测试文件:https://adworld.xctf.org.cn/media/task/attachments/6df7b29f8f18437887ff4be163b567d5.exe
1.准备
获取信息
- 32位文件
2.IDA打开
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4) { HMODULE v5; // eax HICON v6; // eax HMODULE v7; // eax HCURSOR v8; // ST20_4 HWND v9; // eax CHAR String; // [esp+8h] [ebp-340h] CHAR v11[4]; // [esp+108h] [ebp-240h] char v12; // [esp+10Ch] [ebp-23Ch] char v13; // [esp+10Dh] [ebp-23Bh] char v14; // [esp+10Eh] [ebp-23Ah] char v15; // [esp+10Fh] [ebp-239h] char v16; // [esp+110h] [ebp-238h] char v17; // [esp+111h] [ebp-237h] char v18; // [esp+112h] [ebp-236h] char v19; // [esp+113h] [ebp-235h] char v20; // [esp+114h] [ebp-234h] char v21; // [esp+115h] [ebp-233h] char v22; // [esp+116h] [ebp-232h] char v23; // [esp+117h] [ebp-231h] CHAR Text; // [esp+208h] [ebp-140h] char Src[16]; // [esp+308h] [ebp-40h] __int128 v26; // [esp+318h] [ebp-30h] int v27; // [esp+328h] [ebp-20h] __int128 v28; // [esp+32Ch] [ebp-1Ch] int v29; // [esp+33Ch] [ebp-Ch] __int16 v30; // [esp+340h] [ebp-8h] if ( a2 == 16 ) { EndDialog(hDlg, 0); return 0; } if ( a2 == 272 ) { v5 = GetModuleHandleW(0); v6 = LoadIconW(v5, (LPCWSTR)'g'); SetClassLongA(hDlg, -14, (LONG)v6); v7 = GetModuleHandleW(0); v8 = LoadCursorW(v7, (LPCWSTR)'f'); v9 = GetDlgItem(hDlg, 1); SetClassLongA(v9, -12, (LONG)v8); return 1; } if ( a2 != 273 || (unsigned __int16)a3 != 1 ) return 0; memset(&String, (unsigned __int16)a3 - 1, 256u); memset(v11, 0, 0x100u); memset(&Text, 0, 0x100u); GetDlgItemTextA(hDlg, 1001, &String, 256); GetDlgItemTextA(hDlg, 1002, v11, 256); if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != '.' ) { v28 = xmmword_410AA0; // "Registration fai" v29 = 'erul'; *(_OWORD *)Src = xmmword_410A90; // "Registration Suc" v30 = '.'; v26 = xmmword_410A80; // "cess!Your flag" v27 = ':si'; if ( strlen(v11) != 16 // 序列号长度为16 || v11[0] != 'C' || v23 != 'X' || v11[1] != 'Z' || v11[1] + v22 != 155 // v22=65='A' || v11[2] != '9' || v11[2] + v21 != 155 // v21=98='b' || v11[3] != 'd' // v11="CZ9d" || v20 != '7' || v12 != 'm' || v19 != 'G' || v13 != 'q' || v13 + v18 != 170 // v18=57='9' || v14 != '4' || v17 != 'g' || v15 != 'c' || v16 != '8' ) { strcpy_s(&Text, 0x100u, (const char *)&v28); } else { strcpy_s(&Text, 0x100u, Src); strcat_s(&Text, 0x100u, v11); } } else { strcpy_s(&Text, 0x100u, "Your E-mail address in not valid."); } MessageBoxA(hDlg, &Text, "Registeration", 0x40u); return 1; }
3.代码分析
只要将代码认认真真看一遍,并不难。邮箱的要求在代码第53行
if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != '.' )
要求邮箱有'@'和'.'字符,并且这两个字符并能在一起。
序列号即v11[4]+v12+v13+...v23,可以看上面注释。
4.get flag!
CZ9dmq4c8g9G7bAX