攻防世界 (adworld) serial-150: IDA dynamic debugging

Posted by demo41 on 2024-05-02

A fairly complete record of working through this challenge. It is very basic, just a walkthrough of the problem; experts, feel free to skip.

Challenge


Analysis

Dropped into PE, it turns out to be a 64-bit ELF.

Dropped into IDA, the strings view gives a clue.

But double-clicking it does not land in assembly; it is in the read-only rodata segment.

There are not many functions in the left pane, and no main function. Going into the start function first reveals main.

Going into main, it is assembly highlighted in red, followed by a pile of junk (anti-disassembly) instructions.

Look at the assembly at the very beginning first.

It uses rbp-relative addressing, and rsp is moved by 0x200 to open up a buffer.

The next two segments do not change the stack; they just repeat according to the counter rcx.

Debugging in gdb makes this clearer: when execution reaches the rep instruction, step over it repeatedly with 'n'. RCX decrements until it reaches 0, and RDI increases by 0x8 each time.

Run the program and see. (The name was too long, so I renamed it to 1.)

I happen to be learning pwn lately, so let's look at main with the pwn tooling.

There is more below; I stopped taking screenshots.

Combined with IDA, the junk instructions are at address 0x400A00.

In gdb, there is assembly at address 0x400A00, with some (bad) parts in between.

Later I read other people's writeups; it may be an IDA issue, since many writeups show no junk-instruction section.

The red box below is the 'E' in IDA, used to check whether the input meets the requirement. It is the key part, but it is hard to make out in gdb; that tool is not enough here.

Also from the writeups: there is a dynamic function that changes at runtime, so IDA dynamic debugging is needed.


IDA dynamic debugging

Setup: there is no Windows debugger, so only the Linux debugger can be used.

Not knowing where the key assembly is, to be safe set a breakpoint on the first instruction of main.

Keep stepping over with F8; whenever the dialog below pops up, choose YES.

It stops at the line below and will not move on.

Meanwhile, in kali:

This is clearly the input point. Type anything, press Enter, and continue debugging.

Continue with F8; click YES once more, keep pressing F8, and arrive at the place below.

Focus on the following assembly:

  • rbp-200h: the location the stack pointer rsp points to, i.e. the top of the newly opened buffer. Since the instruction above it is the input, guess that it holds what we typed.
  • call _strlen: clearly a function related to the input string's length.
  • cmp rax, 10h: this instruction is used for comparison; if the value in rax equals 0x10, ZF=1.
  • jz short near ptr loc_400A3B+1: jz jumps when ZF=1.

What this assembly does: check whether the input string's length is 0x10, i.e. 16.

Debug again and enter a string of length 16, for example: abcdefghijklmnop

The jump condition is met, and we arrive at the place below.

Double-click to look at the stack.

It is the first character of the input, and it must equal 'E'.

Debug again, input: Ebcdefghijklmnop

The condition is met, the jump is taken, and we arrive below.

Look at the stack at [rbp-200h] and at [rbp-1F1h].

edx holds the first character.

eax holds the last character.

add eax, edx
cmp eax, 9Bh

The two added together must equal 0x9B.

So the last character is: V

Debug again, input: EbcdefghijklmnoV, arriving at a new place.

Looking at the stack, rbp-1FFh is the second character of the input, and it must equal 'Z'.

Debug again, input: EZcdefghijklmnoV, arriving at a new place.

Isn't this check logic the same as before?

Look at the stack at rbp-1F2h: it is the second-to-last character, and the second character plus the second-to-last must equal 9Bh.

So the second-to-last character is: A

The rest of the logic is the same: a character at some position from the front is given, subtract it from 0x9B, and you get the character at the corresponding position from the back.

I won't list them all here.
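The checks recovered above, modelled in Python as an added example (this is not the challenge's code, and nothing here comes from decompiling the binary): it implements the writeup's derivation rule (0x9B minus the given character) and replays the checks on the inputs from the debugging log. The sum constants for pairs 4/11 and 5/10 are an assumption inferred from the accepted key (m+G = 0xB4, q+9 = 0xAA rather than 0x9B), which is why the model keeps one constant per pair instead of assuming a single value.

```python
# Added example, not the challenge's own code: a Python model of the checks
# recovered while debugging serial-150, plus the writeup's derivation rule.

KEY_LEN = 16

# Characters the binary dictates at positions 0..7 (the front of each pair).
# 'E' and 'Z' are shown in the writeup; the rest are taken from the successive
# inputs in the debugging log (assumption: they are given, not derived).
GIVEN = "EZ9dmq4c"

# Sum constant for each mirrored pair (index i pairs with 15 - i).
# 0x9B is the immediate in the writeup's "cmp eax, 9Bh"; 0xB4 and 0xAA are
# NOT from the disassembly but inferred from the accepted key (m+G, q+9).
PAIR_SUM = {0: 0x9B, 1: 0x9B, 2: 0x9B, 3: 0x9B,
            4: 0xB4, 5: 0xAA, 6: 0x9B, 7: 0x9B}


def mirror_char(given, pair_sum=0x9B):
    """The writeup's rule: back character = constant - front character."""
    return chr(pair_sum - ord(given))


def pair_sums(serial):
    """Actual sum of each mirrored pair; handy for reading constants off a key."""
    b = serial.encode("latin-1")
    return {i: b[i] + b[KEY_LEN - 1 - i] for i in range(KEY_LEN // 2)}


def check_serial(serial):
    """Replay the checks in the order the binary applies them.
    Returns the failed checks; an empty list means the key is accepted."""
    if len(serial) != KEY_LEN:               # strlen(input) == 0x10
        return ["length %d != %d" % (len(serial), KEY_LEN)]
    b = serial.encode("latin-1")
    failures = []
    for i, total in PAIR_SUM.items():
        j = KEY_LEN - 1 - i
        if b[i] != ord(GIVEN[i]):            # e.g. [rbp-200h] == 'E'
            failures.append("s[%d] != %r" % (i, GIVEN[i]))
        if b[i] + b[j] != total:             # add eax, edx ; cmp eax, <const>
            failures.append("s[%d]+s[%d] = %#x != %#x" % (i, j, b[i] + b[j], total))
    return failures


def derive_key():
    """Build the full key from the given front characters and the pair constants."""
    back = [mirror_char(c, PAIR_SUM[i]) for i, c in enumerate(GIVEN)]
    return GIVEN + "".join(reversed(back))   # EZ9dmq4c8g9G7bAV
```

When stepping through the remaining pairs, read the immediate off each pair's own cmp; pair_sums() shows which pairs of the final key do not sum to 0x9B.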

Here is the debugging log:

IDA Linux 64-bit remote debug server(ST) v7.5.26. Hex-Rays (c) 2004-2020
Listening on 0.0.0.0:23946...
2024-05-02 01:55:05 [1] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
123456
Serial number is not valid!
2024-05-02 02:30:53 [1] Closing connection from 192.168.136.1...
2024-05-02 02:31:01 [2] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
abcdefghijklmnop
Serial number is not valid!
2024-05-02 02:35:46 [2] Closing connection from 192.168.136.1...
2024-05-02 02:35:48 [3] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
Ebcdefghijklmnop
Serial number is not valid!
2024-05-02 02:46:00 [3] Closing connection from 192.168.136.1...
2024-05-02 02:46:01 [4] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EbcdefghijklmnoV
Serial number is not valid!
2024-05-02 02:48:59 [4] Closing connection from 192.168.136.1...
2024-05-02 02:49:00 [5] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZcdefghijklmnoV
Serial number is not valid!
2024-05-02 02:56:47 [5] Closing connection from 192.168.136.1...
2024-05-02 02:56:50 [6] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZcdefghijklmnAV
Serial number is not valid!
2024-05-02 02:57:42 [6] Closing connection from 192.168.136.1...
2024-05-02 02:57:43 [7] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijklmnAV
Serial number is not valid!
2024-05-02 02:58:30 [7] Closing connection from 192.168.136.1...
2024-05-02 02:58:32 [8] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijklmbAV
Serial number is not valid!
2024-05-02 02:59:31 [8] Closing connection from 192.168.136.1...
2024-05-02 02:59:32 [9] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijkl7bAV
Serial number is not valid!
2024-05-02 03:00:22 [9] Closing connection from 192.168.136.1...
2024-05-02 03:00:23 [10] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmfghijkG7bAV
Serial number is not valid!
2024-05-02 03:01:15 [10] Closing connection from 192.168.136.1...
2024-05-02 03:01:16 [11] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmqghij9G7bAV
Serial number is not valid!
2024-05-02 03:02:17 [11] Closing connection from 192.168.136.1...
2024-05-02 03:02:17 [12] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmq4hig9G7bAV
Serial number is not valid!
2024-05-02 03:03:09 [12] Closing connection from 192.168.136.1...
2024-05-02 03:03:10 [13] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmq4c8g9G7bAV
Serial number is valid :)
2024-05-02 03:04:09 [13] Closing connection from 192.168.136.1...

flag

EZ9dmq4c8g9G7bAV