好友
阅读权限30
听众
最后登录1970-1-1
|
原帖地址:
"几个入门级CTF题目,希望写下解题思路"
https://www.52pojie.cn/forum.php?mod=viewthread&tid=801805&page=1#pid21986217
其中第5题用IDA载入:
[Asm] 纯文本查看 复制代码 .text:00401490 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401490 _main proc near ; CODE XREF: start+AF↓p
.text:00401490
.text:00401490 var_31 = byte ptr -31h
.text:00401490 var_30 = dword ptr -30h
.text:00401490 var_2C = byte ptr -2Ch
.text:00401490 var_28 = dword ptr -28h
.text:00401490 var_24 = dword ptr -24h
.text:00401490 var_1C = byte ptr -1Ch
.text:00401490 var_C = dword ptr -0Ch
.text:00401490 var_4 = dword ptr -4
.text:00401490 argc = dword ptr 4
.text:00401490 argv = dword ptr 8
.text:00401490 envp = dword ptr 0Ch
.text:00401490
.text:00401490 ; FUNCTION CHUNK AT .text:0040FCD0 SIZE 00000010 BYTES
.text:00401490
.text:00401490 ; __unwind { // _main_SEH
.text:00401490 push 0FFFFFFFFh
.text:00401492 push offset _main_SEH
.text:00401497 mov eax, large fs:0
.text:0040149D push eax
.text:0040149E mov large fs:0, esp
.text:004014A5 sub esp, 28h
.text:004014A8 mov al, [esp+34h+var_31]
.text:004014AC push ebp
.text:004014AD push esi
.text:004014AE push edi
.text:004014AF push 0
.text:004014B1 lea ecx, [esp+44h+var_2C]
.text:004014B5 mov [esp+44h+var_2C], al
.text:004014B9 call ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(bool)
.text:004014BE mov [esp+40h+var_4], 0
.text:004014C6
.text:004014C6 loc_4014C6: ; CODE XREF: _main+1C2↓j
.text:004014C6 ; _main+1D5↓j
.text:004014C6 push offset aPleaseInputYou ; "Please input your key: "
.text:004014CB push offset dword_415D00
.text:004014D0 call sub_402080
.text:004014D5 lea ecx, [esp+48h+var_2C]
.text:004014D9 push ecx
.text:004014DA push offset dword_415D90
.text:004014DF call sub_402310
.text:004014E4 mov eax, [esp+50h+var_24]
.text:004014E8 add esp, 10h
.text:004014EB xor ebp, ebp
.text:004014ED test eax, eax
.text:004014EF jbe short loc_401566
.text:004014F1 mov eax, dword_415C58
.text:004014F6
.text:004014F6 loc_4014F6: ; CODE XREF: _main+D4↓j
.text:004014F6 xor edi, edi
.text:004014F8 test eax, eax
.text:004014FA jbe short loc_40155D
.text:004014FC
.text:004014FC loc_4014FC: ; CODE XREF: _main+CB↓j
.text:004014FC cmp [esp+40h+var_24], ebp
.text:00401500 jb short loc_401521
.text:00401502 mov ecx, [esp+40h+var_28]
.text:00401506 test ecx, ecx
.text:00401508 jz short loc_401521
.text:0040150A lea ecx, [esp+40h+var_2C]
.text:0040150E call ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Freeze(void)
.text:00401513 mov edx, [esp+40h+var_28]
.text:00401517 mov eax, dword_415C58
.text:0040151C lea esi, [edx+ebp]
.text:0040151F jmp short loc_401526
.text:00401521 ; ---------------------------------------------------------------------------
.text:00401521
.text:00401521 loc_401521: ; CODE XREF: _main+70↑j
.text:00401521 ; _main+78↑j
.text:00401521 mov esi, offset unk_411100
.text:00401526
.text:00401526 loc_401526: ; CODE XREF: _main+8F↑j
.text:00401526 cmp eax, edi
.text:00401528 jb short loc_401546
.text:0040152A mov eax, dword_415C54
.text:0040152F test eax, eax
.text:00401531 jz short loc_401546
.text:00401533 mov ecx, offset byte_415C50
.text:00401538 call ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Freeze(void)
.text:0040153D mov eax, dword_415C54
.text:00401542 add eax, edi
.text:00401544 jmp short loc_40154B
.text:00401546 ; ---------------------------------------------------------------------------
.text:00401546
.text:00401546 loc_401546: ; CODE XREF: _main+98↑j
.text:00401546 ; _main+A1↑j
.text:00401546 mov eax, offset unk_411100
.text:0040154B
.text:0040154B loc_40154B: ; CODE XREF: _main+B4↑j
.text:0040154B mov cl, [eax]
.text:0040154D mov al, [esi]
.text:0040154F xor al, cl ; 算法
.text:00401551 inc edi
.text:00401552 mov [esi], al
.text:00401554 mov eax, dword_415C58
