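Open CrackMe.exe in OllyDbg.
After a few minutes of browsing the code and trying some breakpoints, I found where the input is processed:
Stepping into the call leads to the place where the base64 alphabet is initialized:
This gives the base64 alphabet: prvo9CHSJOcPIb6xRVUXQz0qBGDE72LNZduaefYT5K_8-4FAhlimjkngt1yMWs3w!
Stepping slowly onward, debugging reaches what looks like the verification point:
WOW64 code is awkward to debug in OllyDbg, so I simply set a breakpoint on the following line and watched what happened.
After breaking at 0088D8A5, scrolling up and down the stack reveals something:
A string shows up: GYldGg-iIoJlPX9hPXpjPqfdEY21B01TBTzeGqfKNR!!
Decoding it as base64 with the alphabet found earlier gives:
flag{2021-10-04-yangyangbudeyi}
Haha, this is the proverbial soft persimmon (an easy target).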
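The decoding step described above, as an added example that is not part of the original write-up: it maps the custom alphabet onto the standard one and lets Python's base64 module do the rest. It assumes the 65th table byte (`!`) is the padding character, which is inferred from the encoded string ending in `!!`; the function names are illustrative.

```python
import base64

# Values copied from the write-up above.
TABLE = "prvo9CHSJOcPIb6xRVUXQz0qBGDE72LNZduaefYT5K_8-4FAhlimjkngt1yMWs3w!"
ENCODED = "GYldGg-iIoJlPX9hPXpjPqfdEY21B01TBTzeGqfKNR!!"

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def split_table(table):
    """Split the 65-byte table into 64 symbols and the padding character.

    Assumption: the last byte is the padding character.
    """
    if len(table) != 65 or len(set(table)) != 65:
        raise ValueError("expected 65 distinct characters (64 symbols + padding)")
    return table[:64], table[64]


def custom_b64decode(text, table=TABLE):
    """Decode text that was base64-encoded with a non-standard alphabet."""
    symbols, pad = split_table(table)
    bad = set(text) - set(table)
    if bad:
        raise ValueError(f"characters outside the table: {sorted(bad)}")
    # Map each custom symbol to the standard symbol with the same 6-bit value.
    to_std = str.maketrans(symbols + pad, STD + "=")
    return base64.b64decode(text.translate(to_std), validate=True)


def custom_b64encode(data, table=TABLE):
    """Encode bytes with the non-standard alphabet (inverse of the decoder)."""
    symbols, pad = split_table(table)
    from_std = str.maketrans(STD + "=", symbols + pad)
    return base64.b64encode(data).decode("ascii").translate(from_std)


if __name__ == "__main__":
    plain = custom_b64decode(ENCODED)
    print(plain.decode("ascii"))
    # Round trip: re-encoding must reproduce the string seen on the stack.
    print(custom_b64encode(plain) == ENCODED)
```

The round-trip check confirms that the table order and the padding assumption are both right; a wrong table would still decode to some bytes, but re-encoding readable text would not match the string found on the stack.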
0088D381 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94] //input
0088D387 52 PUSH EDX
0088D388 8D85 44FFFFFF LEA EAX,DWORD PTR SS:[EBP-BC] //output
0088D38E 50 PUSH EAX
0088D38F E8 9C110000 CALL CrackMe.0088E530 //base64, non-standard alphabet
0088E250 55 PUSH EBP
0088E251 8BEC MOV EBP,ESP
0088E253 6A FF PUSH -1
0088E255 68 1D8B8F00 PUSH CrackMe.008F8B1D
0088E25A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0088E260 50 PUSH EAX
0088E261 83EC 5C SUB ESP,5C
0088E264 A1 B0F08F00 MOV EAX,DWORD PTR DS:[8FF0B0]
0088E269 33C5 XOR EAX,EBP
0088E26B 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0088E26E 50 PUSH EAX
0088E26F 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0088E272 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
0088E278 C745 A0 00000000 MOV DWORD PTR SS:[EBP-60],0
0088E27F 6A 08 PUSH 8
0088E281 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0088E284 E8 47F3FFFF CALL CrackMe.0088D5D0
0088E289 C645 A4 70 MOV BYTE PTR SS:[EBP-5C],70 //custom base64 alphabet
0088E28D C645 A5 72 MOV BYTE PTR SS:[EBP-5B],72
0088E291 C645 A6 76 MOV BYTE PTR SS:[EBP-5A],76
0088E295 C645 A7 6F MOV BYTE PTR SS:[EBP-59],6F
0088E299 C645 A8 39 MOV BYTE PTR SS:[EBP-58],39
0088E29D C645 A9 43 MOV BYTE PTR SS:[EBP-57],43
0088E2A1 C645 AA 48 MOV BYTE PTR SS:[EBP-56],48
0088E2A5 C645 AB 53 MOV BYTE PTR SS:[EBP-55],53
0088E2A9 C645 AC 4A MOV BYTE PTR SS:[EBP-54],4A
0088E2AD C645 AD 4F MOV BYTE PTR SS:[EBP-53],4F
0088E2B1 C645 AE 63 MOV BYTE PTR SS:[EBP-52],63
0088E2B5 C645 AF 50 MOV BYTE PTR SS:[EBP-51],50
0088E2B9 C645 B0 49 MOV BYTE PTR SS:[EBP-50],49
0088E2BD C645 B1 62 MOV BYTE PTR SS:[EBP-4F],62
0088E2C1 C645 B2 36 MOV BYTE PTR SS:[EBP-4E],36
0088E2C5 C645 B3 78 MOV BYTE PTR SS:[EBP-4D],78
0088E2C9 C645 B4 52 MOV BYTE PTR SS:[EBP-4C],52
0088E2CD C645 B5 56 MOV BYTE PTR SS:[EBP-4B],56
0088E2D1 C645 B6 55 MOV BYTE PTR SS:[EBP-4A],55
0088E2D5 C645 B7 58 MOV BYTE PTR SS:[EBP-49],58
0088E2D9 C645 B8 51 MOV BYTE PTR SS:[EBP-48],51
0088E2DD C645 B9 7A MOV BYTE PTR SS:[EBP-47],7A
0088E2E1 C645 BA 30 MOV BYTE PTR SS:[EBP-46],30
0088E2E5 C645 BB 71 MOV BYTE PTR SS:[EBP-45],71
0088E2E9 C645 BC 42 MOV BYTE PTR SS:[EBP-44],42
0088E2ED C645 BD 47 MOV BYTE PTR SS:[EBP-43],47
0088E2F1 C645 BE 44 MOV BYTE PTR SS:[EBP-42],44
0088E2F5 C645 BF 45 MOV BYTE PTR SS:[EBP-41],45
0088E2F9 C645 C0 37 MOV BYTE PTR SS:[EBP-40],37
0088E2FD C645 C1 32 MOV BYTE PTR SS:[EBP-3F],32
0088E301 C645 C2 4C MOV BYTE PTR SS:[EBP-3E],4C
0088E305 C645 C3 4E MOV BYTE PTR SS:[EBP-3D],4E
0088E309 C645 C4 5A MOV BYTE PTR SS:[EBP-3C],5A
0088E30D C645 C5 64 MOV BYTE PTR SS:[EBP-3B],64
0088E311 C645 C6 75 MOV BYTE PTR SS:[EBP-3A],75
0088E315 C645 C7 61 MOV BYTE PTR SS:[EBP-39],61
0088E319 C645 C8 65 MOV BYTE PTR SS:[EBP-38],65
0088E31D C645 C9 66 MOV BYTE PTR SS:[EBP-37],66
0088E321 C645 CA 59 MOV BYTE PTR SS:[EBP-36],59
0088E325 C645 CB 54 MOV BYTE PTR SS:[EBP-35],54
0088E329 C645 CC 35 MOV BYTE PTR SS:[EBP-34],35
0088E32D C645 CD 4B MOV BYTE PTR SS:[EBP-33],4B
0088E331 C645 CE 5F MOV BYTE PTR SS:[EBP-32],5F
0088E335 C645 CF 38 MOV BYTE PTR SS:[EBP-31],38
0088E339 C645 D0 2D MOV BYTE PTR SS:[EBP-30],2D
0088E33D C645 D1 34 MOV BYTE PTR SS:[EBP-2F],34
0088E341 C645 D2 46 MOV BYTE PTR SS:[EBP-2E],46
0088E345 C645 D3 41 MOV BYTE PTR SS:[EBP-2D],41
0088E349 C645 D4 68 MOV BYTE PTR SS:[EBP-2C],68
0088E34D C645 D5 6C MOV BYTE PTR SS:[EBP-2B],6C
0088E351 C645 D6 69 MOV BYTE PTR SS:[EBP-2A],69
0088E355 C645 D7 6D MOV BYTE PTR SS:[EBP-29],6D
0088E359 C645 D8 6A MOV BYTE PTR SS:[EBP-28],6A
0088E35D C645 D9 6B MOV BYTE PTR SS:[EBP-27],6B
0088E361 C645 DA 6E MOV BYTE PTR SS:[EBP-26],6E
0088E365 C645 DB 67 MOV BYTE PTR SS:[EBP-25],67
0088E369 C645 DC 74 MOV BYTE PTR SS:[EBP-24],74
0088E36D C645 DD 31 MOV BYTE PTR SS:[EBP-23],31
0088E371 C645 DE 79 MOV BYTE PTR SS:[EBP-22],79
0088E375 C645 DF 4D MOV BYTE PTR SS:[EBP-21],4D
0088E379 C645 E0 57 MOV BYTE PTR SS:[EBP-20],57
0088E37D C645 E1 73 MOV BYTE PTR SS:[EBP-1F],73
0088E381 C645 E2 33 MOV BYTE PTR SS:[EBP-1E],33
0088E385 C645 E3 77 MOV BYTE PTR SS:[EBP-1D],77
0088E389 C645 E4 21 MOV BYTE PTR SS:[EBP-1C],21