[CodeEngn] Basic RCE – Level 12

http://codeengn.com/challenges/basic/12

You will see a success message after finding the key.
If you would want the Key itself to replace the success message in the MessageBox,
open up a Hex Editor and overwrite the key value in the offset range 0x???? ~ 0x????.

Q : find the key value and the offset range and write the solution in this format : key????????
(first ???? for the start and the next 4 ?s for the end).

The goodboy branch and the check that guards it are easy to spot:

[asm]0040107D > 3D BF96287A cmp eax,7A2896BF
00401082 . 75 14 jnz short <12.___badboy>
00401084 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401086 . 68 30354000 push 12.00403530 ; |Title = "In the Bin"
0040108B . 68 3B354000 push 12.0040353B ; |Text = "Congratulation, you found the right key"
00401090 . FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401093 . E8 02010000 call ; MessageBoxA
00401098 > > EB 6C jmp short 12.00401106[/asm]

Key = 0x7A2896BF = 2049480383.

Open the file in any hex editor and search for the goodboy string:

[asm]00000D20 62 34 45 68 4F 71 69 71 00 00 00 00 78 56 34 12 b4EhOqiq....xV4.
00000D30 49 6E 20 74 68 65 20 42 69 6E 00 43 6F 6E 67 72 In the Bin.Congr
00000D40 61 74 75 6C 61 74 69 6F 6E 2C 20 79 6F 75 20 66 atulation, you f
00000D50 6F 75 6E 64 20 74 68 65 20 72 69 67 68 74 20 6B ound the right k
00000D60 65 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ey..............[/asm]

Overwrite it with the Key value (note the \x00 byte at the end):

[asm]00000D20 62 34 45 68 4F 71 69 71 00 00 00 00 78 56 34 12 b4EhOqiq....xV4.
00000D30 49 6E 20 74 68 65 20 42 69 6E 00 32 30 34 39 34 In the Bin.20494
00000D40 38 30 33 38 33 00 69 6F 6E 2C 20 79 6F 75 20 66 80383.ion, you f
00000D50 6F 75 6E 64 20 74 68 65 20 72 69 67 68 74 20 6B ound the right k
00000D60 65 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ey..............[/asm]

Checking again, the whole overwritten region runs from offset 0D3B to 0D45 (including the null byte).

→ flag = 20494803830D3B0D45.
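The patch and offset calculation above, reproduced as an added Python example (not part of the original write-up). The bytes are retyped from the hex dump as constructed sample data, and the function names are this example's own.

```python
DUMP_BASE = 0x0D20  # file offset of the first dumped row
MESSAGE = b"Congratulation, you found the right key"
# Constructed sample: the five dumped rows (0x0D20-0x0D6F), retyped by hand.
DUMP = (b"b4EhOqiq\x00\x00\x00\x00\x78\x56\x34\x12"
        b"In the Bin\x00" + MESSAGE + b"\x00" * 14)


def key_from_cmp(imm32: int) -> bytes:
    """Decimal ASCII form of the immediate in `cmp eax, imm32`."""
    return str(imm32).encode("ascii")


def patch_message(image: bytes, message: bytes, key: bytes):
    """Overwrite message with key + NUL; return (patched, first, last) offsets."""
    start = image.find(message)
    if start < 0:
        raise ValueError("success message not found")
    if image.find(message, start + 1) != -1:
        raise ValueError("message occurs more than once")
    patch = key + b"\x00"
    # The original string plus its terminator is all the room there is.
    if len(patch) > len(message) + 1:
        raise ValueError("patch would overrun the original string")
    patched = bytearray(image)
    patched[start:start + len(patch)] = patch
    return bytes(patched), start, start + len(patch) - 1


def c_string_at(image: bytes, offset: int) -> bytes:
    """What MessageBoxA would read: bytes up to the first NUL."""
    return image[offset:image.index(b"\x00", offset)]


def solve():
    image = bytes(DUMP_BASE) + DUMP  # zero padding so indexes equal file offsets
    key = key_from_cmp(0x7A2896BF)
    patched, first, last = patch_message(image, MESSAGE, key)
    shown = c_string_at(patched, first)
    flag = f"{key.decode()}{first:04X}{last:04X}"
    return flag, first, last, shown


if __name__ == "__main__":
    print(solve())
```

The leftover bytes after the NUL ("ion, you f...") stay in the file but are never displayed, which is why the range ends at the terminator.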

 
