题目链接
https://github.com/tower111/software
junkcode
查看check函数
pwndbg> disassemble check
Dump of assembler code for function check:
0x080484fb <+0>: push ebp
0x080484fc <+1>: mov ebp,esp
0x080484fe <+3>: sub esp,0x18
0x08048501 <+6>: mov eax,ds:0x804a02c
0x08048506 <+11>: sub esp,0xc
0x08048509 <+14>: push eax
0x0804850a <+15>: call 0x80483d0 <strlen@plt>
0x0804850f <+20>: add esp,0x10
0x08048512 <+23>: mov DWORD PTR [ebp-0xc],eax
0x08048515 <+26>: sub esp,0xc
0x08048518 <+29>: push DWORD PTR [ebp+0x8]
0x0804851b <+32>: call 0x80483d0 <strlen@plt>
0x08048520 <+37>: add esp,0x10
0x08048523 <+40>: mov edx,eax
0x08048525 <+42>: mov eax,DWORD PTR [ebp-0xc]
0x08048528 <+45>: cmp edx,eax #这里校验长度
0x0804852a <+47>: jae 0x8048533 <check+56>
0x0804852c <+49>: mov eax,0x0
0x08048531 <+54>: jmp 0x8048581 <check+134>
0x08048533 <+56>: mov DWORD PTR [ebp-0x10],0x0
0x0804853a <+63>: jmp 0x8048574 <check+121>
0x0804853c <+65>: mov edx,DWORD PTR [ebp-0x10]
0x0804853f <+68>: mov eax,DWORD PTR [ebp+0x8]
0x08048542 <+71>: add eax,edx
=> 0x08048544 <+73>: sub eax,0x158b08b6
0x08048549 <+78>: sub al,0xa0
0x0804854b <+80>: add al,0x8
0x0804854d <+82>: mov eax,DWORD PTR [ebp-0x10]
0x08048550 <+85>: add eax,edx
0x08048552 <+87>: movzx eax,BYTE PTR [eax]
0x08048555 <+90>: xor ecx,eax
0x08048557 <+92>: mov edx,DWORD PTR ds:0x804a030
0x0804855d <+98>: mov eax,DWORD PTR [ebp-0x10]
0x08048560 <+101>: add eax,edx
0x08048562 <+103>: movzx eax,BYTE PTR [eax]
0x08048565 <+106>: cmp cl,al #这里进行字符校验
0x08048567 <+108>: je 0x8048570 <check+117>
0x08048569 <+110>: mov eax,0x0
0x0804856e <+115>: jmp 0x8048581 <check+134>
0x08048570 <+117>: add DWORD PTR [ebp-0x10],0x1
0x08048574 <+121>: mov eax,DWORD PTR [ebp-0x10]
0x08048577 <+124>: cmp eax,DWORD PTR [ebp-0xc]
0x0804857a <+127>: jl 0x804853c <check+65>
0x0804857c <+129>: mov eax,0x1
0x08048581 <+134>: leave
0x08048582 <+135>: ret
断在长度比较处确定字符长度
EAX 0x17
EBX 0x0
ECX 0x320c
EDX 0x80x17长度为23
接下来查看al和cl的值
先找al
0x08048557 <+92>: mov edx,DWORD PTR ds:0x804a030
0x0804855d <+98>: mov eax,DWORD PTR [ebp-0x10]
=> 0x08048560 <+101>: and edx,eax
0x08048562 <+103>: movzx eax,BYTE PTR [eax]
0x08048565 <+106>: cmp cl,al
EAX 0x0
EBX 0x0
ECX 0xbe
EDX 0x80486e8 ◂— xchg eax, esi /* 0xd8ca8b96 */
EDI 0x0
ESI 0xf7fa7000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
EBP 0xffffce18 —▸ 0xffffce78 ◂— 0x0
ESP 0xffffce00 —▸ 0xffffce78 ◂— 0x0
EIP 0x8048560 (check+101) ◂— and edx, eax /* 0xb60fd023 */
──────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────
► 0x8048560 <check+101> and edx, eaxeax是计数器,edx是基地址
pwndbg> x /50xb $edx
0x80486e8: 0x96 0x8b 0xca 0xd8 0x72 0xf9 0xe8 0xc0
0x80486f0: 0xf7 0x0d 0x46 0x40 0x29 0x42 0xa2 0x9f
0x80486f8: 0x3e 0x2c 0x34 0x71 0xb2 0x9e 0xda 0x00
0x8048700: 0x67 0x65 0x74 0x20 0x6d 0x65 0x20 0x66
0x8048708: 0x6c 0x61 0x67 0x3a 0x00 0x47 0x4f 0x4f
0x8048710: 0x44 0x00 0x42 0x41 0x44 0x00 0x00 0x00
0x8048718: 0x01 0x1b前32位就是al
cl跟al的操作方法类似
0x08048547 <+76>: mov edx,DWORD PTR ds:0x804a02c
0x0804854d <+82>: mov eax,DWORD PTR [ebp-0x10]
0x08048550 <+85>: add eax,edx
0x08048552 <+87>: movzx eax,BYTE PTR [eax]
0x08048555 <+90>: xor ecx,eax可以猜测,这里的ecx是输入的值
pwndbg> x /xw 0x804a02c
0x804a02c <ptr1>: 0x080486d0
pwndbg> x /50xb 0x080486d0
0x80486d0: 0xdf 0xd8 0x8d 0xa3 0x18 0xac 0x86 0x8b
0x80486d8: 0xa8 0x6e 0x76 0x24 0x4c 0x1d 0xcc 0xaf
0x80486e0: 0x4a 0x73 0x5e 0x24 0xdc 0xd5 0xa7 0x00
0x80486e8: 0x96 0x8b 0xca 0xd8 0x72 0xf9 0xe8 0xc0
0x80486f0: 0xf7 0x0d 0x46 0x40 0x29 0x42 0xa2 0x9f
0x80486f8: 0x3e 0x2c 0x34 0x71 0xb2 0x9e 0xda 0x00
0x8048700: 0x67 0x65最终的结果应该是这两个地方的值异或了。
a1=[0x96,0x8b ,0xca, 0xd8, 0x72, 0xf9, 0xe8, 0xc0,0xf7, 0x0d, 0x46, 0x40, 0x29, 0x42, 0xa2, 0x9f,0x3e, 0x2c, 0x34, 0x71, 0xb2, 0x9e, 0xda]
a2=[0xdf, 0xd8, 0x8d, 0xa3, 0x18, 0xac, 0x86, 0x8b,0xa8, 0x6e, 0x76, 0x24, 0x4c, 0x1d, 0xcc, 0xaf,0x4a, 0x73, 0x5e, 0x24, 0xdc, 0xd5, 0xa7]
flag=""
for i in range(len(a1)):
flag+=chr(a1[i]^a2[i])
print flagbabynote
https://tower111.github.io/2018/08/30/ISG-babynote/