[CodeEngn] Basic RCE – Level 14
http://codeengn.com/challenges/basic/14
Find the Serial when the Name of CodeEngn
(This problem has several answers, and the answer should be a 5 digit number. Brute forcing is required.)
Ex: 11111
The packer is UPX. Unpack the binary and open it in OllyDbg; the goodboy branch is easy to find:
```
0040133A  |. 3BC6           cmp eax,esi
0040133C  |. 75 15          jnz short <14.___badboy>
0040133E  |. 6A 00          push 0                            ; /Style = MB_OK|MB_APPLMODAL
00401340  |. 68 62344000    push 14.00403462                  ; |Title = "Key/CrackMe #2 "
00401345  |. 68 B8344000    push 14.004034B8                  ; |Text = " Good Job, I Wish You the Very Best"
0040134A  |. 6A 00          push 0                            ; |hOwner = NULL
0040134C  |. E8 9D000000    call <jmp.&USER32.MessageBoxA>    ; MessageBoxA
00401351  |. EB 13          jmp short 14.00401366
00401353 >|> 6A 00          push 0                            ; /Style = MB_OK|MB_APPLMODAL
00401355  |. 68 62344000    push 14.00403462                  ; |Title = "Key/CrackMe #2 "
0040135A  |. 68 86344000    push 14.00403486                  ; |Text = " You Have Enter A Wrong Serial, Please Try Again "
0040135F  |. 6A 00          push 0                            ; |hOwner = NULL
00401361  |. E8 88000000    call <jmp.&USER32.MessageBoxA>    ; MessageBoxA
00401366  |> EB 15          jmp short 14.0040137D
```
Set a breakpoint at 0040133A and press F9, enter username:key = CodeEngn:123456, then click Check:
```
EAX 0001E240
ECX 00000000
EDX 00403139 ASCII "23456"
EBX 00000010
ESP 0018FBA8
EBP 0018FBA8
ESI 00012D91
EDI 00000000
EIP 0040133A 14.0040133A
```
Here we can see right away that EAX = 0x001E240 = 123456 is exactly the key we entered, so ESI = 0x0012D91 = 76193 is…
→ flag = 76193.