学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

2万

积分

41

好友

1168

主题
发表于 2020-5-3 00:14:50 | 查看: 2780| 回复: 0

相关题目:

[md]# M-x 5x5

We can start by examining the given executable, and seeing that the `sym.flip` function is something
like the following:

```c
void flip(char* board, int position, int size) {
  int x = position & 0xf;
  int y = position >> 4;
  if (y > 0) {
    board[y - 1] ^= 1 << x;
  }
  int mask = 0b11;
  if (x > 0) {
    mask = 0b111 << (x - 1);
  }
  board[y] ^= mask;
  if (y < 15) {
    board[y + 1] ^= 1 << x;
  }
}
```

For 8x8 Lights out, we can turn any position into any other position (the proof and method for
doing this, while not trivial, is left as an exercise to the reader). This also means that we
can take any position XOR anything, even if we do not what position it is.

Here we can see that we can write as normally four bytes outside of the buffer, which we can see
is the register `$rbp`, stored on the stack for the return to `main`. In `main`, there is a `char`
pointer, which initially points to the text `"Bye!"`, and will be changed to `"Good job, you won!"`
if the `play_game` function returns a one, which it never will. This pointer is stored in `$rbp-0x8`
in `main`. What we can do is to change the `$rbp` stored on the stack, which in turn makes `$rbp-0x8`
point to any location we want.

For our expoit, we will make `$rbp-0x8` point to the board, which is `$rbp-0x8` in the `play_game`
function. Dynamic analysis can show us that the difference between `$rbp` in `main` and `play_game` is
exactly `0x20`. As we don't know the value of `$rbp` at any point, due to ASLR in the server, we will
either have to guess it, or try every possibility. We know that `$rbp` is aligned to 8 bytes, as
it would cause a segfault otherwise. Brute forcing, we can see that we need to XOR by `0x20`, `0x60`,
`0xe0` or `0x1e0` to subtract by `0x20`, depending on the value of `$rbp`. Once we've XOR:ed `$rbp`
with the correct value, we only need to change the board to be a pointer to the flag string, which is
trivial.

Now we only need to guess what the value of `$rbp` is, and use the corresponding XOR. This should take
around 4 attempts, and then the service should print the flag for us.[/md]



游客,如果您要查看本帖隐藏内容请回复
温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046

小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

GMT+8, 2024-11-22 18:42 , Processed in 0.136947 second(s), 39 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表