pwnable.kr(4) - flag

## Problem
Points: 7 pt

Papa brought me a packed present! Let's open it.

Download : http://pwnable.kr/bin/flag

This is a reversing task. All you need is the binary.

## Thinking

The program cannot be disassembled directly with objdump or gdb, which suggests it is packed.
Check for a packer signature with `hexdump -C <filename> | grep -C 1 UPX`:

```
000000a0  00 00 00 00 00 00 00 00  00 00 20 00 00 00 00 00  |.......... .....|
000000b0  fc ac e0 a1 55 50 58 21  1c 08 0d 16 00 00 00 00  |....UPX!........|
000000c0  21 7c 0d 00 21 7c 0d 00  90 01 00 00 92 00 00 00  |!|..!|..........|
```

The `UPX!` marker shows the binary was packed with UPX, so unpack it with `upx -d <filename>`.
After unpacking, the binary can be disassembled normally with gdb or objdump. Note that this check only finds the stock UPX marker; a packer whose stub has been modified to strip the string would not show up this way.
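To make the packing check repeatable, here is an added example (not part of the original writeup): a small Python parser that does what `hexdump -C <filename> | grep -C 1 UPX` does by hand, confirms the file is an ELF, and decodes the UPX header around the marker. The sample bytes are constructed from the hexdump above plus a minimal ELF64 header; they are not the real challenge binary. The header layout (a 12-byte `l_info` holding the `UPX!` magic, followed by a 12-byte `p_info` with the unpacked file size) and the meaning of format id 22 are taken from my reading of UPX's stub headers and are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

UPX_MAGIC = b"UPX!"
ELF_MAGIC = b"\x7fELF"


@dataclass
class UpxInfo:
    offset: int          # file offset of l_info (4 bytes before "UPX!")
    checksum: int        # l_checksum
    lsize: int           # l_lsize: byte size of the decompression stub
    version: int         # l_version: stub header version
    fmt: int             # l_format: target-format id (assumed: 22 = Linux ELF64 amd64)
    unpacked_size: int   # p_info.p_filesize: size of the original, unpacked file


def parse_elf_header(data: bytes) -> Optional[dict]:
    """Return the ELF identity fields needed here, or None if not an ELF file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]           # 2 = ELF64, 1 = little endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"class": 64 if ei_class == 2 else 32,
            "little_endian": ei_data == 1,
            "e_type": e_type,
            "e_machine": e_machine}                 # 0x3e = x86-64


def find_upx_info(data: bytes) -> List[UpxInfo]:
    """Locate every 'UPX!' marker and decode the l_info/p_info around it.

    Assumed layout (UPX stub headers, little-endian target):
      l_info: u32 checksum, char[4] "UPX!", u16 lsize, u8 version, u8 format
      p_info: u32 progid, u32 filesize, u32 blocksize
    Markers too close to either end of the file to hold the full 24-byte
    structure are skipped.
    """
    hits: List[UpxInfo] = []
    pos = data.find(UPX_MAGIC)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + 24 <= len(data):
            (checksum, _magic, lsize, version, fmt,
             _progid, filesize, _blocksize) = struct.unpack_from("<I4sHBBIII", data, start)
            hits.append(UpxInfo(start, checksum, lsize, version, fmt, filesize))
        pos = data.find(UPX_MAGIC, pos + 1)
    return hits


def is_upx_packed(data: bytes) -> bool:
    """True for an ELF that carries at least one decodable UPX l_info header."""
    return parse_elf_header(data) is not None and len(find_upx_info(data)) > 0


# CONSTRUCTED sample, not the real challenge binary: a minimal ELF64/x86-64
# header, zero padding up to 0xa0, then the 48 bytes shown in the page's hexdump.
_ELF64_HDR = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HH", 2, 0x3E))        # e_type=ET_EXEC, e_machine=x86-64
_UPX_REGION = bytes.fromhex(
    "00000000000000000000200000000000"             # 0xa0
    "fcace0a1555058211c080d1600000000"             # 0xb0: l_info, start of p_info
    "217c0d00217c0d009001000092000000")            # 0xc0: p_filesize, p_blocksize, b_info
SAMPLE_PACKED = _ELF64_HDR.ljust(0xA0, b"\x00") + _UPX_REGION
SAMPLE_PLAIN = _ELF64_HDR.ljust(len(SAMPLE_PACKED), b"\x00")   # same ELF, no marker


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PACKED
    print("ELF header:", parse_elf_header(blob))
    for info in find_upx_info(blob):
        print(f"UPX l_info at 0x{info.offset:x}: version={info.version} "
              f"format={info.fmt} lsize={info.lsize} unpacked_size={info.unpacked_size}")
    print("UPX packed:", is_upx_packed(blob))
```

Run it with a path to scan a real file; without arguments it scans the constructed sample and reports the marker at 0xb0 with the unpacked size 0xd7c21 that the hexdump encodes. A hit only means the stock UPX marker is present; a modified stub can strip it, so a clean scan does not prove a binary is unpacked.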

## Code

`main` (gdb disassembly of the unpacked binary, Intel syntax):

```
0x0000000000401164 <+0>:     push   rbp
0x0000000000401165 <+1>:     mov    rbp,rsp
0x0000000000401168 <+4>:     sub    rsp,0x10
0x000000000040116c <+8>:     mov    edi,0x496658
0x0000000000401171 <+13>:    call   0x402080 <puts>
0x0000000000401176 <+18>:    mov    edi,0x64
0x000000000040117b <+23>:    call   0x4099d0 <malloc>
0x0000000000401180 <+28>:    mov    QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>:    mov    rdx,QWORD PTR [rip+0x2c0ee5]        # 0x6c2070 <flag>
0x000000000040118b <+39>:    mov    rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>:    mov    rsi,rdx
0x0000000000401192 <+46>:    mov    rdi,rax
0x0000000000401195 <+49>:    call   0x400320
0x000000000040119a <+54>:    mov    eax,0x0
0x000000000040119f <+59>:    leave
0x00000000004011a0 <+60>:    ret
```

## Solution

The instruction at +32 stands out: it loads the global pointer `flag` into rdx, and the copy at +49 then takes that pointer as its source (rsi).
Single-step until execution reaches +39, so that +32 has already run.
Then look at what rdx points to:

```
gdb-peda$ x /s $rdx
0x496628: "UPX...? sounds like a delivery service :)"
gdb-peda$
```

Got the flag!

## Prepare

### Register

| Name | 16-bit | 32-bit | 64-bit |
|------|--------|--------|--------|
| Data | DX     | EDX    | RDX    |

rdx is the 64-bit data register; edx and dx are its lower 32 and 16 bits. In the System V x86-64 calling convention it also carries the third integer argument, which is why the pointer loaded at +32 is moved into rsi before the call.

### UPX

UPX (the Ultimate Packer for eXecutables) compresses an executable and prepends a small decompression stub that restores the original code at run time; `upx -d` reverses the process and writes back the original binary.

## Reference

- Assembly - Registers