
[原创]第1、3题(补)

2017-10-28 20:20
1192


第一题 Hello-ctf


送分题,明码比较

00401854  |> \68 80354000   push    00403580                         ; /welcometokanxuectf2017
00401859  |.  8B55 F8       mov     edx, dword ptr [ebp-0x8]         ; |
0040185C  |.  52            push    edx                              ; |s1
0040185D  |.  E8 2E060000   call    <jmp.&MSVCRT.strcmp>             ; \strcmp

注册码:WelcomeToKanXueCtf2017


第三题 crackMe


一、查找字符串 ok,定位到下面这段代码
011F505F   .  8BF4          mov     esi, esp
011F5061   .  68 01040000   push    0x401                            ; /Count = 401 (1025.)
011F5066   .  8D85 D8F7FFFF lea     eax, dword ptr [ebp-0x828]       ; |
011F506C   .  50            push    eax                              ; |Buffer
011F506D   .  68 E9030000   push    0x3E9                            ; |ControlID = 3E9 (1001.)
011F5072   .  8B4D 08       mov     ecx, dword ptr [ebp+0x8]         ; |
011F5075   .  51            push    ecx                              ; |hWnd
011F5076   .  FF15 70F52501 call    dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA   # 获取输入 sn
011F507C   .  3BF4          cmp     esi, esp
011F507E   .  E8 CE8DFFFF   call    011EDE51
011F5083   .  8985 E0FBFFFF mov     dword ptr [ebp-0x420], eax
011F5089   .  C685 C8EFFFFF>mov     byte ptr [ebp-0x1038], 0x0
011F5090   .  68 FF030000   push    0x3FF
011F5095   .  6A 00         push    0x0
011F5097   .  8D85 C9EFFFFF lea     eax, dword ptr [ebp-0x1037]
011F509D   .  50            push    eax
011F509E   .  E8 4385FFFF   call    011ED5E6
011F50A3   .  83C4 0C       add     esp, 0xC
011F50A6   .  8D85 D0F3FFFF lea     eax, dword ptr [ebp-0xC30]
011F50AC   .  50            push    eax
011F50AD   .  68 00040000   push    0x400
011F50B2   .  8D8D D8F7FFFF lea     ecx, dword ptr [ebp-0x828]
011F50B8   .  51            push    ecx
011F50B9   .  E8 A981FFFF   call    011ED267                         # Base64解码sn
011F50BE   .  83C4 0C       add     esp, 0xC
011F50C1   .  C685 C0EBFFFF>mov     byte ptr [ebp-0x1440], 0x0
011F50C8   .  68 FF030000   push    0x3FF
011F50CD   .  6A 00         push    0x0
011F50CF   .  8D85 C1EBFFFF lea     eax, dword ptr [ebp-0x143F]
011F50D5   .  50            push    eax
011F50D6   .  E8 0B85FFFF   call    011ED5E6
011F50DB   .  83C4 0C       add     esp, 0xC
011F50DE   .  8D85 C8EFFFFF lea     eax, dword ptr [ebp-0x1038]
011F50E4   .  50            push    eax
011F50E5   .  68 00040000   push    0x400
011F50EA   .  8D8D D0F3FFFF lea     ecx, dword ptr [ebp-0xC30]
011F50F0   .  51            push    ecx
011F50F1   .  E8 7181FFFF   call    011ED267                        # 再解一次
011F50F6   .  83C4 0C       add     esp, 0xC
011F50F9   .  68 00040000   push    0x400
011F50FE   .  8D85 C0EBFFFF lea     eax, dword ptr [ebp-0x1440]
011F5104   .  50            push    eax
011F5105   .  8D8D C8EFFFFF lea     ecx, dword ptr [ebp-0x1038]
011F510B   .  51            push    ecx
011F510C   .  E8 5988FFFF   call    011ED96A                        # 摩斯电码解码
011F5111   .  83C4 0C       add     esp, 0xC
011F5114   .  C785 B4EBFFFF>mov     dword ptr [ebp-0x144C], 0x3
011F511E   .  8D85 8CEBFFFF lea     eax, dword ptr [ebp-0x1474]
011F5124   .  50            push    eax
011F5125   .  8B8D B4EBFFFF mov     ecx, dword ptr [ebp-0x144C]
011F512B   .  51            push    ecx
011F512C   .  8D95 C8EFFFFF lea     edx, dword ptr [ebp-0x1038]
011F5132   .  52            push    edx
011F5133   .  E8 4089FFFF   call    011EDA78                        # 得到hash值
011F5138   .  83C4 0C       add     esp, 0xC
011F513B   .  C785 78E7FFFF>mov     dword ptr [ebp-0x1888], 0x0
011F5145   .  EB 0F         jmp     short 011F5156
011F5147   >  8B85 78E7FFFF mov     eax, dword ptr [ebp-0x1888]
011F514D   .  83C0 01       add     eax, 0x1
011F5150   .  8985 78E7FFFF mov     dword ptr [ebp-0x1888], eax
011F5156   >  83BD 78E7FFFF>cmp     dword ptr [ebp-0x1888], 0x20
011F515D   .  7D 2C         jge     short 011F518B
011F515F   .  8B85 78E7FFFF mov     eax, dword ptr [ebp-0x1888]
011F5165   .  0FB68C05 8CEB>movzx   ecx, byte ptr [ebp+eax-0x1474]
011F516D   .  51            push    ecx
011F516E   .  68 A4B12401   push    0124B1A4                         ;  %02x
011F5173   .  8B95 78E7FFFF mov     edx, dword ptr [ebp-0x1888]
011F5179   .  8D8455 84E7FF>lea     eax, dword ptr [ebp+edx*2-0x187C>
011F5180   .  50            push    eax
011F5181   .  E8 7F8DFFFF   call    011EDF05                        # hash值格式化成字符串进行比较
011F5186   .  83C4 0C       add     esp, 0xC
