[CodeEngn] Basic RCE – Level 10
http://codeengn.com/challenges/basic/10
After finding the OEP, find the OPCODE of the branch instruction going to the “goodboy routine”
The solution should be in this format : OEP + Serial
EX) 00400000EB03
PEiD identifies the packer as ASPack 2.000. A quick search for how to unpack it gives the following steps to reach the OEP (this is the standard ESP trick: ASPack opens with PUSHAD, so a hardware breakpoint on the saved registers fires at the matching POPAD, just before the jump to the OEP):
- F8 once, then right-click ESP > Follow in Dump.
- Select the first 2 bytes, right-click > Breakpoint > Hardware, on access > Word.
- F9, then F8, F8, F8.
We land on the OEP = 00445834:
```
00445834  55              push ebp
00445835  8BEC            mov ebp,esp
00445837  83C4 F4         add esp,-0C
0044583A  B8 F4564400     mov eax,10.004456F4
0044583F  E8 0408FCFF     call 10.00406048
00445844  A1 6C6C4400     mov eax,ds:[446C6C]
00445849  8B00            mov eax,ds:[eax]
0044584B  E8 F0CCFFFF     call 10.00442540
00445850  8B0D 386D4400   mov ecx,ds:[446D38]      ; 10.0044784C
00445856  A1 6C6C4400     mov eax,ds:[446C6C]
0044585B  8B00            mov eax,ds:[eax]
0044585D  8B15 88514400   mov edx,ds:[445188]      ; 10.004451D4
00445863  E8 F0CCFFFF     call 10.00442558
```
Right-click > Search for > All referenced text strings; the goodboy string shows up immediately. Double-click it to find the deciding jump:
```
004454CF  E8 9CE7FBFF     call 10.00403C70
004454D4  75 55           jnz short <10.___badboy>
004454D6  8D85 F4FDFFFF   lea eax,ss:[ebp-20C]
004454DC  8D95 17FEFFFF   lea edx,ss:[ebp-1E9]
004454E2  E8 1DE6FBFF     call 10.00403B04
004454E7  8B95 F4FDFFFF   mov edx,ss:[ebp-20C]
004454ED  8B87 D4020000   mov eax,ds:[edi+2D4]
004454F3  E8 B4F5FDFF     call 10.00424AAC
004454F8  8B87 D8020000   mov eax,ds:[edi+2D8]
004454FE  8B55 FC         mov edx,ss:[ebp-4]
00445501  E8 A6F5FDFF     call 10.00424AAC
00445506  8B87 E8020000   mov eax,ds:[edi+2E8]
0044550C  BA 60564400     mov edx,10.00445660      ; ASCII "Registered ... well done!"
00445511  E8 96F5FDFF     call 10.00424AAC
```
It is at 004454D4, with OPCODE = 75 55 (a jnz short to the badboy routine; the fall-through path starting at 004454D6 is the goodboy code that prints "Registered ... well done!").
→ flag = 004458347555.
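As an added check (this script is not part of the original writeup), the following Python decodes the 75 55 bytes as a Jcc rel8 instruction to confirm where the jnz lands relative to the goodboy code in the listing, shows how the same bytes would be re-encoded (including the inverted jz patch solvers often apply to bypass the check; the patch is not required by the challenge), and assembles the answer string in the requested OEP + serial format. The Jcc opcode table comes from the Intel manual; the OEP, jump address and goodboy address are the values from the listing above.

```python
# Added example, not code from the original writeup: decode/encode x86 short
# conditional jumps to verify the 75 55 opcode and build the CodeEngn answer.
import struct

# Jcc rel8 opcodes (Intel SDM vol. 2, "Jcc - Jump if Condition Is Met").
JCC_REL8 = {
    "jo": 0x70, "jno": 0x71, "jb": 0x72, "jnb": 0x73,
    "jz": 0x74, "jnz": 0x75, "jbe": 0x76, "ja": 0x77,
    "js": 0x78, "jns": 0x79, "jp": 0x7A, "jnp": 0x7B,
    "jl": 0x7C, "jge": 0x7D, "jle": 0x7E, "jg": 0x7F,
}
OPCODE_TO_JCC = {v: k for k, v in JCC_REL8.items()}


def decode_jcc_short(addr: int, code: bytes):
    """Decode a 2-byte Jcc rel8 located at virtual address `addr`.

    Returns (mnemonic, target). The target is the address of the *next*
    instruction (addr + 2) plus the sign-extended 8-bit displacement.
    """
    if len(code) < 2 or code[0] not in OPCODE_TO_JCC:
        raise ValueError("no Jcc rel8 at %08X" % addr)
    rel8 = struct.unpack("<b", code[1:2])[0]          # signed displacement
    return OPCODE_TO_JCC[code[0]], (addr + 2 + rel8) & 0xFFFFFFFF


def encode_jcc_short(mnemonic: str, addr: int, target: int) -> bytes:
    """Assemble `<mnemonic> short target` at `addr` (2 bytes).

    Raises if the displacement does not fit in rel8; a longer jump would
    need the 0F 8x rel32 form, which changes instruction length.
    """
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range")
    return bytes([JCC_REL8[mnemonic]]) + struct.pack("<b", rel)


def codeengn_answer(oep: int, opcode: bytes) -> str:
    """OEP as 8 hex digits followed by the opcode bytes, e.g. 00400000EB03."""
    return "%08X%s" % (oep, opcode.hex().upper())


# Values read from the OllyDbg listing in the writeup.
OEP = 0x00445834
JNZ_ADDR = 0x004454D4
JNZ_BYTES = bytes.fromhex("7555")
GOODBOY_ADDR = 0x004454D6          # fall-through: lea eax,[ebp-20C] ...

if __name__ == "__main__":
    mnemonic, badboy = decode_jcc_short(JNZ_ADDR, JNZ_BYTES)
    print(f"{JNZ_ADDR:08X}: {mnemonic} short {badboy:08X}"
          f"  (fall-through/goodboy = {GOODBOY_ADDR:08X})")
    # Round-trip: re-assembling the jump to the decoded target must give 75 55.
    assert encode_jcc_short(mnemonic, JNZ_ADDR, badboy) == JNZ_BYTES
    # Optional crack (not part of the challenge): invert the condition so a
    # wrong serial falls through into goodboy.
    print("patched jz bytes:", encode_jcc_short("jz", JNZ_ADDR, badboy).hex().upper())
    print("answer:", codeengn_answer(OEP, JNZ_BYTES))
```

The decoded target (004454D6 + 0x55 = 0044552B) is the `___badboy` label OllyDbg shows, which confirms that the jump is taken on a bad serial and that the goodboy path is the fall-through starting at 004454D6.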