Shulou (Shulou.com), SLTechnology News&Howtos > Network Security, 2025-04-02 update, 06/01 report
CE that doesn't work.
There are several ways to solve this challenge, and I will go through them one by one:
Use OD only
Use CE only
CE+OD
Download a file
Try to click twice.
No shell
1. Use OD only
With OD alone I can think of only two approaches. They differ only in where the breakpoint is placed, but they represent two different ways of thinking.
The first is the most direct and crude: set a breakpoint on every referenced string. Fortunately there are not many of them, and the flag happens to be stored directly in memory, so this works. If you are not so lucky, you can only break on the prompt string "Ten thousand clicks have flag" and scroll up through the code bit by bit.
The second relies on knowing that the program is written in VB and pops up a dialog box. The function VB normally uses for a dialog box is rtcMsgBox, and an OD plug-in can set the breakpoint on it automatically.
First OD method: break on the referenced strings. Here we only set breakpoints on the suspicious ones,
that is, lines 3, 4, 5, 6, 7.
The program first breaks at the last one.
This looks like variable initialization, so press F9 to continue running.
A dialog box pops up; click OK to let the program continue.
A breakpoint triggers after clicking.
These three suspicious strings sit together, and there is no big jump above them, not even a small one, while the last suspicious string is the most suspicious of all. Continuing with F9, the program does not break on the last string, which suggests that it only appears once the condition (10,000 clicks) has been met.
There is also a big jump above that string, so it is very likely the flag, or something related to the flag. Let's nop the big jump and see what happens.
DeZmqMUhRcP8NgJgzLPdXa
The nastiest part of this challenge is this string. I did not realize until I published the writeup that this string, which looks like base64, is actually a distant relative of it: base58.
We all know that the base64 alphabet is the digits (10) + upper- and lowercase letters (26 x 2 = 52) + two special characters (+, /).
Base58, on the other hand, drops the easily confused characters: the digit 0, lowercase l, uppercase I and uppercase O, plus the two special characters (+, /).
Get flag
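An added example, not code from the original writeup: a small base58 encoder/decoder (Bitcoin-style alphabet) plus an alphabet check that shows why a string like the one above passes as base64 but must be tried as base58. The page's string is used only for the alphabet check and a round-trip; what it decodes to is not claimed here.

```python
import string

# Base58 alphabet: base64's characters minus 0, O, I, l, +, / (and no '=' padding)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# String recovered in the writeup above (used here for the alphabet check and a round-trip)
FLAG_STRING = "DeZmqMUhRcP8NgJgzLPdXa"


def b58decode(s: str) -> bytes:
    """Decode a base58 string (big-endian base-58 integer) into bytes."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # each leading '1' encodes one leading zero byte
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; leading zero bytes become leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def guess_alphabet(s: str) -> str:
    """Base58 is a subset of base64's alphabet, so only the characters base58
    removed (0, O, I, l, +, /) and '=' padding can tell the two apart."""
    if any(c not in B64_ALPHABET and c != "=" for c in s):
        return "neither"
    if all(c in B58_ALPHABET for c in s):
        return "base58-compatible"  # try base58 first, as in this crackme
    return "base64-only"
```

Run `guess_alphabet(FLAG_STRING)` to see that nothing in the string rules out base58, which is exactly why it is easy to mistake for base64.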
Second OD method: use the OD plug-in to set a breakpoint on rtcMsgBox, then run the program with F9 and it breaks.
At this point we are no longer in the program's own address space but in the address space of the VB runtime library it called. On the stack we can find the return address into the program; press Enter on it to go back to the program's address space.
From there we can scroll up through the code slowly. This breakpoint is useful when there is no clear prompt string; when there is one, finding it through the string is more convenient.
CE+OD
Open the program and attach CE.
We do not yet know the type of the value that changes, although it looks like an integer.
So we set the scan type to "unknown initial value" and click First Scan.
Then click the program's button to change the value.
Then use CE to search for "changed value".
Click Next Scan.
Doing this one scan at a time is slow; we can keep narrowing the results by alternating "changed value" and "unchanged value" scans.
In the end, eight results remain that cannot be told apart.
That is good enough; we do not need to be that precise. Pick one at random, double-click it to pull it into the list below, and right-click it to find out what writes to this address.
Note that an entry like this one, with a very large address, cannot be the program's own code; it is the address of a library the program calls.
Code whose address starts with 0x40, like this one, belongs to the program itself; this depends on the image base defined in the PE header, which is usually 0x400000.
So we note this address, open the program in OD and look at it there. CE can show it too, but many operations are inconvenient in CE,
since it is not specifically designed for debugging applications.
We use OD to attach to the process.
Ctrl+G and look at 401D44.
It is also close to the key jump we found the first time.
There are a lot of brown floating-point instructions in between, and none after the key jump, so this is probably the algorithm part. This time we take a closer look at it.
Below are the four most important pieces of code in the algorithm, as you can tell from the 10000 stored at 0x4010A8. Before explaining the floating-point mnemonics, I want to explain floating-point operations in general:
Processors with floating-point support have eight registers, ST0-ST7, on which floating-point instructions operate. They behave very much like a stack, with values stored in order from ST0 to ST7. Commonly used floating-point mnemonics are:
Fld is equivalent to push.
Fstp is equivalent to pop.
Fadd is equivalent to add.
Fsub is equivalent to sub.
Fdiv is equivalent to div.
Fmul is equivalent to mul.
Fstsw stores the FPU status word in a register (usually AX).
Fcomp is equivalent to cmp.
I will explain the more specific usage as each instruction comes up. Now set a breakpoint at the beginning of the floating-point operations.
Because the code spans a fairly large range, I will not screenshot it piece by piece and will only write down the key code.
```asm
fld qword ptr ds:[esi+0x34]     ; push the double at [esi+0x34] (the stored counter) onto the FPU stack as ST0
fadd qword ptr ds:[0x4010B0]    ; 0x4010B0 holds 200.0, so ST0 += 200.0
fstp qword ptr ds:[esi+0x34]    ; pop ST0 back into [esi+0x34]: counter += 200.0
fstsw ax                        ; store the FPU status word in AX; nothing nearby uses it, so ignore it
fld qword ptr ds:[esi+0x34]     ; ST0 = [esi+0x34]
fdiv qword ptr ds:[0x4010B0]    ; ST0 /= 200.0
fstp qword ptr ss:[esp]         ; [esp] = ST0, which is the actual number of clicks
fclex                           ; clear pending floating-point exception flags; does not affect the result, ignore it
fld qword ptr ds:[esi+0x34]     ; ST0 = [esi+0x34]
fdiv qword ptr ds:[0x4010B0]    ; ST0 /= 200.0
fcomp qword ptr ds:[0x4010A8]   ; compare ST0 with the 10000 stored at 0x4010A8, then pop
fstsw ax                        ; store the FPU status word (the comparison result) in AX
test ah,0x40                    ; test the comparison flag in the status word
je 401e97                       ; key jump
```
How to change it is up to you. You can nop the key jump directly as we did last time, modify the value at 0x4010B0 so that one click counts as several, or modify the value at 0x4010A8 to turn ten thousand clicks into one. The flag processing part will not be discussed in detail.
Later I checked that test ah,0x40 examines the CF bit of the status word, that is, the carry flag, so it only triggers when going from 9999 to 10000.
Use only CE:
Run the program and attach CE.
We already know the value is a double (a double occupies eight bytes and has about 16 significant digits, which we can confirm from the 200.0 seen earlier). Even if we did not know it was a double, we could try the types one by one: data is usually stored as a 4-byte integer, a single or a double, and occasionally as a single-byte Boolean. So we set the scan type to "unknown initial value" and the value type to double.
Then alternate "changed value" / "unchanged value" scans and a very conspicuous number quickly appears: apart from this 2200, the results are all long fractional doubles. 2200 / 11 gives an increment of 200 per click.
Double-click it to add it to the list below and set its value to 1999800.
Then click the program's button.
It went from 11 to 100000, and you get the flag.
Of course, once we know the increment is 200, we can also search directly for multiples of 200 (200 x n).