
Dynamic Debugging Practice Challenges: Writeup

The practice platform is NSSCTF.


[HNCTF 2022 WEEK2]getflag

Load the binary into IDA, search the strings, and find the function that validates the click count.

int check()
{
  if ( click > 99999999 )
    return getflag();
  sprintf(chk, "Click %d more times to get flag", 100000000 - click);
  return MessageBoxA(0, chk, "Failed", 0);
}

Set a breakpoint on if ( click > 99999999 ), then run the program.

Click get flag and look at IDA.

.text:004015F1 sub     esp, 18h
.text:004015F4 mov     eax, ds:_click
.text:004015F9 cmp     eax, 5F5E0FFh
.text:004015FE jg      short loc_40164F

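Execution stops at mov eax, ds:_click.

Press F8 to step to the cmp, change eax to a value greater than 5F5E0FF, for example 0x5FFFFFF, then press F9 to continue running and the flag is shown.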


[HNCTF 2022 Week1]CrackMe

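The challenge comes with one requirement:

Obtain the registration code for CreakMe.

Run the program directly, note the strings it shows, then jump to the corresponding location in IDA.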

INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  HFONT FontA; // eax
  __int16 v5; // ax
  UINT DlgItemTextA; // eax
  int v8; // ecx
  const CHAR *v9; // [esp-8h] [ebp-8h]
  int v10; // [esp-4h] [ebp-4h]

  if ( a2 == 272 )
  {
    dword_4030F0 = (int)hDlg;
    dword_4038F8 = (int)GetDlgItem(hDlg, 1001);
    SetFocus((HWND)dword_4038F8);
    SendDlgItemMessageA(hDlg, 1001, 0xC5u, 0x14u, 0);
    sub_401214(hDlg);
    FontA = CreateFontA(23, 0, 0, 0, 10, 0, 0, 0, 1u, 0, 0, 0, 0, pszFaceName);
    if ( FontA )
      wParam = (WPARAM)FontA;
    else
      wParam = 0;
    SendDlgItemMessageA(hDlg, 1003, 0x30u, wParam, 1);
    SendDlgItemMessageA(hDlg, 1000, 0x30u, wParam, 1);
    return 1;
  }
  if ( a2 == 16 )
  {
    EndDialog(hDlg, 0);
    return 1;
  }
  if ( a2 != 273 )
    return 0;
  v5 = a3;
  if ( HIWORD(a3) )
    return 1;
  if ( (_WORD)a3 == 1003 )
    v5 = MessageBoxExA(hDlg, aTheRulesArePat, Caption, 0, 0);
  if ( v5 != 1000 )
    return 1;
  dword_403900 = 0;
  byte_403904 = 0;
  DlgItemTextA = GetDlgItemTextA(hDlg, 1001, String, 21);
  if ( DlgItemTextA >= 5 )
  {
    dword_4038FC = DlgItemTextA;
    v8 = 0;
    do
    {
      byte_403904 = String[v8];
      v10 = v8 + 1;
      v9 = &String2[dword_403900];
      wsprintfA(&String2[dword_403900], "%u", (dword_4038FC * (v8 + 1) + 23) ^ 0xF);
      dword_403900 += lstrlenA(v9);
      v8 = v10;
    }
    while ( byte_403904 );
    if ( (unsigned __int16)GetDlgItemTextA(hDlg, 1002, String1, 500) )
    {
      if ( lstrcmpA(String1, String2) )
        MessageBoxA(0, aThisSerialSuck, Caption, 0);
      else
        MessageBoxA(0, Text, Caption, 0);
      ExitProcess(0);
    }
    MessageBoxExA(0, aEnterASerial, Caption, 0, 0);
    return 1;
  }
  else
  {
    MessageBoxExA(hDlg, aYourNameIsTooS, Caption, 0, 0);
    return 1;
  }
}

if ( lstrcmpA(String1, String2) )
  MessageBoxA(0, aThisSerialSuck, Caption, 0);
else
  MessageBoxA(0, Text, Caption, 0);
ExitProcess(0);

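Set a breakpoint here to obtain the value of String2, that is, the registration code, for the user CrackMe.

However, when execution first got here, String2 held a wrong value; I only read the correct value once execution reached ExitProcess(0).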
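
The serial loop in DialogFunc can also be reproduced statically to cross-check the value read in the debugger, and doing so shows that only the length of the name enters the formula. The Python below is an added example, not part of the original writeup; it assumes the IDA pseudocode above is accurate, and serial_for is a hypothetical helper name.

```python
# Added example: static re-implementation of the serial loop in DialogFunc.
# Assumes the IDA pseudocode shown above is accurate; serial_for is a
# hypothetical helper name, not a symbol from the binary.

MIN_NAME_LEN = 5    # "if ( DlgItemTextA >= 5 )"
MAX_NAME_LEN = 20   # GetDlgItemTextA(hDlg, 1001, String, 21): 20 chars + NUL


def serial_for(name: str) -> str:
    """Return the String2 value the dialog builds for the given name."""
    raw = name.encode("ascii")
    n = len(raw)                      # dword_4038FC
    if not MIN_NAME_LEN <= n <= MAX_NAME_LEN:
        raise ValueError("name must be 5 to 20 ASCII characters")

    pieces = []
    # The do/while tests byte_403904 after formatting, so the body also runs
    # once for the terminating NUL: n + 1 iterations in total.
    for v8 in range(n + 1):
        value = ((n * (v8 + 1) + 23) ^ 0xF) & 0xFFFFFFFF   # "%u" is 32-bit
        pieces.append(str(value))     # wsprintfA appends at dword_403900
    return "".join(pieces)


if __name__ == "__main__":
    # "CrackMe" is the user name from the writeup; "abcdefg" is a constructed
    # name of the same length, showing the characters never enter the formula.
    for sample in ("CrackMe", "abcdefg"):
        print(sample, serial_for(sample))
```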
