Shulou(Shulou.com)06/01 Report--

Https://ctf.bugku.com/challenges#love

Run it after downloading the file

Casually enter 123 to have a look

Ideas for solving the problem:

A very common program flow is to compare the input string with the string in the program to output the result. at this time, we have two choices.

1. Write a script to blow up. This is no way, extremely inefficient and unreliable, in some cases is the only way, but in this problem is not necessary, so give up.

two。 Use the software to debug the program code, or directly decompiler to get the source code, here I use OllyDbg to debug the program.

Problem solving process:

Check the shell first when you get the file.

No shell, that is, an ordinary C++-compiled file, open the file using OllyDbg

There is no clue, right select Chinese search engine-> 3. Intelligent search

Some of them look familiar.

Isn't this the string we prompted after entering the string? click on it and have a look.

You can see that there is a jump at 1035840. Inferred from the 1035842 stack string, the function called by 1035847 is similar to printf, that is, the jump at 1035840 determines whether the output is "wrong flag" or "right flag". Let's continue to look up to see what controls the execution of the key jump. Obviously, the strncmp function is called at 103582e, and on top of it, a strange string is pushed into the stack, according to the initial guess function of the program, or this is the string the program wants us to enter. Or, the string we entered is encrypted and compared. The result of strncmp determines whether the critical jump is carried out or not. Let's go to the next breakpoint at strncmp, run the program, and type 1234567890.

Comparing the data on the stack, we can see that what is stored in ecx is the encrypted string we entered, and how many characters are stored in eax, so let's continue to scroll up to find out what encrypts the string we entered (that is, ecx).

Not far from it, we found a very suspicious piece of code. We rerun the program at the next breakpoint at 10357d0, and type 1234567890 again.

After running to the breakpoint, look at the memory space near ebp-0xac and find a piece of base64 code

That is, the string we entered.

Analyze this encryption code

The python script is then constructed with the assembly code and the contrasted string "e3nifIH9b_C@n@dH"

Get flag

End

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.