buuctf-findKey
exe文件
运行发现这个窗口,没有任何消息
32位
进入字符串就发现了flag{
左边红色代表没有F5成功
我们再编译一下(选中红色的全部按p)
LRESULT __stdcall sub_401640(HWND hWndParent, UINT Msg, WPARAM wParam, LPARAM lParam)
{int v5; // eaxsize_t v6; // eaxDWORD v7; // eaxint v8; // eaxint v9; // eaxint v10; // [esp+4Ch] [ebp-400h]UINT v11; // [esp+50h] [ebp-3FCh]CHAR v12[256]; // [esp+54h] [ebp-3F8h] BYREFchar v13[7]; // [esp+154h] [ebp-2F8h] BYREF__int16 v14; // [esp+15Bh] [ebp-2F1h]char v15; // [esp+15Dh] [ebp-2EFh]char Str[253]; // [esp+160h] [ebp-2ECh] BYREF__int16 v17; // [esp+25Dh] [ebp-1EFh]char v18; // [esp+25Fh] [ebp-1EDh]CHAR v19[256]; // [esp+260h] [ebp-1ECh] BYREFCHAR String[4]; // [esp+360h] [ebp-ECh] BYREFint v21; // [esp+364h] [ebp-E8h]__int16 v22; // [esp+368h] [ebp-E4h]CHAR Text[32]; // [esp+36Ch] [ebp-E0h] BYREFstruct tagRECT Rect; // [esp+38Ch] [ebp-C0h] BYREFCHAR Buffer[100]; // [esp+39Ch] [ebp-B0h] BYREFHDC hdc; // [esp+400h] [ebp-4Ch]struct tagPAINTSTRUCT Paint; // [esp+404h] [ebp-48h] BYREFint v28; // [esp+444h] [ebp-8h]int v29; // [esp+448h] [ebp-4h]LoadStringA(hInstance, 0x6Au, Buffer, 100);v11 = Msg;if ( Msg > 0x111 ){if ( v11 == 517 ){if ( strlen((const char *)String1) > 6 )ExitProcess(0);if ( strlen((const char *)String1) ){memset(v19, 0, sizeof(v19));v6 = strlen((const char *)String1);memcpy(v19, String1, v6);v7 = strlen((const char *)String1);sub_40101E(String1, v7, (LPSTR)String1);strcpy(Str, "0kk`d1a`55k222k2a776jbfgd`06cjjb");memset(&Str[33], 0, 0xDCu);v17 = 0;v18 = 0;strcpy(v13, "SS");*(_DWORD *)&v13[3] = 0;v14 = 0;v15 = 0;v8 = strlen(Str);sub_401005(v13, (int)Str, v8);if ( _strcmpi((const char *)String1, Str) ){SetWindowTextA(hWndParent, "flag{}");MessageBoxA(hWndParent, "Are you kidding me?", "^_^", 0);ExitProcess(0);}memcpy(v12, &unk_423030, 0x32u);v9 = strlen(v12);sub_401005(v19, (int)v12, v9);MessageBoxA(hWndParent, v12, 0, 0x32u);}++dword_428D54;}else{if ( v11 != 520 )return DefWindowProcA(hWndParent, Msg, wParam, lParam);if ( dword_428D54 == 16 ){strcpy(String, "ctf");v21 = 0;v22 = 0;SetWindowTextA(hWndParent, String);strcpy(Text, "Are you kidding me?");MessageBoxA(hWndParent, Text, Buffer, 0);}++dword_428D54;}}else{switch ( v11 ){case 0x111u:v29 = (unsigned __int16)wParam;v28 = HIWORD(wParam);v10 = (unsigned __int16)wParam;if ( (unsigned __int16)wParam == 104 ){DialogBoxParamA(hInstance, (LPCSTR)0x67, hWndParent, (DLGPROC)DialogFunc, 0);}else{if ( v10 != 105 )return DefWindowProcA(hWndParent, Msg, wParam, lParam);DestroyWindow(hWndParent);}break;case 2u:PostQuitMessage(0);break;case 0xFu:hdc = BeginPaint(hWndParent, &Paint);GetClientRect(hWndParent, &Rect);v5 = strlen(Buffer);DrawTextA(hdc, Buffer, v5, &Rect, 1u);EndPaint(hWndParent, &Paint);break;default:return DefWindowProcA(hWndParent, Msg, wParam, lParam);}}return 0;
}win32逆向的关键就是 messagebox 这个函数
弹窗
这两个都是输出kid
我们看中间那个
慢慢跟进就ok了
很简单了逻辑