.text:00401559 cmp edi, eax
.text:0040155B jb short loc_4014FC
.text:0040155D
.text:0040155D loc_40155D: ; CODE XREF: _main+6A↑j
.text:0040155D mov ecx, [esp+40h+var_24]
.text:00401561 inc ebp
.text:00401562 cmp ebp, ecx
.text:00401564 jb short loc_4014F6
.text:00401566
.text:00401566 loc_401566: ; CODE XREF: _main+5F↑j
.text:00401566 mov dl, [esp+40h+var_2C]
.text:0040156A sub esp, 10h
.text:0040156D mov esi, esp
.text:0040156F mov [esp+50h+var_30], esp
.text:00401573 push 0
.text:00401575 mov ecx, esi
.text:00401577 mov [esi], dl
.text:00401579 call ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(bool)
.text:0040157E mov eax, ds:dword_411104
.text:00401583 lea ecx, [esp+50h+var_2C]
.text:00401587 push eax
.text:00401588 push 0
.text:0040158A push ecx
.text:0040158B mov ecx, esi
.text:0040158D call sub_4018D0
.text:00401592 lea edx, [esp+50h+var_1C]
.text:00401596 push edx
.text:00401597 call sub_4012A0 ; base64
.text:0040159C add esp, 14h
.text:0040159F mov ecx, ds:dword_411104
.text:004015A5 mov byte ptr [esp+40h+var_4], 1
.text:004015AA push ecx
.text:004015AB push 0
.text:004015AD push eax
.text:004015AE lea ecx, [esp+4Ch+var_2C]
.text:004015B2 call sub_4018D0
.text:004015B7 push 1
.text:004015B9 lea ecx, [esp+44h+var_1C]
.text:004015BD mov byte ptr [esp+44h+var_4], 0
.text:004015C2 call ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(bool)
.text:004015C7 mov eax, dword_415C44
.text:004015CC mov ebp, dword_415C48
.text:004015D2 test eax, eax
.text:004015D4 jnz short loc_4015DB
.text:004015D6 mov eax, offset unk_411100
.text:004015DB
.text:004015DB loc_4015DB: ; CODE XREF: _main+144↑j
.text:004015DB mov edx, [esp+40h+var_24]
.text:004015DF cmp edx, ebp
.text:004015E1 mov ecx, edx
.text:004015E3 jb short loc_4015E7
.text:004015E5 mov ecx, ebp
.text:004015E7
.text:004015E7 loc_4015E7: ; CODE XREF: _main+153↑j
.text:004015E7 mov esi, [esp+40h+var_28]
.text:004015EB mov edi, eax
.text:004015ED xor eax, eax
.text:004015EF repe cmpsb
.text:004015F1 jz short loc_4015F8
.text:004015F3 sbb eax, eax
.text:004015F5 sbb eax, 0FFFFFFFFh
.text:004015F8
.text:004015F8 loc_4015F8: ; CODE XREF: _main+161↑j
.text:004015F8 test eax, eax
.text:004015FA jnz short loc_401609
.text:004015FC cmp edx, ebp
.text:004015FE jb short loc_401609
.text:00401600 cmp edx, ebp
.text:00401602 setnz al
.text:00401605 test eax, eax
.text:00401607 jz short loc_40166A
.text:00401609
.text:00401609 loc_401609: ; CODE XREF: _main+16A↑j
.text:00401609 ; _main+16E↑j
.text:00401609 push offset aTryItAgain ; "Try it again."
.text:0040160E push offset dword_415D00
.text:00401613 call sub_402080
.text:00401618 add esp, 8
.text:0040161B mov esi, eax
.text:0040161D mov ecx, esi
.text:0040161F push 0Ah
.text:00401621 call sub_401760
.text:00401626 mov edx, [esi]
.text:00401628 xor edi, edi
.text:0040162A mov eax, [edx+4]
.text:0040162D add eax, esi
.text:0040162F test byte ptr [eax+4], 6
.text:00401633 jnz short loc_401649
.text:00401635 mov eax, [eax+28h]
.text:00401638 mov ecx, eax
.text:0040163A mov edx, [eax]
.text:0040163C call dword ptr [edx+2Ch]
.text:0040163F cmp eax, 0FFFFFFFFh
.text:00401642 jnz short loc_401649
.text:00401644 mov edi, 4
.text:00401649
.text:00401649 loc_401649: ; CODE XREF: _main+1A3↑j
.text:00401649 ; _main+1B2↑j
.text:00401649 mov eax, [esi]
.text:0040164B mov ecx, [eax+4]
.text:0040164E add ecx, esi
.text:00401650 test edi, edi
.text:00401652 jz loc_4014C6
.text:00401658 mov edx, [ecx+4]
.text:0040165B push 0
.text:0040165D or edx, edi
.text:0040165F push edx
.text:00401660 call sub_401BA0
.text:00401665 jmp loc_4014C6
.text:0040166A ; ---------------------------------------------------------------------------
.text:0040166A
.text:0040166A loc_40166A: ; CODE XREF: _main+177↑j
.text:0040166A push offset aSuccess ; "Success."