011F5189   .^ EB BC         jmp     short 011F5147
011F518B   >  8D85 84E7FFFF lea     eax, dword ptr [ebp-0x187C]
011F5191   .  50            push    eax
011F5192   .  E8 FD85FFFF   call    011ED794
011F5197   .  83C4 04       add     esp, 0x4
011F519A   .  50            push    eax
011F519B   .  8D8D D8F7FFFF lea     ecx, dword ptr [ebp-0x828]
011F51A1   .  51            push    ecx
011F51A2   .  E8 ED85FFFF   call    011ED794
011F51A7   .  83C4 04       add     esp, 0x4
011F51AA   .  8DB405 D8F7FF>lea     esi, dword ptr [ebp+eax-0x828]
011F51B1   .  8D95 84E7FFFF lea     edx, dword ptr [ebp-0x187C]
011F51B7   .  52            push    edx
011F51B8   .  E8 D785FFFF   call    011ED794
011F51BD   .  83C4 04       add     esp, 0x4
011F51C0   .  2BF0          sub     esi, eax
011F51C2   .  56            push    esi
011F51C3   .  8D85 84E7FFFF lea     eax, dword ptr [ebp-0x187C]
011F51C9   .  50            push    eax
011F51CA   .  E8 5889FFFF   call    011EDB27                        # strncmp,比较输入的sn的后64位和上面得到的hash字符串
011F51CF   .  83C4 0C       add     esp, 0xC
011F51D2   .  85C0          test    eax, eax
011F51D4   .  75 3E         jnz     short 011F5214                  # 校验成功就进入下面的迷宫
011F51D6   .  E8 D97EFFFF   call    011ED0B4
011F51DB   .  8D85 C0EBFFFF lea     eax, dword ptr [ebp-0x1440]
011F51E1   .  50            push    eax                             # 经过base64两次解码,摩斯电码解码后的真实注册码
011F51E2   .  68 00B02501   push    0125B000                        # 迷宫地图
011F51E7   .  E8 BF87FFFF   call    011ED9AB                        # 走迷宫
011F51EC   .  83C4 08       add     esp, 0x8
011F51EF   .  0FB6C8        movzx   ecx, al
011F51F2   .  83F9 01       cmp     ecx, 0x1
011F51F5   .  75 1D         jnz     short 011F5214
011F51F7   .  8BF4          mov     esi, esp
011F51F9   .  6A 00         push    0x0                              ; /Style = MB_OK|MB_APPLMODAL
011F51FB   .  68 98B12401   push    0124B198                         ; |crackme
011F5200   .  68 94B12401   push    0124B194                         ; |ok
011F5205   .  6A 00         push    0x0                              ; |hOwner = NULL
011F5207   .  FF15 88F52501 call    dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
011F520D   .  3BF4          cmp     esi, esp
011F520F   .  E8 3D8CFFFF   call    011EDE51
011F5214   >  B8 01000000   mov     eax, 0x1
011F5219   .  EB 02         jmp     short 011F521D



二、迷宫地图
0125B000  00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  .............
0125B010  01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ............
0125B020  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B030  01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ............
0125B040  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B050  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B060  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ...............
0125B070  01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ............
0125B080  01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  .............
0125B090  01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ..............
0125B0A0  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B0B0  01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ..............
0125B0C0  00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  ..............
0125B0D0  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B0E0  01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00  .............
0125B0F0  01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00  .............
0125B100  01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  .............
0125B110  00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  ..............
0125B120  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ...............
0125B130  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ..............
0125B140  01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ............
0125B150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0125B160  01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00  .............
0125B170  01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ............
0125B180  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0125B190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0125B1A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0125B1B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0125B1C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................



