[原创]CTF2018第二题WP

2018-12-3 15:40 676

这个题比较简单,先是根据字符串"Please Input"定位到
00C019B0 | 55                    | push ebp                                                       | main-like routine: frame setup (32-bit, cdecl callees below)
00C019B1 | 8B EC                 | mov ebp,esp                                                    |
00C019B3 | 81 EC CC 00 00 00     | sub esp,CC                                                     | 0xCC bytes of locals
00C019B9 | 53                    | push ebx                                                       | save callee-saved regs
00C019BA | 56                    | push esi                                                       |
00C019BB | 57                    | push edi                                                       |
00C019BC | 8D BD 34 FF FF FF     | lea edi,dword ptr ss:[ebp-CC]                                  | edi = start of the local area
00C019C2 | B9 33 00 00 00        | mov ecx,33                                                     | 0x33:'3' -- 0x33 dwords = 0xCC bytes, i.e. the whole local area
00C019C7 | B8 CC CC CC CC        | mov eax,CCCCCCCC                                               |
00C019CC | F3 AB                 | repe stosd                                                     | fill locals with 0xCC (typical debug-build stack fill)
00C019CE | B9 07 60 D5 00        | mov ecx,exam.D56007                                            | helper called with ecx=D56007; its purpose is not visible here
00C019D3 | E8 DC BD FE FF        | call exam.BED7B4                                               |
00C019D8 | 68 BC 25 D1 00        | push exam.D125BC                                               | 0xD125BC:"Please Input:" -- 2nd cdecl arg (pushed first)
00C019DD | 68 E0 31 D5 00        | push exam.D531E0                                               | 1st arg; presumably an output stream/handle -- confirm
00C019E2 | E8 5F B3 FE FF        | call exam.BECD46                                               | prints the prompt (inferred from the string argument)
00C019E7 | 83 C4 08              | add esp,8                                                      | pop the 2 args
00C019EA | 6A 1E                 | push 1E                                                        | 3rd arg: 0x1E = 30, the same value as the upper length bound checked later
00C019EC | 68 68 30 D5 00        | push exam.D53068                                               | 2nd arg: destination buffer for the input
00C019F1 | 68 9C 22 D1 00        | push exam.D1229C                                               | 0xD1229C:"%s" -- 1st arg: format string
00C019F6 | E8 F3 A6 FE FF        | call exam.BEC0EE                                               | reads the input; the argument shape matches scanf_s("%s", buf, 30) -- confirm
这里就是获取输入的,然后接下来就是计算输入字符串的长度,并对字符串长度做检测
00C019FB | 83 C4 0C              | add esp,C                                                      | pop the 3 args of the input call above
00C019FE | 68 68 30 D5 00        | push exam.D53068                                               | 0xD53068:"1234567A99" -- the input buffer (sample input shown by the debugger)
00C01A03 | E8 9E 8F FE FF        | call exam.BEA9A6                                               | strlen(input)
00C01A08 | 83 C4 04              | add esp,4                                                      |
00C01A0B | 89 45 F8              | mov dword ptr ss:[ebp-8],eax                                   | [ebp-8] = len
00C01A0E | 83 7D F8 1E           | cmp dword ptr ss:[ebp-8],1E                                    | if (len > 0x1E) goto error  (signed compare: jg)
00C01A12 | 7F 06                 | jg exam.C01A1A                                                 |
00C01A14 | 83 7D F8 0A           | cmp dword ptr ss:[ebp-8],A                                     | if (len >= 0x0A) continue at C01A30
00C01A18 | 7D 16                 | jge exam.C01A30                                                | accepted range is 0x0A <= len <= 0x1E, both ends inclusive
00C01A1A | 68 CC 25 D1 00        | push exam.D125CC                                               | error path; D125CC is presumably the error message (string not shown)
00C01A1F | E8 B7 8C FE FF        | call exam.BEA6DB                                               | print it (inferred from the single string-like argument)
00C01A24 | 83 C4 04              | add esp,4                                                      |
00C01A27 | 6A 00                 | push 0                                                         |
00C01A29 | E8 46 A8 FE FF        | call exam.BEC274                                               | called with 0; looks like exit(0) -- confirm
00C01A2E | EB 4E                 | jmp exam.C01A7E                                                | to the epilogue (only reached if BEC274 returns)
从上面的代码可以看出,输入的字符串长度要在0x0a~0x1e之间,大于0x1e或小于0x0a就会报输入错误,这里是第一个检测点,接着往下看
00C01A30 | 68 68 30 D5 00        | push exam.D53068                                               | 0xD53068:"1234567A99" -- 3rd arg: source = the input buffer
00C01A35 | 6A 1E                 | push 1E                                                        | 2nd arg: 0x1E (size/count)
00C01A37 | A1 88 30 D5 00        | mov eax,dword ptr ds:[D53088]                                  | 0x00D53088:"@O0" -- eax = the pointer stored at D53088 (the destination), not D53088 itself
00C01A3C | 50                    | push eax                                                       | 1st arg: destination
00C01A3D | E8 7D CB FE FF        | call exam.BEE5BF                                               | copy the input into *D53088; argument shape matches strcpy_s(dst, 0x1E, src) -- confirm
00C01A42 | 83 C4 0C              | add esp,C                                                      |
00C01A45 | B8 01 00 00 00        | mov eax,1                                                      |
00C01A4A | 6B C8 07              | imul ecx,eax,7                                                 | ecx = 1 * 7 = 7, the index of the 8th character
00C01A4D | 8B 15 88 30 D5 00     | mov edx,dword ptr ds:[D53088]                                  | 0x00D53088:"@O0" -- edx = the copied string
00C01A53 | 0F BE 04 0A           | movsx eax,byte ptr ds:[edx+ecx]                                | eax = copy[7], sign-extended
00C01A57 | 83 F8 41              | cmp eax,41                                                     | is the 8th character 'A' (0x41)?
00C01A5A | 74 14                 | je exam.C01A70                                                 | yes -> go transform the string
00C01A5C | 68 CC 25 D1 00        | push exam.D125CC                                               | no -> same error path as the length check
00C01A61 | E8 75 8C FE FF        | call exam.BEA6DB                                               |
00C01A66 | 83 C4 04              | add esp,4                                                      |
00C01A69 | 6A 00                 | push 0                                                         |
00C01A6B | E8 04 A8 FE FF        | call exam.BEC274                                               | no jmp after this one: falls through to C01A70 if it returns
00C01A70 | A1 88 30 D5 00        | mov eax,dword ptr ds:[D53088]                                  | 0x00D53088:"@O0"
00C01A75 | 50                    | push eax                                                       | arg: the copied string
00C01A76 | E8 29 B9 FE FF        | call exam.BED3A4                                               | transform the string in place (the routine listed further down at BFDBD0; BED3A4 is presumably a thunk to it -- confirm)
00C01A7B | 83 C4 04              | add esp,4                                                      |
00C01A7E | 33 C0                 | xor eax,eax                                                    | return 0
00C01A80 | 5F                    | pop edi                                                        | restore callee-saved regs
00C01A81 | 5E                    | pop esi                                                        |
00C01A82 | 5B                    | pop ebx                                                        |
00C01A83 | 81 C4 CC 00 00 00     | add esp,CC                                                     |
00C01A89 | 3B EC                 | cmp ebp,esp                                                    | ebp vs esp followed by a helper call: consistent with a debug-build stack-pointer sanity check -- confirm
00C01A8B | E8 A5 BE FE FF        | call exam.BED935                                               |
00C01A90 | 8B E5                 | mov esp,ebp                                                    |
00C01A92 | 5D                    | pop ebp                                                        |
00C01A93 | C3                    | ret                                                            |
上面这段代码先把输入的字符串copy到0x0D53088处,然后再检测输入字符串的第8个字符,看是不是0x41(大写的字母A),如果是,就跳转到字符串处理函数,否则就报输入错误,接下来看字符串处理函数
00BFDBD0 | 55                    | push ebp                                                       | string transform routine: takes one pointer arg s at [ebp+8]
00BFDBD1 | 8B EC                 | mov ebp,esp                                                    |
00BFDBD3 | 81 EC CC 00 00 00     | sub esp,CC                                                     |
00BFDBD9 | 53                    | push ebx                                                       |
00BFDBDA | 56                    | push esi                                                       |
00BFDBDB | 57                    | push edi                                                       |
00BFDBDC | 8D BD 34 FF FF FF     | lea edi,dword ptr ss:[ebp-CC]                                  | same prologue shape as the caller: fill 0xCC bytes of locals with 0xCC
00BFDBE2 | B9 33 00 00 00        | mov ecx,33                                                     | ecx:"1234567A99", 0x33:'3'
00BFDBE7 | B8 CC CC CC CC        | mov eax,CCCCCCCC                                               |
00BFDBEC | F3 AB                 | repe stosd                                                     |
00BFDBEE | B9 07 60 D5 00        | mov ecx,exam.D56007                                            | ecx:"1234567A99" -- same helper as in the caller, purpose not visible
00BFDBF3 | E8 BC FB FE FF        | call exam.BED7B4                                               |
00BFDBF8 | B8 01 00 00 00        | mov eax,1                                                      |
00BFDBFD | 6B C8 07              | imul ecx,eax,7                                                 | ecx:"1234567A99" -- ecx = 7
00BFDC00 | 8B 55 08              | mov edx,dword ptr ss:[ebp+8]                                   | edx = s
00BFDC03 | C6 04 0A 23           | mov byte ptr ds:[edx+ecx],23                                   | s[7] = '#' (0x23): the 'A' the caller just checked is overwritten
00BFDC07 | C7 45 F8 00 00 00 00  | mov dword ptr ss:[ebp-8],0                                     | i = 0. The 2 bytes at BFDC0E are not in this listing; presumably a jmp to the loop test at BFDC19, since the loop body below increments first -- confirm
上面的代码主要就是把输入字符串的第8个字符改为'#',接下来就对输入字符串进行加密处理,代码如下
00BFDC10 | 8B 45 F8              | mov eax,dword ptr ss:[ebp-8]                                   | loop increment: i++
00BFDC13 | 83 C0 01              | add eax,1                                                      | eax:"1234567#99"
00BFDC16 | 89 45 F8              | mov dword ptr ss:[ebp-8],eax                                   |
00BFDC19 | 8B 45 08              | mov eax,dword ptr ss:[ebp+8]                                   | [ebp+8]:"1234567#99" -- loop test starts here
00BFDC1C | 50                    | push eax                                                       | eax:"1234567#99"
00BFDC1D | E8 84 CD FE FF        | call exam.BEA9A6                                               | strlen(s), re-evaluated on every iteration
00BFDC22 | 83 C4 04              | add esp,4                                                      |
00BFDC25 | 39 45 F8              | cmp dword ptr ss:[ebp-8],eax                                   | if (i >= len) break  (unsigned compare: jae)
00BFDC28 | 73 16                 | jae exam.BFDC40                                                |
00BFDC2A | 8B 45 08              | mov eax,dword ptr ss:[ebp+8]                                   | eax = s
00BFDC2D | 03 45 F8              | add eax,dword ptr ss:[ebp-8]                                   | eax = &s[i]
00BFDC30 | 0F BE 08              | movsx ecx,byte ptr ds:[eax]                                    | ecx = s[i]
00BFDC33 | 83 F1 1F              | xor ecx,1F                                                     | ecx ^= 0x1F (only the low byte is stored below, so the sign extension is irrelevant)
00BFDC36 | 8B 55 08              | mov edx,dword ptr ss:[ebp+8]                                   | [ebp+8]:"1234567#99"
00BFDC39 | 03 55 F8              | add edx,dword ptr ss:[ebp-8]                                   | edx = &s[i]
00BFDC3C | 88 0A                 | mov byte ptr ds:[edx],cl                                       | s[i] ^= 0x1F, in place; the '#' at s[7] becomes '<' (0x23 ^ 0x1F = 0x3C)
00BFDC3E | EB D0                 | jmp exam.BFDC10                                                | next iteration
00BFDC40 | 8B 45 08              | mov eax,dword ptr ss:[ebp+8]                                   | [ebp+8]:"1234567#99" -- return s
00BFDC43 | 5F                    | pop edi                                                        |
00BFDC44 | 5E                    | pop esi                                                        |
00BFDC45 | 5B                    | pop ebx                                                        |
00BFDC46 | 81 C4 CC 00 00 00     | add esp,CC                                                     |
00BFDC4C | 3B EC                 | cmp ebp,esp                                                    | debug-build stack-pointer check, same pattern as the caller -- confirm
00BFDC4E | E8 E2 FC FE FF        | call exam.BED935                                               |
00BFDC53 | 8B E5                 | mov esp,ebp                                                    |
00BFDC55 | 5D                    | pop ebp                                                        |
00BFDC56 | C3                    | ret                                                            |
上面主要是对输入字符串进行加密处理(每个字符分别和0x1f进行异或),接下来对加密后的字符串数据下内存访问断点,然后直接运行程序,就来到了如下位置
00CA7DE0 | 8B 54 24 04           | mov edx,dword ptr ss:[esp+4]                                   | 1st arg: the reference password, already XOR-encoded (note its '<' at index 7 = '#' ^ 0x1F)
00CA7DE4 | 8B 4C 24 08           | mov ecx,dword ptr ss:[esp+8]                                   | 2nd arg: the encoded input
00CA7DE8 | F7 C2 03 00 00 00     | test edx,3                                                     | edx:"urj}pux<}n{iqyrh" -- is edx 4-byte aligned?
00CA7DEE | 75 40                 | jne exam.CA7E30                                                | not aligned -> alternative path at CA7E30 (not in this listing)
00CA7DF0 | 8B 02                 | mov eax,dword ptr ds:[edx]                                     | edx:"urj}pux<}n{iqyrh" -- load 4 reference bytes at once
00CA7DF2 | 3A 01                 | cmp al,byte ptr ds:[ecx]                                       | ecx:".-,+*)(<&&" -- byte 0
00CA7DF4 | 75 32                 | jne exam.CA7E28                                                | mismatch -> CA7E28 (not in this listing); the compare stops at the first differing byte
00CA7DF6 | 84 C0                 | test al,al                                                     |
00CA7DF8 | 74 26                 | je exam.CA7E20                                                 | NUL reached with all bytes equal -> return 0
00CA7DFA | 3A 61 01              | cmp ah,byte ptr ds:[ecx+1]                                     | ecx+1:"-,+*)(<&&" -- byte 1
00CA7DFD | 75 29                 | jne exam.CA7E28                                                |
00CA7DFF | 84 E4                 | test ah,ah                                                     |
00CA7E01 | 74 1D                 | je exam.CA7E20                                                 |
00CA7E03 | C1 E8 10              | shr eax,10                                                     | bring bytes 2 and 3 into al/ah
00CA7E06 | 3A 41 02              | cmp al,byte ptr ds:[ecx+2]                                     | ecx+2:",+*)(<&&" -- byte 2
00CA7E09 | 75 1D                 | jne exam.CA7E28                                                |
00CA7E0B | 84 C0                 | test al,al                                                     |
00CA7E0D | 74 11                 | je exam.CA7E20                                                 |
00CA7E0F | 3A 61 03              | cmp ah,byte ptr ds:[ecx+3]                                     | ecx+3:"+*)(<&&" -- byte 3
00CA7E12 | 75 14                 | jne exam.CA7E28                                                |
00CA7E14 | 83 C1 04              | add ecx,4                                                      | ecx:".-,+*)(<&&" -- advance both strings by 4
00CA7E17 | 83 C2 04              | add edx,4                                                      | edx:"urj}pux<}n{iqyrh"
00CA7E1A | 84 E4                 | test ah,ah                                                     | byte 3 was not NUL -> compare the next 4 bytes
00CA7E1C | 75 D2                 | jne exam.CA7DF0                                                |
00CA7E1E | 8B FF                 | mov edi,edi                                                    | 2-byte no-op (padding before the label)
00CA7E20 | 33 C0                 | xor eax,eax                                                    | return 0: strings equal
00CA7E22 | C3                    | ret                                                            |
上面就是用输入字符串加密后的数据和原始密码加密后的数据进行比较,因此我们可以从这里得到原始密码加密后的数据为"urj}pux<}n{iqyrh",又根据上面得知,加密数据是由密码字符和0x1f异或得到,因此我们可以将加密后的数据分别和0x1f异或,就可得到加密前的密码,还原代码如下
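/*
 * Recover the pre-transform password from the XOR-encoded reference.
 *
 * The target rewrites every byte of the input as (c ^ 0x1F) before the
 * comparison; XOR is its own inverse, so applying the same key to the
 * captured reference (the page's "urj}pux<}n{iqyrh") yields the text the
 * transform started from. Byte 7 of that text is the '#' the target wrote
 * in itself; putting the 'A' back there is left to the caller.
 *
 * buffer      - NUL-terminated encoded string (NULL gives an empty result)
 * result      - output buffer; always NUL-terminated on return
 * result_size - capacity of result in bytes
 * Returns the number of bytes written, excluding the terminating NUL.
 */
static size_t decode_xor1f(const char *buffer, char *result, size_t result_size)
{
    size_t len;
    size_t i;

    if (result == NULL || result_size == 0) {
        return 0;
    }
    if (buffer == NULL) {
        result[0] = '\0';
        return 0;
    }

    /* Compute the length once (the original called strlen() on every
     * iteration and compared an int against its size_t result) and clamp
     * it so a longer capture can never run past the output buffer. */
    len = strlen(buffer);
    if (len > result_size - 1) {
        len = result_size - 1;
    }

    for (i = 0; i < len; i++) {
        result[i] = (char)(buffer[i] ^ 0x1f);
    }
    result[len] = '\0';
    return len;
}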
得到加密前的密码之后,记得把第8个字符替换为'A',最后得到的就是本题答案


