【HUST】Network Attack and Defense Practice|5_Binary File Patch Technology|Experiment 1 overflow

Install the KeyPatch plugin

Reference: "The keypatch plugin does not show up in IDA Pro V7.0: solution" (yirj's blog, CSDN).

First install keystone with pip install keystone.

Then move the installed keystone folder into the IDAPro V7.0/python directory, and copy keypatch.py from keypatch/keypatch.py at master · keystone-engine/keypatch (github.com) into IDAPro V7.0/plugins.

Experimental requirements

  1. Logic bug fix: make the program print only the words corresponding to your gender;
  2. Stack overflow fix: no matter how long the input string is, the program must not crash.

Experiment procedure

Looking at the program, the logic bug comes from printing both lines unconditionally, and the stack overflow comes from the gets function.

1. Logic bug

Right-click the call _puts that outputs "boy" and change it to nop.

2. Stack overflow vulnerability

To patch a vulnerability in a function, the usual approach is to pick a free spot in .eh_frame for the patch code and change the original call <function> into jmp <start of the chosen .eh_frame location>. The patch code ends with a call <function> and a jmp <address of the instruction after the original call>, so execution jumps into the patch and then back.

Here the address of gets is 0x05A0, and the address of the instruction after the call to gets is 0x0701. The starting address I chose for inserting the patch is 0x08C2.

I did not know which method should be used to fix the gets vulnerability, so I searched for a repair approach and found a Zhihu article with a brief analysis of syscall system calls in CTF. The common fix is to replace the gets() function with the read() system call, so the original function does not need to be called at the end of the patch code.

The article says that the read() system call is number 0 on 64-bit systems and number 3 on 32-bit systems. My test environment is 64-bit Linux, so eax needs to be set to 0 before executing syscall.

As shown in the figure below, eax is assigned the value 0 just before the patch code is reached.

Therefore the system call number is already 0 and does not need to be set. The patch code is as follows:

mov edx, 0Ah		;set the length to 10 bytes
lea rsi, [rbp-0Bh]	;load the buffer address into rsi
mov rdi, 0			;fd 0 = stdin
syscall				;system call (eax is already 0 = read)
jmp 0x0701			;jump back into the original execution flow
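To check that the numbers above are consistent before applying the patch, here is an added Python script (not part of the original post) that lays out the two writes the patch needs: the jmp that replaces the call at the call site, and the trampoline in .eh_frame. It assumes the original call is a 5-byte E8 rel32 call at 0x0701 - 5, and hand-encodes the trampoline bytes that the assembler text above produces.

```python
import struct

# Addresses taken from the post (image offsets, not runtime addresses).
GETS_PLT       = 0x05A0  # target of the original call
RET_ADDR       = 0x0701  # instruction after `call gets`; the patch jumps back here
PATCH_START    = 0x08C2  # free bytes in .eh_frame chosen for the trampoline
PATCH_END_SEEN = 0x08D4  # end of the visible patch body in the post
CALL_LEN       = 5       # assumption: the call is a 5-byte `E8 rel32`
CALL_SITE      = RET_ADDR - CALL_LEN

# Machine code for the trampoline body as written in the post.
TRAMPOLINE_BODY = (
    b"\xBA\x0A\x00\x00\x00"          # mov edx, 0Ah        ; count = 10
    b"\x48\x8D\x75\xF5"              # lea rsi, [rbp-0Bh]  ; buffer
    b"\x48\xC7\xC7\x00\x00\x00\x00"  # mov rdi, 0          ; fd = stdin
    b"\x0F\x05"                      # syscall             ; rax already 0 = read
)

def rel32(target: int, insn_addr: int, insn_len: int = 5) -> bytes:
    """Little-endian displacement, relative to the END of the jmp/call."""
    return struct.pack("<i", target - (insn_addr + insn_len))

def jmp_rel32(target: int, insn_addr: int) -> bytes:
    return b"\xE9" + rel32(target, insn_addr)

def original_call() -> bytes:
    """Bytes expected at CALL_SITE before patching (sanity check in IDA)."""
    return b"\xE8" + rel32(GETS_PLT, CALL_SITE)

def build_patch() -> dict:
    """Return {address: bytes} for the two writes described in the post."""
    jmp_back_addr = PATCH_START + len(TRAMPOLINE_BODY)
    trampoline = TRAMPOLINE_BODY + jmp_rel32(RET_ADDR, jmp_back_addr)
    redirect = jmp_rel32(PATCH_START, CALL_SITE)
    # The redirect must overwrite exactly the call, leaving no stray bytes.
    if len(redirect) != CALL_LEN:
        raise ValueError("redirect does not fit the call slot")
    return {CALL_SITE: redirect, PATCH_START: trampoline}

if __name__ == "__main__":
    for addr, data in sorted(build_patch().items()):
        print(f"{addr:#06x}: {data.hex(' ')}")
```

Two things the trampoline inherits from using a raw read instead of gets: the bytes are not NUL-terminated and the newline stays in the buffer, so later code that expects a C string needs the buffer pre-zeroed or a terminator written, and the count in edx must stay below the buffer size.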

Right-click at 0x08C2 and choose KeyPatch. Because of the input length limit, first enter mov edx, 0Ah; lea rsi, [rbp-0Bh]; mov rdi, 0; syscall, and then enter jmp 0x0701 separately.

After the modification, press 'C' to turn the data bytes into code so they are displayed as instructions.

The visible part of the patch code occupies 0x08C2~0x08D4.

Once the modification is complete, go to Edit - Patch program - Apply patches to input file… and click OK.

Run the program again, and you can see that the patching requirements for both vulnerabilities are met.

(I have removed all personal information for privacy reasons)


Source: blog.csdn.net/qq_46106285/article/details/125116966