pwnable.kr(4) - flag

Posted on 2018-05-24 Edited on 2025-04-30 In CTF , pwnable.kr , Toddler's Bottle Views:

## Problem
Points: 7 pt

Papa brought me a packed present! let's open it.

Download : http://pwnable.kr/bin/flag

This is reversing task. all you need is binary

Link

Thinking

程式沒有辦法直接使用objdump或者是gdb來反組譯。
透過 hexdump -C <filename> | grep -C 1 UPX 檢查是不是有加殼。

1
2
3

000000a0  00 00 00 00 00 00 00 00  00 00 20 00 00 00 00 00  |.......... .....|
000000b0  fc ac e0 a1 55 50 58 21  1c 08 0d 16 00 00 00 00  |....UPX!........|
000000c0  21 7c 0d 00 21 7c 0d 00  90 01 00 00 92 00 00 00  |!|..!|..........|

結果顯示是有經過UPX加殼，於是upx -d <filename>脫殼。
脫殼之後就可以用gdb或者是objdump反組譯。

Code

main

0x0000000000401164 <+0>:     push   rbp
0x0000000000401165 <+1>:     mov    rbp,rsp
0x0000000000401168 <+4>:     sub    rsp,0x10
0x000000000040116c <+8>:     mov    edi,0x496658
0x0000000000401171 <+13>:    call   0x402080 <puts>
0x0000000000401176 <+18>:    mov    edi,0x64
0x000000000040117b <+23>:    call   0x4099d0 <malloc>
0x0000000000401180 <+28>:    mov    QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>:    mov    rdx,QWORD PTR [rip+0x2c0ee5]        # 0x6c2070 <flag>
0x000000000040118b <+39>:    mov    rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>:    mov    rsi,rdx
0x0000000000401192 <+46>:    mov    rdi,rax
0x0000000000401195 <+49>:    call   0x400320
0x000000000040119a <+54>:    mov    eax,0x0
0x000000000040119f <+59>:    leave  
0x00000000004011a0 <+60>:    ret

Solution

程式當中+32特別強調了flag。
直接單步執行到+39行。
接著查看rdx裏面放了什麼。

1
2
3

gdb-peda$ x /s $rdx
0x496628:       "UPX...? sounds like a delivery service :)"
gdb-peda$

GET flag!

Prepare

Register

Name	16bit	32bit	64bit
Data	DX	EDX	RDX

UPX

Reference

Assembly - Registers