2020 KCTF, Challenge 1 (Warm-up): Writeup

1. First look

It is an MFC program, so go straight to xspy to locate the verification function.
The details are as follows:

温馨提示:鼠标双击选中地址后,鼠标右键立刻复制
target window pid: 0x0000365c, thread tid: 0x00002368
hook thread tid: 0x00002368
----------获取ATL/WTL相关信息-------------
got DWLP_DLGPROC = 0xFFFF0A3F
got GWLP_WNDPROC = 0xFFFF09A5
----------获取MFC相关信息-------------
mfc version:42, static linked?: false, debug?: false
CWnd::FromHandlePermanent = 0x509480A0
CWnd = 0x0019FE30
HWND: 0x00020A16
class:0019FE30(CDialog,size=0x60)
CDialog:CWnd:CCmdTarget:CObject

[vtbl+0x00]GetRuntimeClass         = 0x00401FE2 -> 0x50934E70(MFC42.DLL+ 0x024e70 )
[vtbl+0x01]dtor                    = 0x00401440(spring2020.exe+ 0x001440 )
[vtbl+0x02]Serialize               = 0x00401D70(spring2020.exe+ 0x001d70 )
[vtbl+0x03]AssertValid             = 0x00401270(spring2020.exe+ 0x001270 )
[vtbl+0x04]Dump                    = 0x00401D70(spring2020.exe+ 0x001d70 )
[vtbl+0x05]OnCmdMsg                = 0x00401FDC -> 0x50966F70(MFC42.DLL+ 0x056f70 )
[vtbl+0x06]OnFinalRelease          = 0x00401FD6 -> 0x50948B80(MFC42.DLL+ 0x038b80 )
[vtbl+0x07]IsInvokeAllowed         = 0x00401EE6 -> 0x5093D0A0(MFC42.DLL+ 0x02d0a0 )
[vtbl+0x08]GetDispatchIID          = 0x00401EE0 -> 0x5093D0B0(MFC42.DLL+ 0x02d0b0 )
[vtbl+0x09]GetTypeInfoCount        = 0x00401EDA -> 0x5093A1E0(MFC42.DLL+ 0x02a1e0 )
[vtbl+0x0A]GetTypeLibCache         = 0x00401ED4 -> 0x5093A1E0(MFC42.DLL+ 0x02a1e0 )
[vtbl+0x0B]GetTypeLib              = 0x00401ECE -> 0x50972CF0(MFC42.DLL+ 0x062cf0 )
[vtbl+0x0C]GetMessageMap           = 0x004014C0(spring2020.exe+ 0x0014c0 )
[vtbl+0x0D]GetCommandMap           = 0x00401EC8 -> 0x50972E20(MFC42.DLL+ 0x062e20 )
[vtbl+0x0E]GetDispatchMap          = 0x00401EC2 -> 0x50972D90(MFC42.DLL+ 0x062d90 )
[vtbl+0x0F]GetConnectionMap        = 0x00401EBC -> 0x50972E10(MFC42.DLL+ 0x062e10 )
[vtbl+0x10]GetInterfaceMap         = 0x00401EB6 -> 0x50972DB0(MFC42.DLL+ 0x062db0 )
[vtbl+0x11]GetEventSinkMap         = 0x00401EB0 -> 0x50972DA0(MFC42.DLL+ 0x062da0 )
[vtbl+0x12]OnCreateAggregates      = 0x00401EAA -> 0x509472B0(MFC42.DLL+ 0x0372b0 )
[vtbl+0x13]GetInterfaceHook        = 0x00401EA4 -> 0x5093D0B0(MFC42.DLL+ 0x02d0b0 )
[vtbl+0x14]GetExtraConnectionPoints= 0x00401E9E -> 0x5093D0B0(MFC42.DLL+ 0x02d0b0 )
[vtbl+0x15]GetConnectionHook       = 0x00401E98 -> 0x5093D0B0(MFC42.DLL+ 0x02d0b0 )
[vtbl+0x16]PreSubclassWindow       = 0x00401FD0 -> 0x5093AA70(MFC42.DLL+ 0x02aa70 )
[vtbl+0x17]Create                  = 0x00401FCA -> 0x50948870(MFC42.DLL+ 0x038870 )
[vtbl+0x18]DestroyWindow           = 0x00401FC4 -> 0x50948BC0(MFC42.DLL+ 0x038bc0 )
[vtbl+0x19]PreCreateWindow         = 0x00401FBE -> 0x50948840(MFC42.DLL+ 0x038840 )
[vtbl+0x1A]CalcWindowRect          = 0x00401FB8 -> 0x5094AEB0(MFC42.DLL+ 0x03aeb0 )
[vtbl+0x1B]OnToolHitTest           = 0x00401FB2 -> 0x50948D50(MFC42.DLL+ 0x038d50 )
[vtbl+0x1C]GetScrollBarCtrl        = 0x00401FAC -> 0x5093D0B0(MFC42.DLL+ 0x02d0b0 )
[vtbl+0x1D]WinHelpA                = 0x00401FA6 -> 0x50949450(MFC42.DLL+ 0x039450 )
[vtbl+0x1E]ContinueModal           = 0x00401FA0 -> 0x5094C230(MFC42.DLL+ 0x03c230 )
[vtbl+0x1F]EndModalLoop            = 0x00401F9A -> 0x5094C240(MFC42.DLL+ 0x03c240 )
[vtbl+0x20]OnCommand               = 0x00401F94 -> 0x5094A280(MFC42.DLL+ 0x03a280 )
[vtbl+0x21]OnNotify                = 0x00401F8E -> 0x5094A340(MFC42.DLL+ 0x03a340 )
[vtbl+0x22]GetSuperWndProcAddr     = 0x00401F88 -> 0x50948CA0(MFC42.DLL+ 0x038ca0 )
[vtbl+0x23]DoDataExchange          = 0x00401480(spring2020.exe+ 0x001480 )
[vtbl+0x24]BeginModalState         = 0x00401D90(spring2020.exe+ 0x001d90 )
[vtbl+0x25]EndModalState           = 0x00401DC0(spring2020.exe+ 0x001dc0 )
[vtbl+0x26]PreTranslateMessage     = 0x00401F82 -> 0x50966EC0(MFC42.DLL+ 0x056ec0 )
[vtbl+0x27]OnAmbientProperty       = 0x00401F7C -> 0x50971CB0(MFC42.DLL+ 0x061cb0 )
[vtbl+0x28]WindowProc              = 0x00401F76 -> 0x50949600(MFC42.DLL+ 0x039600 )
[vtbl+0x29]OnWndMsg                = 0x00401F70 -> 0x50949770(MFC42.DLL+ 0x039770 )
[vtbl+0x2A]DefWindowProcA          = 0x00401F6A -> 0x50948C30(MFC42.DLL+ 0x038c30 )
[vtbl+0x2B]PostNcDestroy           = 0x00401F64 -> 0x5093AA70(MFC42.DLL+ 0x02aa70 )
[vtbl+0x2C]OnChildNotify           = 0x00401F5E -> 0x5094B250(MFC42.DLL+ 0x03b250 )
[vtbl+0x2D]CheckAutoCenter         = 0x00401F58 -> 0x50967B80(MFC42.DLL+ 0x057b80 )
[vtbl+0x2E]IsFrameWnd              = 0x00401F52 -> 0x5093A1E0(MFC42.DLL+ 0x02a1e0 )
[vtbl+0x2F]SetOccDialogInfo        = 0x00401F4C -> 0x50967560(MFC42.DLL+ 0x057560 )
[vtbl+0x30]DoModal                 = 0x00401F0A -> 0x50967720(MFC42.DLL+ 0x057720 )
[vtbl+0x31]OnInitDialog            = 0x004014E0(spring2020.exe+ 0x0014e0 )
[vtbl+0x32]OnSetFont               = 0x00401F40 -> 0x5093AA60(MFC42.DLL+ 0x02aa60 )
[vtbl+0x33]OnOK                    = 0x00401990(spring2020.exe+ 0x001990 )
[vtbl+0x34]OnCancel                = 0x00401F34 -> 0x50967B70(MFC42.DLL+ 0x057b70 )
[vtbl+0x35]PreInitDialog           = 0x00401F2E -> 0x5093AA70(MFC42.DLL+ 0x02aa70 )

message map=0x00403320(spring2020.exe+ 0x003320 )
msg map entries at 0x00403328(spring2020.exe+ 0x003328 )
OnMsg:WM_SYSCOMMAND(0112),func= 0x004015B0(spring2020.exe+ 0x0015b0 )
OnMsg:WM_PAINT(000f),func= 0x00401630(spring2020.exe+ 0x001630 )
OnMsg:WM_QUERYDRAGICON(0037),func= 0x00401730(spring2020.exe+ 0x001730 )
OnMsg:WM_LBUTTONUP(0202),func= 0x00401A60(spring2020.exe+ 0x001a60 )
OnMsg:WM_CANCELMODE(001f),func= 0x00401A90(spring2020.exe+ 0x001a90 )

The key entry is [vtbl+0x33]OnOK = 0x00401990(spring2020.exe+ 0x001990 ): the OK handler is the only button handler implemented in the exe itself rather than in MFC42.DLL, so load it in IDA.
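As an added example (not part of the original writeup), a small Python helper that parses xspy's vtable dump in the format shown above and lists the slots whose code resolves into the executable instead of MFC42.DLL, which is exactly how OnOK stands out. The sample lines are copied from the dump above; the regex and the function names are my own.

```python
import re

# Constructed sample: six lines taken from the xspy vtable dump above.
SAMPLE_DUMP = """\
[vtbl+0x00]GetRuntimeClass         = 0x00401FE2 -> 0x50934E70(MFC42.DLL+ 0x024e70 )
[vtbl+0x01]dtor                    = 0x00401440(spring2020.exe+ 0x001440 )
[vtbl+0x0C]GetMessageMap           = 0x004014C0(spring2020.exe+ 0x0014c0 )
[vtbl+0x31]OnInitDialog            = 0x004014E0(spring2020.exe+ 0x0014e0 )
[vtbl+0x33]OnOK                    = 0x00401990(spring2020.exe+ 0x001990 )
[vtbl+0x34]OnCancel                = 0x00401F34 -> 0x50967B70(MFC42.DLL+ 0x057b70 )
"""

# One xspy vtable line. "addr -> target" means the slot holds an import thunk in
# the exe that jumps into the DLL; a bare "addr" means the exe's own code.
VTBL_LINE = re.compile(
    r"\[vtbl\+0x(?P<slot>[0-9A-Fa-f]+)\](?P<name>\w+)\s*=\s*0x(?P<addr>[0-9A-Fa-f]+)"
    r"(?:\s*->\s*0x(?P<target>[0-9A-Fa-f]+))?"
    r"\((?P<module>[^+]+)\+\s*0x(?P<offset>[0-9A-Fa-f]+)\s*\)"
)

def parse_vtbl(dump):
    """Return one dict per vtable line: slot, name, addr, target, module, offset."""
    entries = []
    for line in dump.splitlines():
        m = VTBL_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({"slot": int(d["slot"], 16), "name": d["name"],
                        "addr": int(d["addr"], 16),
                        "target": int(d["target"], 16) if d["target"] else None,
                        "module": d["module"].strip(), "offset": int(d["offset"], 16)})
    return entries

def overridden(entries, exe):
    """Slots whose final code lives in the exe, i.e. virtuals the program overrides."""
    return [e for e in entries if e["module"].lower() == exe.lower()]

def module_bases(entries):
    """Derive each module's load base as (resolved address - module offset)."""
    bases = {}
    for e in entries:
        resolved = e["target"] if e["target"] is not None else e["addr"]
        bases.setdefault(e["module"], resolved - e["offset"])
    return bases

if __name__ == "__main__":
    ents = parse_vtbl(SAMPLE_DUMP)
    for e in overridden(ents, "spring2020.exe"):
        print(f"slot 0x{e['slot']:02X} {e['name']:<14} exe+0x{e['offset']:06x}")
    print(module_bases(ents))
```

Running it on the full dump above flags exactly the handful of exe-resident slots (dtor, Serialize, AssertValid, Dump, GetMessageMap, DoDataExchange, BeginModalState, EndModalState, OnInitDialog, OnOK), so the verification logic can only be in OnInitDialog or OnOK.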

2. Keygen

From the logic it is clear that a serial of either 160 or 161 is accepted.

posted @ 2022-08-10 01:14 by i1tao