:0040131B                 cmp     ecx, 95h
.text:00401321                 jnz     short loc_4012CE
.text:00401323                 xor     ecx, ecx
.text:00401325                 test    edx, edx        ; edx = strlen(input); skip loop if empty
.text:00401327                 jz      short loc_401342
.text:00401329                 nop     dword ptr [eax+00000000h]
.text:00401330
; esi = esi * 16 + (input[ecx] - 30h): packs the characters as hex nibbles.
.text:00401330 loc_401330:                             ; CODE XREF: _main+E0↓j
.text:00401330                 movzx   eax, [ebp+ecx+input]
.text:00401335                 shl     esi, 4
.text:00401338                 add     esi, 0FFFFFFD0h ; i.e. subtract 30h ('0')
.text:0040133B                 add     esi, eax
.text:0040133D                 inc     ecx
.text:0040133E                 cmp     ecx, edx
.text:00401340                 jb      short loc_401330
.text:00401342
.text:00401342 loc_401342:                             ; CODE XREF: _main+C7↑j
.text:00401342 ; __try { // __except at loc_401379
.text:00401342                 mov     [ebp+ms_exc.registration.TryLevel], 0
.text:00401349                 test    esi, esi        ; esi == 0 skips the divide entirely
.text:0040134B                 jz      short loc_40135D
.text:0040134D                 push    eax
; call/pop trick: the 5-byte call at 40134E pushes its return address 401353,
; so eax == 401353h after the pop at loc_401354.  The byte at 401353 is never
; executed (it is jumped over by the call).
.text:0040134E                 call    loc_401354
.text:0040134E ; ---------------------------------------------------------------------------
.text:00401353                 db 0EBh
.text:00401354 ; ---------------------------------------------------------------------------
.text:00401354
.text:00401354 loc_401354:                             ; CODE XREF: _main+EE↑j
.text:00401354                 pop     eax
.text:00401355                 sub     eax, 0
.text:00401358                 sub     esi, eax        ; esi -= 401353h
.text:0040135A                 div     esi             ; esi == 0 -> divide-by-zero, caught by the __try
.text:0040135C                 pop     eax
.text:0040135D
.text:0040135D loc_40135D:                             ; CODE XREF: _main+EB↑j
; Store to address 0: presumably an access violation inside the same __try,
; so the handler below is reachable even when the divide does not trap.
.text:0040135D                 mov     large byte ptr ds:0, 41h
.text:00401364                 push    offset aError_0 ; "error!\n"
.text:00401369                 call    sub_401410
.text:0040136E                 add     esp, 4
.text:00401371
.text:00401371 loc_401371:                             ; CODE XREF: _main:loc_401371↓j
.text:00401371                 jmp     short loc_401371
.text:00401373 ; ---------------------------------------------------------------------------
.text:00401373
; Exception filter: returns 1 (EXCEPTION_EXECUTE_HANDLER) for every exception.
.text:00401373 loc_401373:                             ; DATA XREF: .rdata:stru_41CC98↓o
.text:00401373 ; __except filter // owned by 401342
.text:00401373                 mov     eax, 1
.text:00401378                 retn
.text:00401379 ; ---------------------------------------------------------------------------
.text:00401379
; Handler: recompute strlen(input) inline, store (input[i] + 9) as 16-bit
; words into word_41F300, then print "success!" and spin.
.text:00401379 loc_401379:                             ; DATA XREF: .rdata:stru_41CC98↓o
.text:00401379 ; __except(loc_401373) // owned by 401342
.text:00401379                 mov     esp, [ebp+ms_exc.old_esp]
.text:0040137C                 lea     edx, [ebp+input]
.text:0040137F                 lea     ecx, [edx+1]
.text:00401382
.text:00401382 loc_401382:                             ; CODE XREF: _main+127↓j
.text:00401382                 mov     al, [edx]
.text:00401384                 inc     edx
.text:00401385                 test    al, al
.text:00401387                 jnz     short loc_401382
.text:00401389                 sub     edx, ecx        ; edx = strlen(input)
.text:0040138B                 xor     ecx, ecx
.text:0040138D                 test    edx, edx
.text:0040138F                 jle     short loc_4013A7
.text:00401391
.text:00401391 loc_401391:                             ; CODE XREF: _main+145↓j
.text:00401391                 movzx   eax, [ebp+ecx+input]
.text:00401396                 add     ax, 9
.text:0040139A                 mov     word_41F300[ecx*2], ax
.text:004013A2                 inc     ecx
.text:004013A3                 cmp     ecx, edx
.text:004013A5                 jl      short loc_401391
.text:004013A7
.text:004013A7 loc_4013A7:                             ; CODE XREF: _main+12F↑j
.text:004013A7                 push    offset aSuccess ; "success!\n"
.text:004013AC                 call    sub_401410
.text:004013B1                 add     esp, 4
.text:004013B4
.text:004013B4 loc_4013B4:                             ; CODE XREF: _main:loc_4013B4↓j
.text:004013B4                 jmp     short loc_4013B4
.text:004013B4 ; } // starts at 401342
.text:004013B4 ; } // starts at 401260
原来有异常处理：输入各字符组合成的 DWORD 值减去几乎是定值的 0x401353 后作为除数，只有触发（除零）异常才能走到打印 'success' 的路径。
所以输入就是401353。做完后看到群里说有多解,当时并未注意。