[原创]签到题wp-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]签到题wp

发表于: 2022-5-18 12:12 3107

[原创]签到题wp

wx_123456

2022-5-18 12:12

3107

ida打开，check的消息处理有一段乱码，估计被加密了。

动态调试，如果输入了正确的序列号，代码就会被解密。接着再反编译，思路就很明确了。

int __cdecl sub_401340(HWND hDlg)
{
  int result; // eax
  int Value; // [esp+20h] [ebp-3B8h]
  int v3; // [esp+2Ch] [ebp-3ACh]
  int v4; // [esp+34h] [ebp-3A4h]
  signed int v5; // [esp+38h] [ebp-3A0h]
  int v6; // [esp+3Ch] [ebp-39Ch]
  HWND hWnd; // [esp+4Ch] [ebp-38Ch]
  HWND hWnda; // [esp+4Ch] [ebp-38Ch]
  char Buffer; // [esp+54h] [ebp-384h] BYREF
  char v10[199]; // [esp+55h] [ebp-383h] BYREF
  CHAR v11; // [esp+11Ch] [ebp-2BCh] BYREF
  char v12[199]; // [esp+11Dh] [ebp-2BBh] BYREF
  char v13[36]; // [esp+1E4h] [ebp-1F4h] BYREF
  int v14[50]; // [esp+208h] [ebp-1D0h] BYREF
  CHAR String; // [esp+2D0h] [ebp-108h] BYREF
  char v16[199]; // [esp+2D1h] [ebp-107h] BYREF
  char v17[16]; // [esp+398h] [ebp-40h] BYREF
  char Destination; // [esp+3A8h] [ebp-30h] BYREF
  int v19; // [esp+3A9h] [ebp-2Fh]
  int v20; // [esp+3ADh] [ebp-2Bh]
  int v21; // [esp+3B1h] [ebp-27h]
  int v22; // [esp+3B5h] [ebp-23h]
  __int16 v23; // [esp+3B9h] [ebp-1Fh]
  char v24; // [esp+3BBh] [ebp-1Dh]
  CPPEH_RECORD ms_exc; // [esp+3C0h] [ebp-18h]
 
  v11 = 0;
  memset(v12, 0, sizeof(v12));
  LOBYTE(v14[0]) = 0;
  memset((char *)v14 + 1, 0, 0xC7u);
  Buffer = 0;
  memset(v10, 0, sizeof(v10));
  String = 0;
  memset(v16, 0, sizeof(v16));
  strcpy(v17, "www.pediy.com");
  Destination = 0;
  v19 = 0;
  v20 = 0;
  v21 = 0;
  v22 = 0;
  v23 = 0;
  v24 = 0;
  strcpy(v13, "23456781ABCDEFGHJKLMNPQRSTUVWXYZ");
  v5 = GetDlgItemTextA(hDlg, 1001, &String, 201);
  v6 = GetDlgItemTextA(hDlg, 1000, &v11, 201);
  if ( v5 > 14 || v6 == 0 )
  {
    SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    hWnd = GetDlgItem(hDlg, 1014);
    EnableWindow(hWnd, 0);
    result = 0;
  }
  else
  {
    v14[0] = *(_DWORD *)&v16[9];
    v3 = sub_4034AD((int)v14);//序列号的后四位
    if ( dword_413000 )
      sub_4017E0(loc_4015D2, &loc_401767 - (_UNKNOWN *)loc_4015D2, v3);//解密代码
    ms_exc.registration.TryLevel = 0;
    Value = sub_401260(&v11, v6);
    strncpy(&Destination, &String, v5 - 4);
    _ultoa(Value, &Buffer, 10);
    dword_413000 = 0;
    v4 = strcmp(&Buffer, &Destination);//Buffer即序列号的前十位
    if ( v4 )
      v4 = v4 < 0 ? -1 : 1;
    if ( v4 )
      SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    else
      SetDlgItemTextA(hDlg, 1001, "Success!");//成功
    hWnda = GetDlgItem(hDlg, 1014);
    EnableWindow(hWnda, 0);
    ms_exc.registration.TryLevel = -2;
    result = 0;
  }
  return result;
}