https://ctf.bugku.com/challenges#love
After downloading the file, run it and have a look.
Just input 123 and see what happens.
Problem-solving ideas:
A very common program flow is to compare the input string with a string inside the program and print the result. This leaves us with two choices.
1. Write a script to brute-force it. This is not the way: it is extremely inefficient and unreliable. In some cases it is the only way, but it is not necessary for this question, so it is discarded.
2. Debug the code with a debugger, or decompile it directly to obtain the source. Here I used the OllyDbg debugger.
Problem-solving process:
First check the file for a packer.
There is no packer; it is an ordinary C++ compiled file. Open the file in OllyDbg.
With no other clue, right-click and choose Chinese search engine -> intelligent search.
There are several very familiar strings.
Is this not the "input your string" prompt? Click to go to it.
You can see there is a jump at 1035840. At 1035842 a string is pushed, and the function called at 1035847 is something printf-like, so it is the jump at 1035840 that decides whether the output is "wrong flag" or "right flag". We continue to look upward for what controls this jump. Obviously it is the strncmp call at 103582e, before which a strange string is pushed onto the stack. Guessing from what the program does at the start, this is either the string we input, or a comparison between our encrypted input and that string. The result of strncmp is the key that decides whether the jump is taken. Set a breakpoint on strncmp, run the program, and enter 1234567890.
Comparing the data on the stack we can see that ecx holds the encrypted form of the string we entered and eax holds the number of characters to compare. We continue upward to see how our input string (i.e. ecx) is encrypted.
Not far above we find some very suspicious code. Set a breakpoint at 10357d0, re-run the program, and enter 1234567890 again.
After the breakpoint hits, look at the memory near ebp-0xac: we find some base64 code.
That is our input string, base64-encoded.
Analyse this encryption code:
Then build a Python script from this assembly code and the comparison string "e3nifIH9b_C@n@dH"
to obtain the flag.
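The solve script itself did not survive on this page, so here is an added example of one, not the writeup's own script. The comparison string comes from the writeup; the per-character step after base64 (adding each character's index to its byte value) is not visible on this page, because the disassembly screenshot is missing, and is assumed here. With that assumption the script both reproduces what was seen at the breakpoint and inverts the transform to recover the flag.

```python
import base64

# Comparison string pushed before the strncmp call (from the writeup).
TARGET = "e3nifIH9b_C@n@dH"


def base64_stage(user_input: str) -> str:
    """First stage seen at ebp-0xac: the raw input, base64-encoded."""
    return base64.b64encode(user_input.encode()).decode()


def encrypt(user_input: str) -> str:
    """Forward transform as ASSUMED here: base64-encode, then add each
    character's index to its byte value. This is the string strncmp
    compares against TARGET."""
    enc = base64_stage(user_input)
    return "".join(chr(ord(c) + i) for i, c in enumerate(enc))


def decrypt(target: str) -> str:
    """Inverse of encrypt: subtract each index, then base64-decode."""
    b64 = "".join(chr(ord(c) - i) for i, c in enumerate(target))
    return base64.b64decode(b64).decode()


def solve(target: str = TARGET) -> str:
    """Recover the flag body and sanity-check it by re-encrypting."""
    flag = decrypt(target)
    assert encrypt(flag) == target, "round trip failed: transform assumption is wrong"
    return flag


if __name__ == "__main__":
    # What the debugger showed after entering 1234567890 at the breakpoint.
    print("base64 stage for 1234567890:", base64_stage("1234567890"))
    print("recovered:", solve())
```

The round-trip assertion in `solve` is the practical check: if the assumed transform were wrong, re-encrypting the recovered string would not reproduce the comparison string, and the script would fail loudly instead of printing garbage.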
End