首页
论坛
专栏
课程

看雪CTF.TSRC 2018 团队赛-第6题

2018-12-11 14:08 369

看雪CTF.TSRC 2018 团队赛-第6题

2018-12-11 14:08
369
1. TlsCallback中hook WinMain及GetDlgItemTextA
.text:00401E4E                 call    x_hook_WinMain
..
.text:00401E55                 push    offset CriticalSection ; lpCriticalSection
.text:00401E5A                 call    ds:InitializeCriticalSection
..
.text:00401E67                 call    x_hook_GetDlgItemTextA
..
.text:00401E6E                 push    0               ; lpThreadId
.text:00401E70                 push    0               ; dwCreationFlags
.text:00401E72                 lea     eax, [ebp+Parameter]
.text:00401E75                 push    eax             ; lpParameter
.text:00401E76                 push    offset hook_GetDlgItemTextA_thread ; lpStartAddress
.text:00401E7B                 push    0               ; dwStackSize
.text:00401E7D                 push    0               ; lpThreadAttributes
.text:00401E7F                 call    ds:CreateThread

.text:00401284                 jmp x_WinMain
user32_GetDlgItemTextA+20      jmp x_stub_GetDlgItemTextA

2. GetDlgItemTextA之后的验证
.text:00401A8F                 push    ecx
.text:00401A90                 mov     edx, g_sn
.text:00401A96                 push    edx
.text:00401A97                 call    x_check
.text:00401A9C                 add     esp, 8
.text:00401A9F                 movzx   eax, al
.text:00401AA2                 test    eax, eax
.text:00401AA4                 jz      loc_401B85
.text:00401AAA                 mov     ecx, g_sn
.text:00401AB0                 push    ecx
.text:00401AB1                 call    strlen
.text:00401AB6                 push    eax
.text:00401AB7                 mov     edx, g_sn
.text:00401ABD                 push    edx
.text:00401ABE                 call    x_hash
.text:00401AC3                 cmp     eax, 5634D252h
.text:00401AC8                 jnz     loc_401B85

.text:00401380 ; bool __cdecl x_move(int direction, int num)

check是一个九宫格拼图游戏, 
w: 上
s: 下
a: 左
d: 右

原始状态
4 1 3
7 2 5
8 6 0
=>
目标状态
1 2 3
4 5 6
7 8 0

3. 手动移一下得到sn: d6d8s7s4a1w2a5w6
4 1 3
7 2 5
8 6 0
=>
4 1 3
7 2 5
0 8 6
=>
0 1 3
4 2 5
7 8 6
=>
1 0 3
4 2 5
7 8 6
=>
1 2 3
4 0 5
7 8 6
=>
1 2 3
4 5 0
7 8 6
=>
1 2 3
4 5 6
7 8 0



[推荐]看雪企服平台,提供安全分析、定制项目开发、APP等级保护、渗透测试等安全服务!

上一主题 下一主题
最新回复 (0)
游客
登录 | 注册 方可回帖
返回