## Problem
Points: 7 pt
1
2
3
4
5
| Papa brought me a packed present! let's open it.
Download : http://pwnable.kr/bin/flag
This is reversing task. all you need is binary
|
Thinking
程式沒有辦法直接使用objdump或者是gdb來反組譯。
透過 hexdump -C <filename> | grep -C 1 UPX
檢查是不是有加殼。
1
2
3
| 000000a0 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 |.......... .....|
000000b0 fc ac e0 a1 55 50 58 21 1c 08 0d 16 00 00 00 00 |....UPX!........|
000000c0 21 7c 0d 00 21 7c 0d 00 90 01 00 00 92 00 00 00 |!|..!|..........|
|
結果顯示是有經過
UPX加殼,於是
upx -d <filename>脫殼。
脫殼之後就可以用
gdb或者是
objdump反組譯。
Code
main1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| 0x0000000000401164 <+0>: push rbp
0x0000000000401165 <+1>: mov rbp,rsp
0x0000000000401168 <+4>: sub rsp,0x10
0x000000000040116c <+8>: mov edi,0x496658
0x0000000000401171 <+13>: call 0x402080 <puts>
0x0000000000401176 <+18>: mov edi,0x64
0x000000000040117b <+23>: call 0x4099d0 <malloc>
0x0000000000401180 <+28>: mov QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>: mov rdx,QWORD PTR [rip+0x2c0ee5] # 0x6c2070 <flag>
0x000000000040118b <+39>: mov rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>: mov rsi,rdx
0x0000000000401192 <+46>: mov rdi,rax
0x0000000000401195 <+49>: call 0x400320
0x000000000040119a <+54>: mov eax,0x0
0x000000000040119f <+59>: leave
0x00000000004011a0 <+60>: ret
|
Solution
程式當中+32特別強調了flag。
直接單步執行到+39行。
接著查看rdx裏面放了什麼。
1
2
3
| gdb-peda$ x /s $rdx
0x496628: "UPX...? sounds like a delivery service :)"
gdb-peda$
|
GET flag!
Prepare
Register
| Name |
16bit |
32bit |
64bit |
| Data |
DX |
EDX |
RDX |
UPX
Reference
Assembly
- Registers