Zhang 渣渣_'s learning record (1): defusing the binary bomb
Defusing the binary bomb
This is the major assignment for our school's Fundamentals of Computer Systems course. I have written up the whole process of my experiment below; corrections are welcome.
(There are still many gaps in my understanding, so a later post will fill in what this one misses.)
Without further ado, let's begin!
[Requirements for the Major Assignment]
This assignment is an experiment with 7 phases in total. Download the compressed file, unpack it on the Debian system, disassemble the executable bomb, analyze the assembly code to gather clues, and work out the input that defuses each phase.
[Results]
1. Phases cleared
2. Result of the defusal run
Figure 1 Result of the defusal run
[Code Analysis]
Analysis notes for the code of each phase that was successfully defused.
Phase 0
phase_0
Figure 2 phase_0 assembly and analysis
Use objdump to produce the assembly listing of the bomb program. The figure locates the string comparison in <phase_0>. Before <string_not_equal> is called, the two strings to be compared are pushed onto the stack: push $0x804a1d7 pushes the address of the built-in string, and pushl 0x8(%ebp) pushes the address of the string the user entered (the first argument of phase_0).
Figure 3 phase_0 gdb debugging
In gdb, set the breakpoint with b 72. Then, using the address 0x804a1d7 of the built-in string found in the assembly, display it with the examine command (x/s 0x804a1d7): the string is "Simplicity favors regularity.".
Figure 4 phase_0
Entering this string and stepping through (or continuing) the rest of the code shows that the phase is passed.
Phase 0 (phase_0) has been defused!
Phase 1
phase_1
Figure 5 phase_1 assembly and analysis
Figure 6 phase_1 assembly and analysis (continued)
First use gdb to find out what kind of input phase 1 expects:
Figure 7 phase_1: checking the input format in gdb
According to gdb, phase 1 requires two integers. Because the values come out of a floating-point computation that is awkward to do by hand, I solved this phase by reading the register contents instead.
The commands used are: si, finish, disas and info registers.
The two addresses to watch are 0x080494f1 and 0x08049504.
The whole process is as follows:
Step 1: set the breakpoint, run, and enter the phase 0 answer followed by a phase 1 input in the format found with gdb. The phases are independent, so the phase 0 answer is simply re-entered to save time.
Step 2: single-step with si; when the call instruction at 80494ca comes up, use finish.
Step 3: after finish returns, page through the listing so the whole function is shown; the small arrow on the left marks the current instruction. Read the whole function and note the addresses of the two comparisons.
Step 4: single-step with si to the first comparison and run info registers for the first time.
Step 5: after reading the first number, exit and repeat the process to read the second. (Keep reading: there are important notes after the next two figures.)
Step 6: with both numbers in hand, verify.
Figure 8 Reading the register contents to get the phase 1 code (first run)
Figure 9 Reading the register contents to get the phase 1 code (second run)
A very important note (a bit roundabout, but it shows what makes this bomb lab challenging):
Be patient!
After learning the input format with gdb (taking my own bomb as the example), the first time I inspect the registers I enter two arbitrary integers, so that info registers shows the value I should have entered. Once the first number is known, end that session and start a second one to read the second number. Setting the breakpoint and the other steps are the same; the difference is that this time the first number entered must be the correct one just found, while the second can still be an arbitrary integer. Then single-step with si to the second comparison and run info registers again.
(The reason: the following jumps depend on whether the first number is correct. If it is wrong, execution jumps to the explosion. When I first inspected the registers I had entered two arbitrary integers; once I knew the correct first number, continuing with the wrong one would have exploded the bomb.)
Verifying the phase 1 answer shows that the phase is passed.
Figure 10 phase_1 passed
Phase 1 (phase_1) has been defused!
Phase 2
Figure 11 phase_2 assembly and analysis
Figure 12 phase_2 assembly and analysis (continued)
Attention!
First work out how many numbers are read, then find the loop condition, and only then compute the sequence.
The details are as follows:
From the assembly, the loop condition and loop body give the recurrence
number[i] = number[i-1]/2 + 1
(integer division, each element derived from the one before it), with initial value 0xb2 = 178, i.e. number[0] = 178.
number[1] = 178/2 + 1 = 90;
number[2] = 90/2 + 1 = 46;
number[3] = 46/2 + 1 = 24;
number[4] = 24/2 + 1 = 13;
number[5] = 13/2 + 1 = 7.
Verifying the phase 2 answer shows that the phase is passed.
Figure 13 phase_2 passed
Phase 2 (phase_2) has been defused!
Phase 3
Figures 14, 15, 16 phase_3 assembly and analysis
Without the source program, the only way to get at the code is to disassemble the executable. Read the assembly in bomb.s and infer what the original function does.
Figure 17 Using gdb to confirm that the input is two integers
The input format may also be "%d %c %d" (my friend's bomb was); it makes no difference, since once the initial conditions and the jump are found this phase is not hard to crack.
Combined with the assembly: the first number minus 52 must be less than 9, which bounds the first number to the jump-table range, and the first number selects the branch the program takes, which in turn determines the value required for the second number.
Suppose the first number is 55; then compute the jump-table base address and look it up in gdb.
Figure 18 Viewing the jump-table base address in gdb
Follow the jump found at 0x08049607 in bomb.s to get the corresponding second number, 176. Verification succeeds.
(Be careful to follow the right jump.)
Figure 19 phase_3 passed
Phase 3 (phase_3) has been defused!
Phase 4
Figures 20, 21, 22, 23 phase_4 and func4 assembly and analysis
Debugging in gdb confirms that the estimated numbers are correct.
Figures 24, 25 Verifying the correctness of the computed numbers
Honestly, my method here was closer to brute force: the process is much like phase 1 above, reading the needed values from the register contents. (I will fill in the gaps here later; if you have another method, message me and let's discuss it.)
Verifying the phase 4 answer:
Figure 26 Cracking phase 4
Phase 4 (phase_4) has been defused!
Phase 5
Figures 27, 28 phase_5 assembly and analysis
This phase uses a loop, which can be confusing at first, so I first used gdb to look at what is stored at the addresses referenced in the code; hence the following figures:
Figure 29 Contents stored at the first referenced address
Figure 30 Contents stored at the second referenced address
At first glance it looks like nonsense, but on closer inspection every character at the second address also appears at the first. What does that mean?
It made me think of loops, pointers and indexes!
The loop must be picking out a few characters from the larger set of characters,
which leads to the next figure:
Figure 31 The address used to find the index
From Figure 31, the code for this phase is ichf`knl.
Verification succeeds:
Figure 32 phase_5 passed
As I understand it, the program gives a target number; you have to find eight or nine numbers, each smaller than another given bound, whose sum equals that target, then find their indices (as in my handwritten notes in the figure) and translate the indices into characters with an ASCII table.
Phase 5 (phase_5) has been defused!
Phase 6
Figures 33, 34, 35, 36, 37 phase_6 assembly and analysis
Analyzing the code of this phase shows that the final check is that the numbers, once rearranged, are in ascending order:
Figure 38 Set breakpoints and inspect
After verifying the numbers found, the final answer is 5 2 4 7 1 3 6
Figure 39 phase_6 passed
(There is a bit of brute force here too; anyone interested is welcome to discuss it with me!)
Phase 6 (phase_6) has been defused!
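To make the phase 6 check concrete, here is an added example (my reconstruction, not the bomb's own code): a linked list of seven nodes, a check that relinks the list in the order the user typed and then requires ascending values, and a solver that sorts the nodes by value to produce the permutation. The node values are constructed so that the solver yields the post's answer 5 2 4 7 1 3 6; the real bomb's values can only be read from the binary with gdb, and the function names phase6_check and phase6_solve are my own.

```c
/* Added example, not the bomb's own code: a reconstruction of the kind of
 * check the post describes for phase_6. The user types a permutation of node
 * numbers, the bomb relinks a fixed linked list in that order, and the
 * resulting list must be in ascending value order. The node values are
 * constructed so the solution is the post's 5 2 4 7 1 3 6. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NODES 7

struct node {
    int value;
    int index;            /* 1-based node number, as typed by the user */
    struct node *next;
};

/* Constructed node values (hypothetical; the real bomb keeps its own table). */
static struct node nodes[NODES] = {
    {0x2f1, 1, NULL}, {0x1f2, 2, NULL}, {0x33d, 3, NULL}, {0x22c, 4, NULL},
    {0x1c0, 5, NULL}, {0x3a9, 6, NULL}, {0x2a8, 7, NULL},
};

/* Mimics the bomb's check: every number must be a distinct node number in
 * range, the list is relinked in the given order, and the values must then
 * be ascending. Returns 1 for "defused", 0 where the bomb would explode. */
int phase6_check(const int perm[NODES])
{
    int seen[NODES + 1] = {0};
    struct node *order[NODES];

    for (int i = 0; i < NODES; i++) {
        if (perm[i] < 1 || perm[i] > NODES || seen[perm[i]])
            return 0;                       /* out of range or duplicate */
        seen[perm[i]] = 1;
        order[i] = &nodes[perm[i] - 1];
    }
    for (int i = 0; i < NODES - 1; i++)     /* relink in input order */
        order[i]->next = order[i + 1];
    order[NODES - 1]->next = NULL;

    for (const struct node *p = order[0]; p->next != NULL; p = p->next)
        if (p->value > p->next->value)      /* not ascending: explode */
            return 0;
    return 1;
}

static int by_value(const void *a, const void *b)
{
    const struct node *x = a, *y = b;
    return (x->value > y->value) - (x->value < y->value);
}

/* Solver: sort a copy of the nodes by value and read off their numbers;
 * that permutation is the phase_6 answer. */
void phase6_solve(int out[NODES])
{
    struct node copy[NODES];
    memcpy(copy, nodes, sizeof copy);
    qsort(copy, NODES, sizeof copy[0], by_value);
    for (int i = 0; i < NODES; i++)
        out[i] = copy[i].index;
}

int main(void)
{
    int answer[NODES];
    phase6_solve(answer);
    for (int i = 0; i < NODES; i++)
        printf("%d%c", answer[i], i == NODES - 1 ? '\n' : ' ');
    printf("%s\n", phase6_check(answer) ? "defused" : "BOOM");
    return 0;
}
```

Once the node values have been read from memory in gdb, they can be pasted into the nodes table and the solver prints the permutation to type; the check function is what to compare against the disassembly if the bomb still explodes (for example if the real check turns out to be descending rather than ascending).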
Phase 7
Phase 7 is the hidden phase. I did not find it myself at first; a friend discovered it.
Figures 40, 41 Hidden phase entrance
Analyzing the assembly of the hidden phase and then viewing the referenced addresses in gdb shows that the entrance to the hidden phase is phase_4, and the password is mcReh
Figure 42 The hidden phase password and its format
One small detail: the hidden phase password goes immediately after the two integers. Combining the earlier analysis with some trial by hand: in the first case, if the hidden phase password is appended to phase_1, phase_3 and phase_4 at the same time, the hidden phase opens; appending it to only phase_1 or only phase_3 still passes those phases but does not open the hidden phase (in other words, without it after phase_4 you cannot enter the hidden phase). So the second case, appending the password only after phase_4, is enough to enter the hidden phase. This also agrees with the analysis of the assembly.
My guess is that the input is scanned pointer by pointer: if something is appended after an input of the same format, the scan picks it up and accepts it, but if something is appended after an input of a different format, the scan treats the answer as wrong. (This is only my guess; if you see it differently, let me know.)
Figures 43, 44 Comparison of the first and second cases
(The check of my guess is here, but it may not be correct.)
On to the hidden phase: secret_phase
Figures 45, 46, 47, 48 Hidden phase
It is actually fairly complex here, but don't be afraid: we have gdb.
Find the address first, then use gdb to see what it holds.
Figures 49, 50 gdb view
I then analyzed the following together with the code (taking fun7's arguments as A, the node pointer, and B, the input, and reusing A for the value returned by the recursive call):
A*2+1 = 5 --> A = 2, meaning *A < B
A*2 = 2 --> A = 1, meaning *A > B
A*2+1 = 1 --> A = 0, meaning *A < B
Across the three levels of recursion, the branch "if *A < B, recurse with (A+8) as the address" is executed twice and the branch "if *A > B, recurse with (A+4) as the address" once. Querying the stored value with gdb gives:
0x2f = 47
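The recursion above encodes the path through the tree in fun7's return value, so the required return value can be decoded back into a path. The following is an added example (my reconstruction, not the bomb's own code) that spells this out: fun7 written the way the post's analysis describes it, assuming the 32-bit node layout the offsets imply (value at +0, left child at +4, right child at +8), plus a solver that peels the required return value bit by bit and walks to the node whose value must be entered. The tree values are constructed so that the right-left-right path ends at 47; the real node values come from gdb, and secret_solve and secret_tree are my own names.

```c
/* Added example, not the bomb's own code: a reconstruction of the recursive
 * tree walk the post analyzes for secret_phase. With the 32-bit node layout
 * the post implies (value at +0, left child at +4, right child at +8), fun7
 * compares the input B against the node value and encodes the path it took
 * in its return value: 2*r after a left step, 2*r+1 after a right step, 0 at
 * the matching node. The tree below is constructed so that the path
 * right-left-right ends at 47, the post's answer. */
#include <stdio.h>

struct node {
    int value;            /* *A in the post's notation, at +0 */
    struct node *left;    /* at +4 */
    struct node *right;   /* at +8 */
};

/* Constructed binary search tree (hypothetical values). */
static struct node tree[9] = {
    [0] = {36,  &tree[1], &tree[2]},
    [1] = {8,   &tree[3], &tree[4]},
    [2] = {50,  &tree[5], &tree[6]},
    [3] = {6,   NULL, NULL},
    [4] = {22,  NULL, NULL},
    [5] = {45,  &tree[7], &tree[8]},
    [6] = {107, NULL, NULL},
    [7] = {40,  NULL, NULL},
    [8] = {47,  NULL, NULL},
};

const struct node *secret_tree(void) { return &tree[0]; }

/* fun7 as reconstructed from the post's analysis (the name is the bomb's).
 * Returns a negative value if b is not in the tree. */
int fun7(const struct node *a, int b)
{
    if (a == NULL)
        return -1;
    if (a->value > b)                 /* *A > B: recurse into +4 (left) */
        return 2 * fun7(a->left, b);
    if (a->value == b)
        return 0;
    return 2 * fun7(a->right, b) + 1; /* *A < B: recurse into +8 (right) */
}

/* Solver: the required return value is a path written in binary. Peel it
 * off from the root: an odd remainder means the step at this level was to
 * the right, an even one to the left; at 0 the current node's value is an
 * input that makes fun7 return exactly `want`. Returns -1 if the path
 * runs off the tree. */
int secret_solve(const struct node *a, int want)
{
    while (a != NULL) {
        if (want == 0)
            return a->value;
        if (want & 1) { a = a->right; want = (want - 1) / 2; }
        else          { a = a->left;  want /= 2; }
    }
    return -1;
}

int main(void)
{
    int answer = secret_solve(secret_tree(), 5);    /* the post's target */
    printf("input %d -> fun7 returns %d\n", answer, fun7(secret_tree(), answer));
    return 0;
}
```

For the target 5 (binary 101) the solver walks right, left, right, exactly the two "*A < B" steps and one "*A > B" step counted above, and lands on 47. A return value of 0 is satisfied by more than one node (the root and anything reached by left steps only), so the solver simply returns the first one it reaches.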
Verification result:
Figure 51 Hidden phase cracked
The hidden phase (secret_phase) has been defused!
Overall result, all phases cleared:
Figure 52 All phases defused
At this point, every phase has been passed!
Wow haha! The binary bomb defusal is officially over! I hope this is helpful to everyone. If anyone wants to discuss this experiment with me, you are welcome to get in touch!
——Zhang Zha Zha_