首页
论坛
课程
招聘
[原创]CTF2017_fpu 分析过程
2017-10-27 13:46 1495

[原创]CTF2017_fpu 分析过程

2017-10-27 13:46
1495

CTF2017_fpu 分析过程

1.IDA分析

根据字符串常量" Please input your code: ",找到输入字符串的地方

.text:00401050 var_C           = dword ptr -0Ch

.text:00401050

.text:00401050                 sub     esp, 0Ch

.text:00401053                 push    offset aCodedByFpc_ ; " Coded by Fpc.\n\n"

.text:00401058                 call    sub_413D42

.text:0040105D                 add     esp, 4

.text:00401060                 push    offset aPleaseInputYou ; " Please input your code: "

.text:00401065                 call    sub_413D42

.text:0040106A                 add     esp, 4

.text:0040106D                 lea     eax, [esp+0Ch+var_C]

.text:00401071                 push    eax

.text:00401072                 push    offset aS       ; "%s"

.text:00401077                 call    _scanf

.text:0040107C                 lea     eax, [esp+14h+var_C]

.text:00401080                 add     esp, 14h

.text:00401083                 retn

.text:00401083 sub_401050      endp

2.随便输入12345678,找到两个处理返回值的地方

.text:0040101C                 call    sub_401090

.text:00401021                 call    sub_4010E0

void sub_401090()

{

  int v0; // [sp+4h] [bp-8h]@0

  int v1; // [sp+8h] [bp-4h]@0

  if ( v1 && v0 && v1 != v0 && 5 * (v1 - v0) + v1 == 0x8F503A42 && 13 * (v1 - v0) + v0 == 0xEF503A42 )

    --dword_41B034;

}

void sub_4010E0()

{

  int v0; // [sp+4h] [bp-8h]@0

  int v1; // [sp+8h] [bp-4h]@0

  if ( v1 && v0 && v1 != v0 && 17 * (v1 - v0) + v1 == 0xF3A94883 && 7 * (v1 - v0) + v0 == 0x33A94883 )

    --dword_41B034;

}

初次采用穷举

写了个C程序

X 和Y从0x20202020到0x7F7F7F7F7F,穷举无果。

后来根据公式化简,采用计算器

11(y-x)=c0000000  4(y-x)=70000000    y-x = 1c000000,

算出一个x= 0xe7503a42,y = 03503a42,多次验证不正确。

3.

后来拖动IDA,发现00403131可疑。

.text:00413131                 db 83h, 0C4h, 0F0h

.text:00413134                 dd 20712A70h, 0F1C75F2h, 28741C71h, 2E0671DDh, 870F574h

.text:00413134                 dd 74F17169h, 0DC167002h, 0EA74C033h, 0DC261275h,

4.经过调试发现scanf 存储字符串的地址在栈中

00401077  |.  E8 F72C0100   call ctf2017_.00413D73

0040107C  |.  8D4424 08     lea eax,dword ptr ss:[esp+0x8]

00401080  |.  83C4 14       add esp,0x14

00401083  \.  C3            retn

0018FF34   0041B08C  ASCII "%s"

0018FF38   0018FF3C  ASCII "12345678"

0018FF3C   34333231

0018FF40   38373635

0018FF44   00401000  Entry address

0018FF48   0040101C  RETURN to ctf2017_.0040101C from ctf2017_.00401050

0018FF4C   00413E3E  RETURN to ctf2017_.00413E3E from ctf2017_.00401000

返回到00413131的话,最后输入的字符需要为”11A”

这次多输入几个12341234123411A

来到00413131

00413131    83C4 F0         add esp,-0x10

00413134    70 2A           jo short ctf2017_.00413160

00413136    71 20           jno short ctf2017_.00413158

00413138    f2:75 1c        repne jne short 00413157

0041313B    0f              db 0f

0041313C    71 1C           jno short ctf2017_.0041315A

0041313E    74 28           je short ctf2017_.00413168

进过混淆,单步跟踪

........

00413184    A3 34B04100     mov dword ptr ds:[0x41B034],eax

...

004131BA    58              pop eax

004131EB    8BC8            mov ecx,eax

0041321F    58              pop eax

00413254    8BD8            mov ebx,eax

00413289    58              pop eax

004132B5    8BD0            mov edx,eax

004132AD    8BD0            mov edx,eax

004132E2    8BC1            mov eax,ecx

00413316    2BC3            sub eax,ebx

00413349    C1E0 02         shl eax,0x2

00413380    03C1            add eax,ecx

.........

004133E9    2D E217F9EA     sub eax,0xEAF917E2

((x - y) *4) + x + z== 0xEAF917E2

((x - y) *2) + (x - y) + x + z == 0xE8F508C8

((x - y) *2 + (x - y) + x - z == 0C0A3C68

2Z=  0xE8F508C8 - 0x0C0A3C68 = DCEACC60    z= 6E756630

X = 7473754A   Y = 726F65E8    z= 6E756630

结果Just0for0fun11A


[培训]12月3日2020京麒网络安全大会《物联网安全攻防实战》训练营,正在火热报名中!地点:北京 · 新云南皇冠假日酒店

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回