[CodeEngn] Basic RCE – Level 10

http://codeengn.com/challenges/basic/10

After finding the OEP, find the OPCODE of the branch instruction going to the “goodboy routine”
The solution should be in this format : OEP + Serial
EX) 00400000EB03

Checking with PEiD, the packer is ASPack 2.000. After googling how to unpack it, the following steps get us to the OEP:

  1. F8, right-click ESP > Follow in Dump.
  2. Select the first 2 bytes, right-click > Breakpoint > Hardware, on access > Word.
  3. F9, F8, F8, F8.

We have now stopped at OEP = 00445834:

[asm]00445834 55 push ebp
00445835 8BEC mov ebp,esp
00445837 83C4 F4 add esp,-0C
0044583A B8 F4564400 mov eax,10.004456F4
0044583F E8 0408FCFF call 10.00406048
00445844 A1 6C6C4400 mov eax,ds:[446C6C]
00445849 8B00 mov eax,ds:[eax]
0044584B E8 F0CCFFFF call 10.00442540
00445850 8B0D 386D4400 mov ecx,ds:[446D38] ; 10.0044784C
00445856 A1 6C6C4400 mov eax,ds:[446C6C]
0044585B 8B00 mov eax,ds:[eax]
0044585D 8B15 88514400 mov edx,ds:[445188] ; 10.004451D4
00445863 E8 F0CCFFFF call 10.00442558[/asm]

Right-click > Search for > All referenced text strings, and goodboy shows up immediately. Click on it to find the deciding jump instruction:

[asm]004454CF E8 9CE7FBFF call 10.00403C70
004454D4 75 55 jnz short <10.___badboy>
004454D6 8D85 F4FDFFFF lea eax,ss:[ebp-20C]
004454DC 8D95 17FEFFFF lea edx,ss:[ebp-1E9]
004454E2 E8 1DE6FBFF call 10.00403B04
004454E7 8B95 F4FDFFFF mov edx,ss:[ebp-20C]
004454ED 8B87 D4020000 mov eax,ds:[edi+2D4]
004454F3 E8 B4F5FDFF call 10.00424AAC
004454F8 8B87 D8020000 mov eax,ds:[edi+2D8]
004454FE 8B55 FC mov edx,ss:[ebp-4]
00445501 E8 A6F5FDFF call 10.00424AAC
00445506 8B87 E8020000 mov eax,ds:[edi+2E8]
0044550C BA 60564400 mov edx,10.00445660 ; ASCII “Registered … well done!”
00445511 E8 96F5FDFF call 10.00424AAC[/asm]

It is at 004454D4, with OPCODE = 75 55.

→ flag = 004458347555.
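The branch at 004454D4 is encoded as opcode 75 (jnz short) followed by a signed 8-bit displacement, and the calls as E8 followed by a signed 32-bit displacement; in both cases the displacement is relative to the end of the instruction. As an added example, not part of the original write-up, this Python snippet decodes those encodings from the bytes in the listing (checking that the targets match what OllyDbg shows) and rebuilds the flag in the challenge's OEP + opcode format:

```python
# Added example (not part of the original write-up): decode the relative
# branch/call instructions seen in the OllyDbg listing and rebuild the flag.
import struct

# Condition-code mnemonics for the short Jcc family 0x70..0x7F (OllyDbg names).
JCC = ["jo", "jno", "jb", "jnb", "jz", "jnz", "jbe", "ja",
       "js", "jns", "jpe", "jpo", "jl", "jge", "jle", "jg"]


def decode_branch(addr, code):
    """Decode one x86 relative branch located at virtual address `addr`.

    Supports short Jcc (7x rel8), jmp short (EB rel8), call (E8 rel32),
    jmp near (E9 rel32) and near Jcc (0F 8x rel32). Returns
    (mnemonic, length, target) or None if the bytes are not a branch.
    The target is addr + instruction length + signed displacement.
    """
    op = code[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:
        mnem = "jmp short" if op == 0xEB else f"{JCC[op - 0x70]} short"
        disp = struct.unpack("<b", code[1:2])[0]      # signed 8-bit
        length = 2
    elif op in (0xE8, 0xE9):
        mnem = "call" if op == 0xE8 else "jmp"
        disp = struct.unpack("<i", code[1:5])[0]      # signed 32-bit
        length = 5
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:
        mnem = JCC[code[1] - 0x80]
        disp = struct.unpack("<i", code[2:6])[0]
        length = 6
    else:
        return None
    return mnem, length, (addr + length + disp) & 0xFFFFFFFF


def make_flag(oep, opcode):
    """CodeEngn answer format: 8-hex-digit OEP followed by the opcode bytes."""
    return f"{oep:08X}" + opcode.hex().upper()


if __name__ == "__main__":
    # Address/byte pairs copied from the listing above.
    for addr, raw in [(0x004454D4, "7555"), (0x004454CF, "E89CE7FBFF"),
                      (0x0044583F, "E80408FCFF")]:
        mnem, n, tgt = decode_branch(addr, bytes.fromhex(raw))
        print(f"{addr:08X}  {raw:<12} {mnem} {tgt:08X}")
    print(make_flag(0x00445834, bytes.fromhex("7555")))  # 004458347555
```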