简化后看得更清楚一点
每 4 个字节(一个 dword)表示一个格子,共 10×10 个格子
0111111110
0011111000
1000001011
1111101001
1000101001
1010001011
1011111001
1000011100
1111000010
1111111000

三、走迷宫的方法 
跟进 011ED9AB
011F5528  |>  8B45 0C       /mov     eax, dword ptr [ebp+0xC]
011F552B  |. |0FBE08        |movsx   ecx, byte ptr [eax]             # 遇到sn[i] == 0x20空格的时候就停止
011F552E  |. |83F9 20       |cmp     ecx, 0x20
011F5531  |. |0F84 2C010000 |je      011F5663                      # 这里有个bug?
011F5537  |. |837D F8 08    |cmp     dword ptr [ebp-0x8], 0x8
011F553B  |. |75 0A         |jnz     short 011F5547
011F553D  |. |837D EC 03    |cmp     dword ptr [ebp-0x14], 0x3
011F5541  |. |0F84 0E010000 |je      011F5655
011F5547  |> |8B45 0C       |mov     eax, dword ptr [ebp+0xC]
011F554A  |. |0FBE08        |movsx   ecx, byte ptr [eax]
011F554D  |. |83F9 7A       |cmp     ecx, 0x7A
011F5550  |. |75 32         |jnz     short 011F5584                # sn[i] == 'z'
011F5552  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F5555  |. |0345 D4       |add     eax, dword ptr [ebp-0x2C]
011F5558  |. |83F8 0A       |cmp     eax, 0xA
011F555B  |. |7D 20         |jge     short 011F557D                # 不能超过行
011F555D  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F5560  |. |0345 D4       |add     eax, dword ptr [ebp-0x2C]
011F5563  |. |6BC0 28       |imul    eax, eax, 0x28                # 这里就可以看出0x28/4=0x0a,10个元素为一行的地图
011F5566  |. |0345 08       |add     eax, dword ptr [ebp+0x8]      # 定位到行
011F5569  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F556C  |. |833C88 00     |cmp     dword ptr [eax+ecx*4], 0x0    # 定位到当前格子,为0才能走,为1就失败
011F5570  |. |75 09         |jnz     short 011F557B
011F5572  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F5575  |. |0345 D4       |add     eax, dword ptr [ebp-0x2C]     # 'z'是往下
011F5578  |. |8945 EC       |mov     dword ptr [ebp-0x14], eax
011F557B  |> |EB 07         |jmp     short 011F5584
011F557D  |> |32C0          |xor     al, al
011F557F  |. |E9 E1000000   |jmp     011F5665
011F5584  |> |8B45 0C       |mov     eax, dword ptr [ebp+0xC]
011F5587  |. |0FBE08        |movsx   ecx, byte ptr [eax]
011F558A  |. |83F9 6C       |cmp     ecx, 0x6C
011F558D  |. |75 45         |jnz     short 011F55D4                # 'l'是往右 
011F558F  |. |8B45 F8       |mov     eax, dword ptr [ebp-0x8]
011F5592  |. |0345 BC       |add     eax, dword ptr [ebp-0x44]
011F5595  |. |83F8 0A       |cmp     eax, 0xA
011F5598  |. |7D 3A         |jge     short 011F55D4
011F559A  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F559D  |. |6BC0 28       |imul    eax, eax, 0x28
011F55A0  |. |0345 08       |add     eax, dword ptr [ebp+0x8]
011F55A3  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F55A6  |. |034D BC       |add     ecx, dword ptr [ebp-0x44]
011F55A9  |. |833C88 00     |cmp     dword ptr [eax+ecx*4], 0x0
011F55AD  |. |75 1E         |jnz     short 011F55CD
011F55AF  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F55B2  |. |6BC0 28       |imul    eax, eax, 0x28
011F55B5  |. |0345 08       |add     eax, dword ptr [ebp+0x8]
011F55B8  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F55BB  |. |C70488 040000>|mov     dword ptr [eax+ecx*4], 0x4
011F55C2  |. |8B45 F8       |mov     eax, dword ptr [ebp-0x8]
011F55C5  |. |0345 BC       |add     eax, dword ptr [ebp-0x44]
011F55C8  |. |8945 F8       |mov     dword ptr [ebp-0x8], eax
011F55CB  |. |EB 07         |jmp     short 011F55D4
011F55CD  |> |32C0          |xor     al, al
011F55CF  |. |E9 91000000   |jmp     011F5665
011F55D4  |> |8B45 0C       |mov     eax, dword ptr [ebp+0xC]
011F55D7  |. |0FBE08        |movsx   ecx, byte ptr [eax]