.text:0040166F push offset dword_415D00
.text:00401674 call sub_402080
.text:00401679 add esp, 8
.text:0040167C mov esi, eax
.text:0040167E mov ecx, esi
.text:00401680 push 0Ah
.text:00401682 call sub_401760
.text:00401687 mov eax, [esi]
.text:00401689 xor edi, edi
.text:0040168B mov ecx, [eax+4]
.text:0040168E lea eax, [ecx+esi]
.text:00401691 mov cl, [ecx+esi+4]
.text:00401695 test cl, 6
.text:00401698 jnz short loc_4016AE
.text:0040169A mov eax, [eax+28h]
.text:0040169D mov ecx, eax
.text:0040169F mov edx, [eax]
.text:004016A1 call dword ptr [edx+2Ch]
.text:004016A4 cmp eax, 0FFFFFFFFh
.text:004016A7 jnz short loc_4016AE
.text:004016A9 mov edi, 4
.text:004016AE
.text:004016AE loc_4016AE: ; CODE XREF: _main+208↑j
.text:004016AE ; _main+217↑j
.text:004016AE mov eax, [esi]
.text:004016B0 mov ecx, [eax+4]
.text:004016B3 add ecx, esi
.text:004016B5 test edi, edi
.text:004016B7 jz short loc_4016C6
.text:004016B9 mov edx, [ecx+4]
.text:004016BC push 0
.text:004016BE or edx, edi
.text:004016C0 push edx
.text:004016C1 call sub_401BA0
.text:004016C6
.text:004016C6 loc_4016C6: ; CODE XREF: _main+227↑j
.text:004016C6 push offset aPause ; "pause"
.text:004016CB call _system
.text:004016D0 mov ecx, [esp+44h+var_28]
.text:004016D4 add esp, 4
.text:004016D7 test ecx, ecx
.text:004016D9 jz short loc_401709
.text:004016DB mov al, [ecx-1]
.text:004016DE test al, al
.text:004016E0 jz short loc_4016FF
.text:004016E2 cmp al, 0FFh
.text:004016E4 jz short loc_4016FF
.text:004016E6 dec al
.text:004016E8 mov [ecx-1], al
.text:004016EB xor eax, eax
.text:004016ED mov ecx, [esp+40h+var_C]
.text:004016F1 mov large fs:0, ecx
.text:004016F8 pop edi
.text:004016F9 pop esi
.text:004016FA pop ebp
.text:004016FB add esp, 34h
.text:004016FE retn
.text:004016FF ; ---------------------------------------------------------------------------
.text:004016FF
.text:004016FF loc_4016FF: ; CODE XREF: _main+250↑j
.text:004016FF ; _main+254↑j
.text:004016FF dec ecx
.text:00401700 push ecx ; void *
.text:00401701 call ??3@YAXPAX@Z ; operator delete(void *)
.text:00401706 add esp, 4
.text:00401709
.text:00401709 loc_401709: ; CODE XREF: _main+249↑j
.text:00401709 mov ecx, [esp+40h+var_C]
.text:0040170D pop edi
.text:0040170E pop esi
.text:0040170F xor eax, eax
.text:00401711 mov large fs:0, ecx
.text:00401718 pop ebp
.text:00401719 add esp, 34h
.text:0040171C retn
.text:0040171C ; } // starts at 401490
.text:0040171C _main endp
搜索字符串发现 "Try it again.","Success."定位到代码
[Asm] 纯文本查看 复制代码 .text:00401600 cmp edx, ebp
.text:00401602 setnz al
.text:00401605 test eax, eax
.text:00401607 jz short loc_40166A
al 为“0” 跳转成功则"Success."
再向上找:
[Asm] 纯文本查看 复制代码 .text:0040154B mov cl, [eax]
.text:0040154D mov al, [esi]
.text:0040154F xor al, cl ; 算法
.text:00401551 inc edi
.text:00401552 mov [esi], al
.text:00401554 mov eax, dword_415C58
.text:00401559 cmp edi, eax
.text:0040155B jb short loc_4014FC
经调试发现算法
注册码依次和字符串"main"异或,然后base64编码和“ bWdqbHBPOEY/VHM6Uj9UfD9FeF5Cdg==“ 比较。
逆向比较有趣,先对“ bWdqbHBPOEY/VHM6Uj9UfD9FeF5Cdg==“解码。得到 "MGJL&?;293?2~bd9am`gxa?`g" 接着对00401579 下断。
[Asm] 纯文本查看 复制代码 004014E4 mov eax, [esp+50h+var_24]
获得flag.
|
免费评分
-
查看全部评分
|
发表于 2018-10-6 10:17
发表于 2018-10-6 11:05
|
发表于 2018-10-6 11:16
