测试文件:https://adworld.xctf.org.cn/media/task/attachments/6df7b29f8f18437887ff4be163b567d5.exe
1.准备
获取信息
- 32位文件
2.IDA打开
/*
 * IDA pseudocode of the registration dialog's DlgProc (32-bit PE).
 *
 * Reading notes for the decompiler output:
 *  - `String`, `v11` and `Text` are each declared as 1 or 4 bytes, but the
 *    memset()/GetDlgItemTextA() calls below operate on 256 bytes starting at
 *    them, and the stack offsets confirm 0x100 bytes between String (ebp-340h),
 *    v11 (ebp-240h) and Text (ebp-140h). Treat each as a char[256].
 *  - v12..v23 sit at ebp-23Ch..ebp-231h, i.e. directly after v11[0..3], so the
 *    16 checked bytes are simply serial[0..15] of the buffer read into v11.
 *  - Src/v26/v27 and v28/v29/v30 are adjacent locals that together hold the two
 *    result strings; the quoted comments are IDA's (truncated) view of the
 *    16-byte constants, and multi-char constants such as 'erul' are stored
 *    little-endian on x86, so they read as "lure" in memory.
 *  - Curly quotes around char literals are an artifact of page extraction.
 *
 * Security-relevant observation: the serial is validated by comparing each
 * byte against constants embedded in the code (plus three trivial additive
 * relations), so the expected value is fully recoverable statically; nothing
 * keyed, hashed or signed is involved, and the short-circuit compare is not
 * constant-time either.
 *
 * hDlg: dialog handle. a2: window message. a3: WPARAM (control ID in its low
 * word for WM_COMMAND). a4: LPARAM (unused). Returns TRUE when the message was
 * handled, FALSE otherwise.
 */
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
    HMODULE v5; // eax
    HICON v6; // eax
    HMODULE v7; // eax
    HCURSOR v8; // ST20_4
    HWND v9; // eax
    CHAR String; // [esp+8h] [ebp-340h]   -- really char[256], holds the e-mail field
    CHAR v11[4]; // [esp+108h] [ebp-240h]  -- really char[256], holds the serial field
    char v12; // [esp+10Ch] [ebp-23Ch]     -- v12..v23 are serial[4..15], contiguous after v11
    char v13; // [esp+10Dh] [ebp-23Bh]
    char v14; // [esp+10Eh] [ebp-23Ah]
    char v15; // [esp+10Fh] [ebp-239h]
    char v16; // [esp+110h] [ebp-238h]
    char v17; // [esp+111h] [ebp-237h]
    char v18; // [esp+112h] [ebp-236h]
    char v19; // [esp+113h] [ebp-235h]
    char v20; // [esp+114h] [ebp-234h]
    char v21; // [esp+115h] [ebp-233h]
    char v22; // [esp+116h] [ebp-232h]
    char v23; // [esp+117h] [ebp-231h]
    CHAR Text; // [esp+208h] [ebp-140h]    -- really char[256], the MessageBox body
    char Src[16]; // [esp+308h] [ebp-40h]  -- Src + v26 + v27: success message
    __int128 v26; // [esp+318h] [ebp-30h]
    int v27; // [esp+328h] [ebp-20h]
    __int128 v28; // [esp+32Ch] [ebp-1Ch]  -- v28 + v29 + v30: failure message
    int v29; // [esp+33Ch] [ebp-Ch]
    __int16 v30; // [esp+340h] [ebp-8h]

    // 16 == WM_CLOSE: close the dialog.
    if ( a2 == 16 ) {
        EndDialog(hDlg, 0);
        return 0;
    }

    // 272 == WM_INITDIALOG: set the class icon (GCL_HICON == -14) and the
    // cursor (GCL_HCURSOR == -12) of control 1 from resource IDs 0x67 / 0x66.
    // Pure cosmetics, nothing here influences the check.
    if ( a2 == 272 ) {
        v5 = GetModuleHandleW(0);
        v6 = LoadIconW(v5, (LPCWSTR)‘g‘);
        SetClassLongA(hDlg, -14, (LONG)v6);
        v7 = GetModuleHandleW(0);
        v8 = LoadCursorW(v7, (LPCWSTR)‘f‘);
        v9 = GetDlgItem(hDlg, 1);
        SetClassLongA(v9, -12, (LONG)v8);
        return 1;
    }

    // 273 == WM_COMMAND; only the control with ID 1 (the register button,
    // presumably) is handled. Everything else is passed back to the system.
    if ( a2 != 273 || (unsigned __int16)a3 != 1 )
        return 0;

