re study notes (35) Attack and Defense World - no-strings-attached (dynamic debugging)

Reference article:
re study notes (28) Attack and defense world-re-no-strings-attached_Forgo7ten's blog-CSDN blog

No-strings-attached introductory questions in the world of attack and defense_no-strings-attached in the world of attack and defense_Muyi·Lin's blog-CSDN blog

My solution:

Drop the file into Exeinfo PE to check for a packer and other basic information:

As shown in the figure, it is a 32-bit Linux ELF, so as usual it goes into 32-bit IDA to look at the code, following the main function:

Step into the authenticate() function:

There is a decrypt function here (the name means decryption). It does not appear in the import table, which means it is not a library function. The if condition that follows checks the input: it compares it with wcscmp, and the two wprintf calls after it print the success string and the access-denied string respectively.
fgetws reads up to 0x2000 wide characters from stdin into ws, so s2 is the key, and s2 is produced by the decrypt function, a user-defined function. Here I learned that the English name of a non-library function is the hint the challenge gives. So the check compares the result of the decryption with the input: as long as the input equals the decrypted s2, the success string is printed (otherwise the access-denied one), and the flag is naturally produced inside the decrypt function.

Then start dynamic debugging:


One problem held me up for a long time: the 32-bit binary could not be run under Ubuntu for debugging, and some packages had to be installed first.

Reference article:

[BUG] There is an executable file in the Linux directory but the error message "No such file or directory" cannot be found. Solution: Install the running architecture of 32-bit programs for 64-bit Ubuntu_The linux file exists but an error message says it cannot be found_shandianchengzi Blog-CSDN Blog

That solves it.

The program finishes the call at 0x08048720 and leaves the return value in eax.
eax is then stored to [ebp+s2], which is the string s2.
Press F8 to single-step to 0x08048725,
then jump to the address held in eax to view the memory there.

In fact the flag is already visible here and could simply be read off character by character, but you can also dump the data and convert it in one go.

Referring to a script written by others:

Data extraction:

unsigned int data[38] = {
    0x00000039, 0x00000034, 0x00000034, 0x00000037, 0x0000007B, 0x00000079, 0x0000006F, 0x00000075,
    0x0000005F, 0x00000061, 0x00000072, 0x00000065, 0x0000005F, 0x00000061, 0x0000006E, 0x0000005F,
    0x00000069, 0x0000006E, 0x00000074, 0x00000065, 0x00000072, 0x0000006E, 0x00000061, 0x00000074,
    0x00000069, 0x0000006F, 0x0000006E, 0x00000061, 0x0000006C, 0x0000005F, 0x0000006D, 0x00000079,
    0x00000073, 0x00000074, 0x00000065, 0x00000072, 0x00000079, 0x0000007D
};

Then convert it to characters, which gives the flag:

#include <stdio.h>

int main(void)
{
    /* Each element is one wchar_t (4 bytes on 32-bit Linux) of the decrypted s2,
       copied from memory at the return of decrypt(). */
    unsigned int data[38] = {
        0x00000039, 0x00000034, 0x00000034, 0x00000037, 0x0000007B, 0x00000079, 0x0000006F, 0x00000075,
        0x0000005F, 0x00000061, 0x00000072, 0x00000065, 0x0000005F, 0x00000061, 0x0000006E, 0x0000005F,
        0x00000069, 0x0000006E, 0x00000074, 0x00000065, 0x00000072, 0x0000006E, 0x00000061, 0x00000074,
        0x00000069, 0x0000006F, 0x0000006E, 0x00000061, 0x0000006C, 0x0000005F, 0x0000006D, 0x00000079,
        0x00000073, 0x00000074, 0x00000065, 0x00000072, 0x00000079, 0x0000007D
    };
    /* The values are all plain ASCII, so printing each one with %c yields the flag. */
    for (int i = 0; i < 38; i++)
        printf("%c", data[i]);
    putchar('\n');
    return 0;
}

The flag is 9447{you_are_an_international_mystery}
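As an added example (not from the original post or the referenced blogs), the same conversion done in Python directly from the bytes one would copy out of the debugger's memory view, rather than from a hand-typed int array. The hex dump below is constructed to match the values above; the 4-byte wchar_t size and the 9447{...} flag shape are assumptions taken from the page.

```python
import re
from typing import Optional

# Constructed sample of the decrypted s2 as it looks in a 32-bit Linux memory
# dump: wchar_t is 4 bytes, little-endian, so '9' (0x39) appears as 39 00 00 00.
# The values match the array on the page; 00 00 00 00 is the wide NUL terminator
# and the 41 41 41 41 after it stands for unrelated neighbouring memory.
MEMORY_DUMP = """
39 00 00 00 34 00 00 00 34 00 00 00 37 00 00 00 7B 00 00 00 79 00 00 00 6F 00 00 00 75 00 00 00
5F 00 00 00 61 00 00 00 72 00 00 00 65 00 00 00 5F 00 00 00 61 00 00 00 6E 00 00 00 5F 00 00 00
69 00 00 00 6E 00 00 00 74 00 00 00 65 00 00 00 72 00 00 00 6E 00 00 00 61 00 00 00 74 00 00 00
69 00 00 00 6F 00 00 00 6E 00 00 00 61 00 00 00 6C 00 00 00 5F 00 00 00 6D 00 00 00 79 00 00 00
73 00 00 00 74 00 00 00 65 00 00 00 72 00 00 00 79 00 00 00 7D 00 00 00 00 00 00 00 41 41 41 41
"""

# Assumed flag format: the challenge comes from 9447 CTF, hence the 9447{...} prefix.
FLAG_PATTERN = re.compile(r"9447\{[^{}]+\}")


def parse_hex_dump(dump: str) -> bytes:
    """Turn whitespace-separated hex bytes copied from a memory view into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_wide_string(raw: bytes, wchar_size: int = 4) -> str:
    """Decode a wchar_t string from memory, stopping at the first wide NUL.

    Linux wchar_t is 4 bytes (UTF-32LE on x86), which is why every value on the
    page is 0x000000xx; a Windows dump would be read with wchar_size=2 (UTF-16LE).
    """
    encoding = {4: "utf-32-le", 2: "utf-16-le"}[wchar_size]
    end = len(raw) - len(raw) % wchar_size  # drop a trailing partial unit
    for off in range(0, end, wchar_size):
        if raw[off:off + wchar_size] == b"\x00" * wchar_size:
            end = off
            break
    return raw[:end].decode(encoding)


def recover_flag(dump: str) -> Optional[str]:
    """Decode the dumped s2 and return it only if it has the 9447{...} flag shape."""
    text = decode_wide_string(parse_hex_dump(dump))
    match = FLAG_PATTERN.search(text)
    return match.group(0) if match else None


if __name__ == "__main__":
    print(recover_flag(MEMORY_DUMP))
```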

Summary:

1. If a function is not in the import table, it is not a library function, and the English name of such a non-library function is itself the hint the challenge gives.

2. Dynamic debugging is essentially memory debugging: look for the data and intermediate variables in memory.

3. IDA names unresolved variables according to its own rules. That is, the variable is called s2 in IDA, but there is no variable named s2 in the program itself, so we can only look at the register: after all, the function returns its value in eax first, and only then is it moved into the variable.

Origin blog.csdn.net/m0_66039322/article/details/132367755