
[Reverse] 步步为营 writeup

Posted on 2021-3-26 16:45:00 | Views: 3847 | Replies: 0

Related challenge:

♦ 步步为营





We are given a binary.

$ file r200.bin 
r200.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=22e68980e521b43c90688ed0693df78150b10211, stripped

This one has the same ptrace protection as r100. We use the same technique to bypass the ptrace check: break right after the ptrace call and overwrite its return value.

gdb-peda$ b *0x40087d
Breakpoint 1 at 0x40087d
gdb-peda$ r
.
.
gdb-peda$ set $rax=0

Here the decompiler output doesn't help much, so we switch to manually tracing the binary's control flow. Six constants are stored on the stack:

   mov    DWORD PTR [rbp-0x20],0x5
   mov    DWORD PTR [rbp-0x1c],0x2
   mov    DWORD PTR [rbp-0x18],0x7
   mov    DWORD PTR [rbp-0x14],0x2
   mov    DWORD PTR [rbp-0x10],0x5
   mov    DWORD PTR [rbp-0xc],0x6

This seems interesting. A little bit of analysis shows

0x4007af:   mov    rax,QWORD PTR [rip+0x2008ca]        # 0x601080

On examining the memory that 0x601080 points to, and the nearby entries, the pattern is obvious:

gdb-peda$ x/2xw 0x602010
0x602010:   0x00000001  0x0000006e
gdb-peda$ x/2xw 0x602030
0x602030:   0x00000002  0x0000006f
gdb-peda$ x/2xw 0x602050
0x602050:   0x00000003  0x00000070
gdb-peda$ x/2xw 0x602070
0x602070:   0x00000004  0x00000071

Each entry pairs a small integer with a character: 0x6e (n) is mapped to 0, 0x6f (o) to 2, and so on.
So the sequence 5, 2, 7, 2, 5, 6 gives us "rotors".

Flag

rotors
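The lookup above can be automated. The script below is an added example written for this post, not code from the challenge or its author: it builds a constructed memory image with the same layout as the dump (each entry is a pair of 32-bit little-endian values, index then character, and consecutive entries sit 0x20 bytes apart, matching the addresses 0x602010, 0x602030, ...), parses the pairs into an index-to-character table, and decodes the six stack constants. The entry count and the fixed 0x20 stride are assumptions taken from the four entries shown; the real binary's table may be organised differently (for instance as a linked list of heap nodes).

```python
import struct

# Layout assumed from the gdb dump: entries at 0x602010, 0x602030, ... (stride 0x20),
# each starting with (index: u32, char: u32) in little-endian order.
ENTRY_STRIDE = 0x20
NUM_ENTRIES = 7          # constructed: covers n..t, enough to decode the key

# The six immediates written to [rbp-0x20] .. [rbp-0xc] in the disassembly
KEY = [5, 2, 7, 2, 5, 6]


def build_table_image():
    """Return a constructed memory region with entries n=1, o=2, ..., t=7.

    This stands in for the bytes gdb would show; it is not dumped from the binary.
    """
    mem = bytearray(ENTRY_STRIDE * NUM_ENTRIES)
    for i in range(NUM_ENTRIES):
        struct.pack_into("<II", mem, i * ENTRY_STRIDE, i + 1, ord("n") + i)
    return bytes(mem)


def parse_table(mem, stride=ENTRY_STRIDE):
    """Walk the region at the given stride and collect {index: character}.

    A zero index is treated as the end of the table (assumption).
    """
    mapping = {}
    for off in range(0, len(mem) - 7, stride):
        idx, ch = struct.unpack_from("<II", mem, off)
        if idx == 0:
            break
        mapping[idx] = chr(ch)
    return mapping


def decode(values, mapping):
    """Translate each stack constant through the table; unknown values raise KeyError."""
    return "".join(mapping[v] for v in values)


if __name__ == "__main__":
    table = parse_table(build_table_image())
    print(table)              # {1: 'n', 2: 'o', 3: 'p', ...}
    print(decode(KEY, table)) # rotors
```

To use this against a real dump, replace build_table_image() with the bytes read from the process (for example via x/s-style dumps or gdb's dump memory command) and adjust ENTRY_STRIDE if the entries are not evenly spaced.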
