bugku useful CE WriteUp

CE easy to use

This challenge can be solved in several ways; I will go through them one by one:

OD only

CE only

CE + OD

Download the file.

Try double-clicking it to run it.

It is not packed.

1. OD only

With OD alone I found two ways in. They differ only in where the breakpoint is set, but they represent two different ways of thinking.

The first is the most direct and the most brute-force: set a breakpoint on every string the string search turns up. Fortunately there are not many strings here, and the flag happens to be stored directly in memory, so this works. Had we been less lucky, we could only have set a breakpoint on the prompt string ("click ten thousand times to get the flag") and worked upward through the code from there.

Second, we know the program is written in VB, and the function VB commonly uses to pop up a dialog box is rtcMsgBox, so an OD plugin can set a breakpoint on it automatically.

OD only, first approach: break on every string. Here we only break on the suspicious ones,

that is, the 3rd, 4th, 5th, 6th and 7th lines in the first screenshot.

The first break lands on the last of them,

which looks like variable initialisation; press F9 to continue running.

The dialog box appears; click OK so the program continues.

After the click, the breakpoint is triggered.

Three of the suspicious strings sit together, but there is no big jump above them, so whether it jumps or not, the last suspicious string is the more suspicious one. Press F9 to keep the program running: it never breaks on that last string, which suggests the string only appears once the condition (ten thousand clicks) is met.

Above this string there is a big jump, so it is very likely the flag or a flag-related string. Nop out the big jump and see what appears:

DeZmqMUhRcP8NgJgzLPdXa

The biggest pitfall of this challenge is this string. I had given up on the challenge at this point before; only recently, from another writeup, did I learn that this string, which looks like base64, is actually base64's distant relative, base58.

We know the base64 alphabet is the digits (10) + upper- and lower-case letters (26 * 2 = 52) + two special characters (+ and /).

Base58 drops the characters that are easy to misread, the digit 0, lowercase l, uppercase I and uppercase O, and also drops the two special characters (+ and /).

Decoding it as base58 gives the flag.
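As an added example that is not part of the original writeup, here is a Python base58 decoder applied to the string recovered above, with an encoder to round-trip-check it; the alphabet is assumed to be the usual Bitcoin-style one (digits and letters minus 0, O, I and l).

```python
# Added example, not part of the original writeup: a base58 decoder for the
# string recovered above. The alphabet is the usual Bitcoin-style one: base64's
# digits and letters minus the confusable 0, O, I and l, and no + or /.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# The string pulled out of memory after nopping the big jump (quoted from the writeup).
RECOVERED = "DeZmqMUhRcP8NgJgzLPdXa"


def looks_like_base58(s: str) -> bool:
    """Quick triage: base64-looking text that never uses 0, O, I, l, + or /."""
    return bool(s) and all(ch in INDEX for ch in s)


def b58decode(s: str) -> bytes:
    """Decode base58 text to bytes, rejecting characters outside the alphabet."""
    n = 0
    for ch in s:
        if ch not in INDEX:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + INDEX[ch]
    # Each leading '1' stands for a leading zero byte that the integer loses.
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used to round-trip-check the decoder."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


if __name__ == "__main__":
    raw = b58decode(RECOVERED)
    print(looks_like_base58(RECOVERED), len(raw), "bytes:", raw)
```

The triage check is the quick way to tell the two encodings apart before decoding: base64 output of any length almost always contains at least one of the characters base58 excludes.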

OD only, second method: use the OD plugin to set a breakpoint on rtcMsgBox, press F9 to run the program and wait for it to break.

This location is no longer inside the program's own code; it is inside the library that VB calls. Here we can find the program's return address on the stack; press Enter on it to go back to the program's code.

Then we can laboriously scroll upward through the code. This way of placing the breakpoint suits programs with no clear prompt string; when there is a prompt string, searching by string is more convenient.

2. CE + OD

Open the program and attach CE to it.

Here we do not know the type of the changing number, although it looks very much like an integer,

so we set the scan type to Unknown initial value and click First Scan.

Then click the button to change the value,

and search for the changed value with CE:

click Next Scan.

This is too slow; we can alternate between Changed value and Unchanged value scans to keep narrowing it down.

In the end eight results remained that I could not tell apart.

That is enough, though; we do not need to be that precise. Pick any one, double-click it to add it to the lower pane, right-click it and choose Find out what writes to this address.

Note that entries like this one, with very large addresses, are definitely not the program's own code; that is the address of a library the program calls.

Entries starting with 40, like this one, are the program's code. The exact value depends on the image base defined in the program's PE header, usually 400000.

Now we note this address, open the program in OD and look at that address. CE can also show it, but many operations are inconvenient there,

since it is not an application built specifically for debugging.

We attach OD to the process,

press Ctrl+G and go to 401D44:

It is also very close to the key jump we found the first time.

Between the two there is a lot of brown floating-point arithmetic, and after the key jump there is no floating-point arithmetic at all, so this is probably the algorithm part. This time we analyse the algorithm part carefully.

These are arguably the four most important instructions of the algorithm, as the 10000 stored at 0x4010A8 shows. Before I explain the floating-point mnemonics I first need to explain floating-point arithmetic:

A processor with floating-point support has 8 floating-point registers, ST0 to ST7, which the floating-point mnemonics operate on. They are used much like a stack, filled in order from ST0 to ST7. The commonly used floating-point mnemonics are:

fld: equivalent to push

fstp: equivalent to pop

fadd: equivalent to add

fsub: equivalent to sub

fdiv: equivalent to div

fmul: equivalent to mul

fstsw: store the status register into a register

fcomp: equivalent to cmp

I will explain the finer points of usage as they come up. Now set a breakpoint at the first floating-point operation.

Because the code spans a large area I will not screenshot every line; I only write down the key code.

fld qword ptr ds:[esi+0x34]

Load [esi+0x34] into ST0.

fadd qword ptr ds:[0x4010B0]

0x4010B0 holds 200.0, so ST0 += 200.0.

fstp qword ptr ds:[esi+0x34]

That is, [esi+0x34] = ST0.

fstsw ax

Store the status register into ax; no nearby code can affect the status register, so this can be ignored.

fld qword ptr ds:[esi+0x34]

That is, ST0 = [esi+0x34].

fdiv qword ptr ds:[0x4010B0]

That is, ST0 /= 200.0.

fstp qword ptr ss:[esp]

That is, [esp] = ST0; what is stored here is the actual click count.

fclex

I looked it up: this is "clear floating-point exceptions"; it does not affect the result, so ignore it.

fld qword ptr ds:[esi+0x34]

That is, ST0 = [esi+0x34].

fdiv qword ptr ds:[0x4010B0]

That is, ST0 /= 200.0.

fcomp qword ptr ds:[0x4010A8]

That is, compare ST0 with 10000.

fstsw ax

Store the status register into ax.

test ah,0x40

Check the status register.

je 401e97

The key jump.

How to modify it is then a matter of taste: you can nop out the key jump directly as last time, modify the value at 0x4010B0 so that one click counts as several, or modify the value at 0x4010A8 directly so that ten thousand becomes 1. I will not repeat the flag-handling part.

I later looked it up: test ah,0x40 checks the cf register of the status register, that is the carry register, so it only triggers when carrying over from 9999 to 10000.
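Added example, not the challenge's own code: a Python model of the instructions listed above, using the constants and addresses quoted on the page, that counts button presses under each of the patches described. It treats bit 0x40 of AH after fstsw ax as the x87 C3 condition bit, which fcomp sets when ST0 equals its operand; the counter's starting value of 0.0 is an assumption.

```python
# Added example, not the challenge's own code: a model of the click counter
# recovered above, using the constants and addresses quoted in the writeup.
# The x87 register stack is a Python list; only what the listed instructions
# need is modelled, and the counter is assumed to start at 0.0.
INC_ADDR, LIMIT_ADDR, COUNTER = 0x4010B0, 0x4010A8, "esi+0x34"
C3 = 0x40  # bit 6 of AH after fstsw ax; fcomp sets C3 when ST0 == operand


def fresh_memory(counter=0.0, inc=200.0, limit=10000.0):
    """The three memory cells the listed instructions touch."""
    return {COUNTER: counter, INC_ADDR: inc, LIMIT_ADDR: limit}


def button_press(mem, nop_jump=False):
    """Run the listed instructions once; return (clicks shown, key jump taken)."""
    st = []                              # st[-1] plays the role of ST0
    st.append(mem[COUNTER])              # fld qword ptr [esi+0x34]
    st[-1] += mem[INC_ADDR]              # fadd qword ptr [0x4010B0]
    mem[COUNTER] = st.pop()              # fstp qword ptr [esi+0x34]
    st.append(mem[COUNTER])              # fld qword ptr [esi+0x34]
    st[-1] /= mem[INC_ADDR]              # fdiv qword ptr [0x4010B0]
    clicks = st.pop()                    # fstp qword ptr [esp]: the displayed count
    st.append(mem[COUNTER])              # fld qword ptr [esi+0x34]
    st[-1] /= mem[INC_ADDR]              # fdiv qword ptr [0x4010B0]
    equal = st.pop() == mem[LIMIT_ADDR]  # fcomp qword ptr [0x4010A8], pops ST0
    ah = C3 if equal else 0              # fstsw ax
    jump_taken = (ah & C3) == 0          # test ah,0x40 / je: jump unless equal
    return clicks, jump_taken and not nop_jump


def presses_until_flag(mem, nop_jump=False, max_presses=20000):
    """Presses until the je falls through to the flag code, or None if never."""
    for n in range(1, max_presses + 1):
        _, taken = button_press(mem, nop_jump)
        if not taken:
            return n
    return None


if __name__ == "__main__":
    print("unpatched:", presses_until_flag(fresh_memory()))                  # 10000
    print("jump nopped:", presses_until_flag(fresh_memory(), nop_jump=True))  # 1
    print("0x4010A8 := 1.0:", presses_until_flag(fresh_memory(limit=1.0)))    # 1
    print("counter := 1999800.0:", presses_until_flag(fresh_memory(1999800.0)))  # 1
    # fadd and fdiv share 0x4010B0: a smaller increment scales the existing
    # count, but fcomp wants exact equality, so it must land on 10000.0.
    print("0x4010B0 := 0.3 from 2200:", presses_until_flag(fresh_memory(2200.0, 0.3)))  # None
```

Because fadd and fdiv both read 0x4010B0 and the check is an exact comparison with 10000, the last case shows that a replacement increment only works when the counter divided by it lands exactly on 10000.0.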

3. CE only

Run the program and attach CE to it.

Since we already know the value's type is double (a double occupies eight bytes and has 16 significant digits; counting the significant digits of the earlier 200.0 tells you. Even without knowing it is a double you can try the types one by one: data is usually stored only as a 4-byte integer, a float or a double, and occasionally as a single-byte boolean), we set the scan type to Unknown initial value and the value type to Double, and search.

Alternating between Changed value and Unchanged value searches quickly turns up one conspicuous value: apart from this 2200, the rest are floating-point numbers with decimal places. 2200/11 then gives the increment, 200.

Double-click it to add it to the lower pane and set the value to 1,999,800.

Then click the program's button.

11 becomes 10,000 and the flag appears.

Of course, if we had known the increment is 200, we could also search directly for 200 * X.
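Added example, not Cheat Engine's code: a Python model of the scan narrowing used in the CE + OD section and in the CE-only section above, run over a constructed snapshot of eight doubles at a constructed image base of 0x400000. It alternates Changed value and Unchanged value scans, does the exact 200 * X scan, and rewrites the surviving address to 1,999,800 as the writeup does.

```python
# Added example, not Cheat Engine's code: a model of the scan narrowing used in
# the two CE sections, run over a constructed snapshot of eight doubles at a
# constructed image base of 0x400000.
import struct

BASE = 0x00400000  # constructed; the writeup notes 400000 is the usual image base

def make_snapshot(counter, noise):
    """64 bytes of fake memory: the click counter plus filler that may also move."""
    words = [noise, 1.5, counter, 3.25, noise * 2, 0.0, 7.0, noise]  # constructed
    return struct.pack("<8d", *words)

def doubles_in(mem):
    """Yield (address, value) for each aligned 8-byte double in the snapshot."""
    for off in range(0, len(mem) - 7, 8):
        yield BASE + off, struct.unpack_from("<d", mem, off)[0]

def scan(before, after, changed):
    """CE's Changed value / Unchanged value filter between two snapshots."""
    return {addr for (addr, v0), (_, v1) in zip(doubles_in(before), doubles_in(after))
            if (v0 != v1) == changed}

def exact_scan(mem, value):
    """CE's exact-value scan, e.g. for 200 * X once the increment is known."""
    return {addr for addr, v in doubles_in(mem) if v == value}

def narrow(rounds):
    """Intersect successive scans: a click changes the counter; waiting does not."""
    survivors = None
    for before, after, clicked in rounds:
        found = scan(before, after, changed=clicked)
        survivors = found if survivors is None else survivors & found
    return survivors

def write_double(mem, addr, value):
    """Overwrite the double at addr, like editing the value in CE's lower pane."""
    buf = bytearray(mem)
    struct.pack_into("<d", buf, addr - BASE, value)
    return bytes(buf)

def find_counter():
    """Replay the writeup's scans on constructed snapshots; return the address."""
    s0 = make_snapshot(2000.0, 0.125)  # 10 clicks so far
    s1 = make_snapshot(2200.0, 0.5)    # one click: counter +200, filler moved too
    s2 = make_snapshot(2200.0, 0.75)   # no click, time passed: only filler moved
    (addr,) = narrow([(s0, s1, True), (s1, s2, False)])
    return addr
```

The constants at the other offsets are what the Changed value scan discards, and the timer-like filler is what the Unchanged value scan discards; the counter is the only address that survives both, which is why alternating the two converges so quickly.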


Origin blog.51cto.com/13992485/2429569