011F55DA  |. |83F9 71       |cmp     ecx, 0x71                      # 'q'是往上
011F55DD  |. |75 3F         |jnz     short 011F561E
011F55DF  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F55E2  |. |0345 E0       |add     eax, dword ptr [ebp-0x20]
011F55E5  |. |78 37         |js      short 011F561E
011F55E7  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F55EA  |. |0345 E0       |add     eax, dword ptr [ebp-0x20]
011F55ED  |. |6BC0 28       |imul    eax, eax, 0x28
011F55F0  |. |0345 08       |add     eax, dword ptr [ebp+0x8]
011F55F3  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F55F6  |. |833C88 00     |cmp     dword ptr [eax+ecx*4], 0x0
011F55FA  |. |75 1E         |jnz     short 011F561A
011F55FC  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F55FF  |. |6BC0 28       |imul    eax, eax, 0x28
011F5602  |. |0345 08       |add     eax, dword ptr [ebp+0x8]
011F5605  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F5608  |. |C70488 040000>|mov     dword ptr [eax+ecx*4], 0x4
011F560F  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F5612  |. |0345 E0       |add     eax, dword ptr [ebp-0x20]
011F5615  |. |8945 EC       |mov     dword ptr [ebp-0x14], eax
011F5618  |. |EB 04         |jmp     short 011F561E
011F561A  |> |32C0          |xor     al, al
011F561C  |. |EB 47         |jmp     short 011F5665
011F561E  |> |8B45 0C       |mov     eax, dword ptr [ebp+0xC]
011F5621  |. |0FBE08        |movsx   ecx, byte ptr [eax]
011F5624  |. |83F9 70       |cmp     ecx, 0x70                     # 'p'是往左
011F5627  |. |75 2C         |jnz     short 011F5655
011F5629  |. |8B45 F8       |mov     eax, dword ptr [ebp-0x8]
011F562C  |. |0345 C8       |add     eax, dword ptr [ebp-0x38]
011F562F  |. |78 24         |js      short 011F5655
011F5631  |. |8B45 EC       |mov     eax, dword ptr [ebp-0x14]
011F5634  |. |6BC0 28       |imul    eax, eax, 0x28
011F5637  |. |0345 08       |add     eax, dword ptr [ebp+0x8]
011F563A  |. |8B4D F8       |mov     ecx, dword ptr [ebp-0x8]
011F563D  |. |034D C8       |add     ecx, dword ptr [ebp-0x38]
011F5640  |. |833C88 00     |cmp     dword ptr [eax+ecx*4], 0x0
011F5644  |. |75 0B         |jnz     short 011F5651
011F5646  |. |8B45 F8       |mov     eax, dword ptr [ebp-0x8]
011F5649  |. |0345 C8       |add     eax, dword ptr [ebp-0x38]
011F564C  |. |8945 F8       |mov     dword ptr [ebp-0x8], eax
011F564F  |. |EB 04         |jmp     short 011F5655
011F5651  |> |32C0          |xor     al, al
011F5653  |. |EB 10         |jmp     short 011F5665
011F5655  |> |8B45 0C       |mov     eax, dword ptr [ebp+0xC]
011F5658  |. |83C0 01       |add     eax, 0x1
011F565B  |. |8945 0C       |mov     dword ptr [ebp+0xC], eax
011F565E  |.^\E9 C5FEFFFF   \jmp     011F5528
011F5663  |>  B0 01         mov     al, 0x1                        # 返回1就成功了
011F5665  |>  5F            pop     edi
011F5666  |.  5E            pop     esi
011F5667  |.  5B            pop     ebx
011F5668  |.  81C4 14010000 add     esp, 0x114
011F566E  |.  3BEC          cmp     ebp, esp
011F5670  |.  E8 DC87FFFF   call    011EDE51
011F5675  |.  8BE5          mov     esp, ebp
011F5677  |.  5D            pop     ebp
011F5678  \.  C3            retn


四、最后
这不算走迷宫吧
只要不踩到 1 就算成功:没有长度限制,也没有判断最后一定要从左上角走到右上角,只是判断了每一步所到的位置不能为 1;一旦读到 0x20(空格)就直接跳到 011F5663 返回 1。
所以注册码只要一个'z'就成功了。
base64 和摩斯电码都是标准实现,外面套了两层 base64
base64(base64(morse_code('z'))) = 'TFMwdUxpQT0='
再加上后面 64 个字符的校验值(32 字节 hash 逐字节 %02x 格式化得到的十六进制串,可以通过调试得到明文比较)"b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94"
得到一组注册码

TFMwdUxpQT0=b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94


五、附

里面各种函数里都穿插着很多反调试的检测,nop掉后保存下来比较好调试