    // a3 == 1 here, so the fill byte is 0: all three buffers are zeroed.
    memset(&String, (unsigned __int16)a3 - 1, 256u);
    memset(v11, 0, 0x100u);
    memset(&Text, 0, 0x100u);

    // Read the two edit controls (IDs 1001 and 1002); 256 includes the NUL,
    // so at most 255 characters are kept.
    GetDlgItemTextA(hDlg, 1001, &String, 256);
    GetDlgItemTextA(hDlg, 1002, v11, 256);

    // E-mail sanity check, on first occurrences only: must contain '@' and
    // '.', the first '.' must not be the last character, and the character
    // right after the first '@' must not be '.'. Note that ".@" still passes.
    if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != ‘.‘ ) {
        // Materialise both result strings on the stack (string constants are
        // assembled from xmmword loads plus little-endian multi-char constants).
        v28 = xmmword_410AA0; // "Registration fai"
        v29 = ‘erul‘;         // bytes "lure" -> "Registration failure"
        *(_OWORD *)Src = xmmword_410A90; // "Registration Suc"
        v30 = ‘.‘;            // "." + NUL terminator for the failure string
        v26 = xmmword_410A80; // "cess!Your flag" (IDA's truncated view of 16 bytes)
        v27 = ‘:si‘;          // bytes "is:" + NUL

        // Serial check. Each byte is compared with a literal or pinned by a
        // sum with an already-known byte, so the whole value follows directly:
        //   v22 = 155 - 'Z' = 65  = 'A'
        //   v21 = 155 - '9' = 98  = 'b'
        //   v18 = 170 - 'q' = 57  = '9'
        // In stack order (v11[0..3], v12..v23): "CZ9d" "mq4c8g9G7bAX".
        if ( strlen(v11) != 16 // serial must be exactly 16 characters
          || v11[0] != ‘C‘ || v23 != ‘X‘ || v11[1] != ‘Z‘ || v11[1] + v22 != 155 // v22 = 65 = 'A'
          || v11[2] != ‘9‘ || v11[2] + v21 != 155 // v21 = 98 = 'b'
          || v11[3] != ‘d‘ // v11[0..3] = "CZ9d"
          || v20 != ‘7‘ || v12 != ‘m‘ || v19 != ‘G‘ || v13 != ‘q‘
          || v13 + v18 != 170 // v18 = 57 = '9'
          || v14 != ‘4‘ || v17 != ‘g‘ || v15 != ‘c‘ || v16 != ‘8‘ ) {
            // Failure message lives in v28/v29/v30.
            strcpy_s(&Text, 0x100u, (const char *)&v28);
        } else {
            // Success message (Src/v26/v27) followed by the entered serial,
            // which at this point equals the expected value.
            strcpy_s(&Text, 0x100u, Src);
            strcat_s(&Text, 0x100u, v11);
        }
    } else {
        strcpy_s(&Text, 0x100u, "Your E-mail address in not valid.");
    }

    // 0x40 == MB_ICONINFORMATION. The title typo is in the binary itself.
    MessageBoxA(hDlg, &Text, "Registeration", 0x40u);
    return 1;
}
3.代码分析
只要把代码认真看一遍,并不难。邮箱的校验逻辑就是下面这一行(对应原 IDA 列表中的第 53 行):
if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != ‘.‘ )
要求邮箱同时含有 '@' 和 '.',第一个 '.' 后面至少还要有一个字符(不能是末尾),并且第一个 '@' 的下一个字符不能是 '.'(即不允许 "@." 紧挨在一起)。注意 strstr 只看第一次出现的位置,像 ".@" 这样的组合仍然能通过。
序列号就是 v11[0..3] 后面紧跟 v12、v13 … v23 这 16 个字节:从栈偏移可以看出 v11 位于 ebp-240h,v12 到 v23 依次位于 ebp-23Ch 到 ebp-231h,与 v11 连续,所以 GetDlgItemTextA 读入 v11 的 256 字节序列号实际上覆盖了这些变量。几个加法约束按 ASCII 解开即可:v22 = 155 - 'Z' = 'A',v21 = 155 - '9' = 'b',v18 = 170 - 'q' = '9'。其余字节都是直接和常量比较,按栈地址顺序拼起来就是 flag(具体数值见上面代码中的注释)。
4.get flag!
CZ9dmq4c8g9G7bAX