动态调试练习题WP
练习平台为NSSCTF
[HNCTF 2022 WEEK2]getflag
丢IDA,然后搜索字符串,找到验证点击次数的函数
/*
 * Decompiled "get flag" handler from the HNCTF getflag binary.  Once the
 * global click counter exceeds 99999999 (0x5F5E0FF in the disassembly) the
 * flag routine runs; otherwise a "Failed" message box tells the user how
 * many clicks are still missing.  Returns getflag()'s result on success,
 * else the button id returned by MessageBoxA.  The whole gate is a single
 * compare on a client-side counter, which is why patching eax at the cmp
 * (see the walkthrough) is enough to reach getflag().
 */
int check()
{
  int remaining;

  if ( click > 99999999 )
    return getflag();

  // Only reached while click <= 99999999; for a non-negative counter this
  // is at least 1.
  remaining = 100000000 - click;
  // chk is a global buffer; its size is not visible in this listing.
  sprintf(chk, "Click %d more times to get flag", remaining);
  return MessageBoxA(0, chk, "Failed", 0);
}
在 if ( click > 99999999 ) 打断点,然后运行
点击get flag,查看ida
.text:004015F1 sub esp, 18h
.text:004015F4 mov eax, ds:_click
.text:004015F9 cmp eax, 5F5E0FFh
.text:004015FE jg short loc_40164F
停在了mov eax, ds:_click
按F8单步到cmp指令处，把eax改成比0x5F5E0FF大的值（例如0x5FFFFFF），然后按F9继续运行，即可得到flag
[HNCTF 2022 Week1]CrackMe
拿到题目,发现它有一个要求
得到CreakMe的注册码。
直接运行程序,获得字符串然后跳转到对应位置
/*
 * IDA pseudo-code of the CrackMe dialog procedure (decompiler output; only
 * comments were added).  Dispatches on the message id a2:
 *   272 (0x110, WM_INITDIALOG) - control/font setup, returns 1
 *    16 (0x010, WM_CLOSE)      - EndDialog, returns 1
 *   273 (0x111, WM_COMMAND)    - button handling; the serial check lives here
 * Globals (IDA auto-names) used as scratch state in the WM_COMMAND path:
 *   String       - user name read from control 1001 (buffer of 21 incl. NUL)
 *   String1      - serial typed into control 1002
 *   String2      - the expected serial, built in the do/while below
 *   dword_403900 - current write offset into String2
 *   dword_4038FC - length of the user name
 *   byte_403904  - last name byte read; 0 ends the loop
 */
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  HFONT FontA; // eax
  __int16 v5; // ax
  UINT DlgItemTextA; // eax
  int v8; // ecx
  const CHAR *v9; // [esp-8h] [ebp-8h]
  int v10; // [esp-4h] [ebp-4h]

  if ( a2 == 272 ) // WM_INITDIALOG
  {
    dword_4030F0 = (int)hDlg;
    dword_4038F8 = (int)GetDlgItem(hDlg, 1001);
    SetFocus((HWND)dword_4038F8);
    // 0xC5 = EM_LIMITTEXT: the name edit accepts at most 0x14 = 20 characters,
    // which matches the 21-byte read of String further down.
    SendDlgItemMessageA(hDlg, 1001, 0xC5u, 0x14u, 0);
    sub_401214(hDlg);
    FontA = CreateFontA(23, 0, 0, 0, 10, 0, 0, 0, 1u, 0, 0, 0, 0, pszFaceName);
    if ( FontA )
      wParam = (WPARAM)FontA;
    else
      wParam = 0;
    SendDlgItemMessageA(hDlg, 1003, 0x30u, wParam, 1); // 0x30 = WM_SETFONT
    SendDlgItemMessageA(hDlg, 1000, 0x30u, wParam, 1);
    return 1;
  }
  if ( a2 == 16 ) // WM_CLOSE
  {
    EndDialog(hDlg, 0);
    return 1;
  }
  if ( a2 != 273 ) // everything except WM_COMMAND is left to the default handler
    return 0;
  v5 = a3; // low word of wParam: the control id
  if ( HIWORD(a3) ) // non-zero notification code: not a plain button click
    return 1;
  if ( (_WORD)a3 == 1003 )
    v5 = MessageBoxExA(hDlg, aTheRulesArePat, Caption, 0, 0); // "rules" button; its return value replaces v5
  if ( v5 != 1000 ) // only control 1000 reaches the serial check
    return 1;
  dword_403900 = 0;
  byte_403904 = 0;
  DlgItemTextA = GetDlgItemTextA(hDlg, 1001, String, 21);
  if ( DlgItemTextA >= 5 )
  {
    dword_4038FC = DlgItemTextA; // the name length is the only input to the serial
    v8 = 0;
    // Builds the expected serial in String2.  Round i appends the decimal
    // text of (len * (i+1) + 23) ^ 0xF.  The byte copied into byte_403904
    // only decides when to stop; because the test is at the bottom, the
    // terminator round is emitted as well (len + 1 numbers in total).  So
    // the serial depends on the name's length, not on its characters.
    do
    {
      byte_403904 = String[v8];
      v10 = v8 + 1;
      v9 = &String2[dword_403900];
      wsprintfA(&String2[dword_403900], "%u", (dword_4038FC * (v8 + 1) + 23) ^ 0xF);
      dword_403900 += lstrlenA(v9); // advance past what wsprintfA just wrote
      v8 = v10;
    }
    while ( byte_403904 );
    // String2's capacity is not visible here; the 20-character name cap
    // bounds the output to 21 numbers of at most 10 digits each.
    if ( (unsigned __int16)GetDlgItemTextA(hDlg, 1002, String1, 500) )
    {
      // Plain string compare against the serial generated above; by this
      // point the loop has finished writing String2.
      if ( lstrcmpA(String1, String2) )
        MessageBoxA(0, aThisSerialSuck, Caption, 0);
      else
        MessageBoxA(0, Text, Caption, 0);
      ExitProcess(0);
    }
    MessageBoxExA(0, aEnterASerial, Caption, 0, 0); // serial field was empty
    return 1;
  }
  else
  {
    MessageBoxExA(hDlg, aYourNameIsTooS, Caption, 0, 0); // fewer than 5 characters
    return 1;
  }
}
在
if ( lstrcmpA(String1, String2) )
MessageBoxA(0, aThisSerialSuck, Caption, 0);
else
MessageBoxA(0, Text, Caption, 0);
ExitProcess(0);
处打下断点，可以得到用户名为CrackMe时String2的值，也就是注册码
但是刚断在这里时String2还不是正确的值，等运行到ExitProcess(0)处时我才读到了正确的值
