当前位置:网站首页>CTF reverse entry question - dice
CTF reverse entry question - dice
2022-07-06 17:22:00 【TiggerRun】
Topic delivery :Beat our dice game and get the flag
0x00 Check the shell
Use PEiD Make sure the program is not shelled
0x01 OD Dynamic debugging
After opening, I first F7 F8 Debugging for a while , No idea .
The string search method is used to locate .
You can know that this is a dice problem , And throw “3-1-3-3-7” To get Flag.
And this 5 The second roll of dice is written separately , Locate the position of the code according to each dice roll , Find out cmp Follow closely jnz, We can know that this judgment is used to judge whether the thrown value is the same as the value in the program .
0x02 NOP jnz( success )
Simply and violently jnz Jump command NOP fall , The program can continue to run ~ sweet !
0x03 Modify jump ( Failure )
Of course, the principle is to use string analysis
Pass the last judgment and jump , You can locate the logic of success in the blue box , Is it possible to make the program jump directly to run here ???
Jump address 0x004029AD
You can know at the next breakpoint , The program will ask us to enter , But when we modify the assembly directly here to jump , The program crashed before it finished , It may be that the required variables are not declared ???
I just want to jump when I make a judgment for the first time , In this way, the variables of the program may have been defined .
But the results flag It's empty. .
Cause analysis :
- The jump position is not early enough ,flag Not calculated yet …
- That the road is blocked ,flag According to the front 5 A function calculates ( We all know about anti crawler encryption , Such as a treasure js Calculate some parameters in a loop all the time , Not following the process is a dead end )
I thought I could see the logic of the program after the last dice roll .
The seventh mistake jumps to 0040270A
It is found that the last sentence of the code block is to jump to 00402870
Then change the jump address of the first wrong judgment to 00402870
At this time, the prompt … something wrong, Of course there are problems , We just left 1 A function . There is another one at the end cmp. Thinking about this jnz to nop When it's over OK Come on, ha ha ha .
The reality is cruel , Final flag Failed to come out , This shows that , This flag Is from the front 5 Functions are calculated separately !!!
Just shared ideas , Although this kind of thinking did not succeed flag
边栏推荐
- Akamai浅谈风控原理与解决方案
- Idea breakpoint debugging skills, multiple dynamic diagram package teaching package meeting.
- 唯有學C不負眾望 TOP5 S1E8|S1E9:字符和字符串&&算術運算符
- 数据仓库建模使用的模型以及分层介绍
- Von Neumann architecture
- Some feelings of brushing leetcode 300+ questions
- JVM之垃圾回收器上篇
- C# WinForm系列-Button简单使用
- TCP's three handshakes and four waves
- 连接局域网MySql
猜你喜欢
随机推荐
服务器端渲染(SSR)和客户端渲染(CSR)的区别
Introduction to spring trick of ByteDance: senior students, senior students, senior students, and the author "brocade bag"
Redis installation on centos7
Only learning C can live up to expectations TOP4 S1E6: data type
[CISCN 2021 华南赛区]rsa Writeup
Wu Jun's trilogy experience (VII) the essence of Commerce
Flink 解析(七):时间窗口
Idea resolving jar package conflicts
mysql的列的数据类型详解
Assembly language segment definition
Many papers on ByteDance have been selected into CVPR 2021, and the selected dry goods are here
Set up the flutter environment pit collection
Activiti directory (I) highlights
关于Selenium启动Chrome浏览器闪退问题
Only learning C can live up to expectations top5 S1E8 | S1E9: characters and strings & arithmetic operators
Login to verify the simple use of KOA passport Middleware
关于Stream和Map的巧用
8086 memory
mysql的合计/统计函数
The daemon thread starts redis and modifies the configuration file