adworld (攻防世界) expert area, serial-150 write-up: IDA remote dynamic debugging (suitable for beginners)
1. Checking for a packer
It turned out to be a 64-bit ELF file. I dragged it into IDA64 for static analysis and could not find the entry function, so I judged the code to be obfuscated. Since I did not know how to repair the structure, the only option left was IDA remote dynamic debugging.
2. IDA remote dynamic debugging: the connection
I stepped on a pit here: IDA could not connect to the Linux virtual machine. I looked up a lot of information. At first I thought the firewall had not been turned off, so on the Kali VM I was using I disabled it with `ufw disable`, but it still would not connect.
Then I saw a document saying that IDA remote dynamic debugging has one very important prerequisite: the host must be able to ping the virtual machine. I tried it, and sure enough the ping failed. The virtual machine could ping the host, but the host could not ping the virtual machine. After reading many blogs I still had not solved it; after several twists and turns I finally found the cause. The fix is as follows (I use VMware; the screenshot of the VMware network setting is not reproduced here). Note that ping is only a convenient reachability check: what the connection actually needs is for the host to reach the TCP port the IDA debug server listens on, which is 23946 by default.
The steps of the remote connection, in order:
Step 1 (screenshot)
Step 2 (screenshot)
Run the IDA debug server in the virtual machine (the `linux_server64` binary shipped in IDA's dbgsrv directory; command: `./linux_server64`). If the following output appears, it is running:
Step 3 (screenshot of the Debug application setup dialog, fields numbered 1 to 5)
1. The file name of the target
2. The path to the file
3. Leave blank
4. Hostname: the virtual machine's IP address (check it with ifconfig in the Linux terminal)
5. Password: the password of the debug server, if one was set when it was started; otherwise it can be left blank
3. IDA remote dynamic debugging: the debugging
(1) Start debugging:
(2) Click button 1 first. When the program stops, click button 2, then type any string in the virtual machine terminal and press Enter. Now press F8 in IDA (step over, one instruction at a time) until the address reaches the start of region 4.
There you will find a cmp instruction; this is the key spot. From the assembly we can tell that the flag length is 10h, i.e. 16 characters. Set a breakpoint here.
(3) Press F8 to continue debugging.
From this cmp instruction we can determine that the first character of the flag is E.
Continue debugging and
pay close attention here! This screenshot contains a lot of information: [rbp-200h] is the first character entered and [rbp-1F1h] is the last character entered (why? because 200h - 1F1h = 0Fh = 15, the index of the last byte of a 16-byte buffer). The add instruction shows that the first and last characters are added together, and the sum is compared with 9Bh. Since the first character is E (45h), subtracting gives 9Bh - 45h = 56h, so the last character must be V.
(4) Repeat steps (2) and (3) for the remaining characters to obtain the complete flag:
EZ9dmq4c8g9G7bAV
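As an added example (not part of the original write-up and not the binary's own code), the script below models the three checks the debugger session above actually shows: the length comparison against 10h, the first-character comparison against E, and the pair-sum comparison of the first and last bytes against 9Bh. It turns the [rbp-XXXh] offsets into buffer indices, inverts a pair-sum check the way step (3) does by hand, and verifies a candidate flag against the recorded checks. The remaining checks that produce the middle characters are not on the page, so they are deliberately not reproduced; `OBSERVED_CHECKS` is a list you extend as you record more cmp instructions.

```python
# Added example, not from the original write-up: models the checks observed
# while stepping through serial-150 in IDA and shows how each one is inverted.
# Only the three checks the write-up shows are encoded; the binary's other
# checks are not reproduced here.

FLAG_LEN = 0x10          # cmp against 10h: the input must be 16 bytes
BUF_BASE = 0x200         # the input buffer starts at [rbp-200h]


def index_from_offset(rbp_offset: int) -> int:
    """Map an [rbp-XXXh] reference to an index into the input buffer.

    [rbp-200h] is byte 0, so [rbp-1F1h] is byte 0x200 - 0x1F1 = 0xF = 15,
    the last byte of a 16-byte input.
    """
    idx = BUF_BASE - rbp_offset
    if not 0 <= idx < FLAG_LEN:
        raise ValueError(f"offset {rbp_offset:#x} is outside the input buffer")
    return idx


def solve_pair_sum(known_char: str, total: int) -> str:
    """Invert a check of the form s[i] + s[j] == total when s[i] is known.

    The write-up's instance: 'E' (45h) + s[15] == 9Bh, so s[15] == 56h == 'V'.
    """
    other = total - ord(known_char)
    if not 0x20 <= other < 0x7F:
        raise ValueError(f"partner byte {other:#x} is not printable ASCII")
    return chr(other)


# The checks recovered from the debugger, in the order they were hit.
# Each entry is (description, predicate over the candidate's bytes).
OBSERVED_CHECKS = [
    ("length == 10h", lambda s: len(s) == FLAG_LEN),
    ("s[0] == 'E'", lambda s: s[0] == ord("E")),
    ("s[0] + s[15] == 9Bh",
     lambda s: s[index_from_offset(0x200)] + s[index_from_offset(0x1F1)] == 0x9B),
]


def check_candidate(candidate: str) -> list:
    """Return the descriptions of every observed check the candidate fails."""
    s = candidate.encode("ascii")
    failed = []
    for name, pred in OBSERVED_CHECKS:
        try:
            ok = pred(s)
        except (IndexError, ValueError):
            ok = False          # too short to even reach the compared byte
        if not ok:
            failed.append(name)
    return failed


if __name__ == "__main__":
    print("index of [rbp-1F1h]:", index_from_offset(0x1F1))
    print("last char from 'E' + s[15] == 9Bh:", solve_pair_sum("E", 0x9B))
    for cand in ("EZ9dmq4c8g9G7bAV", "EZ9dmq4c8g9G7bAA", "short"):
        print(cand, "fails:", check_candidate(cand) or "no observed check")
```

Recording each cmp as a named predicate keeps the evidence from the debugger separate from the guesswork: when a later character turns out wrong, `check_candidate` tells you exactly which recorded comparison the candidate violates instead of the binary silently rejecting it.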