[CodeEngn] Basic RCE – Level 10
http://codeengn.com/challenges/basic/10
After finding the OEP, find the OPCODE of the branch instruction going to the “goodboy routine”
The solution should be in this format : OEP + Serial
EX) 00400000EB03
Kiểm tra bằng PEiD, Packer là ASPack 2.000. Google cách unpack, ta có các thao tác sau để đến OEP:
- F8, chuột phải ESP > Follow in Dump.
- Quét chọn 2 byte đầu, chuột phải > Breakpoint > Hardware, on access > Word.
- F9, F8, F8, F8.
Ta đã dừng tại OEP = 00445834:
[asm]00445834 55 push ebp
00445835 8BEC mov ebp,esp
00445837 83C4 F4 add esp,-0C
0044583A B8 F4564400 mov eax,10.004456F4
0044583F E8 0408FCFF call 10.00406048
00445844 A1 6C6C4400 mov eax,ds:[446C6C]
00445849 8B00 mov eax,ds:[eax]
0044584B E8 F0CCFFFF call 10.00442540
00445850 8B0D 386D4400 mov ecx,ds:[446D38] ; 10.0044784C
00445856 A1 6C6C4400 mov eax,ds:[446C6C]
0044585B 8B00 mov eax,ds:[eax]
0044585D 8B15 88514400 mov edx,ds:[445188] ; 10.004451D4
00445863 E8 F0CCFFFF call 10.00442558[/asm]
Chuột phải > Search for > All referenced text strings, thấy ngay goodboy. Nhấn vào để tìm câu lệnh nhảy quyết định:
[asm]004454CF E8 9CE7FBFF call 10.00403C70
004454D4 75 55 jnz short <10.___badboy>
004454D6 8D85 F4FDFFFF lea eax,ss:[ebp-20C]
004454DC 8D95 17FEFFFF lea edx,ss:[ebp-1E9]
004454E2 E8 1DE6FBFF call 10.00403B04
004454E7 8B95 F4FDFFFF mov edx,ss:[ebp-20C]
004454ED 8B87 D4020000 mov eax,ds:[edi+2D4]
004454F3 E8 B4F5FDFF call 10.00424AAC
004454F8 8B87 D8020000 mov eax,ds:[edi+2D8]
004454FE 8B55 FC mov edx,ss:[ebp-4]
00445501 E8 A6F5FDFF call 10.00424AAC
00445506 8B87 E8020000 mov eax,ds:[edi+2E8]
0044550C BA 60564400 mov edx,10.00445660 ; ASCII “Registered … well done!”
00445511 E8 96F5FDFF call 10.00424AAC[/asm]
Nó nằm ở 004454D4, với OPCODE = 75 55.
→ flag = 004458347555.
![[CodeEngn] Basic RCE – Level 09](https://ctf.yeuchimse.com/wp-content/themes/hueman/assets/front/img/thumb-medium-empty.png)
Recent comments