strcmp usage and simulated implementation: XCTF 攻防世界 reverse practice, no-strings-attached

Challenge description

[Figure 1]

Checking the file information

root@kali:~/Desktop# file no-strings-attached
no-strings-attached: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=c8d273ed1363a1878f348d6c506048f2354849d0, not stripped

Running it throws an error:

root@kali:~/Desktop# ./no-strings-attached
Welcome to cyber malware control software. Currently tracking 752945626 bots worldwide
no-strings-attached: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted

Drag the binary into IDA and press Shift+F12:

No useful strings turn up.

Decompile with F5

On inspection, authenticate() is the important function. From the code below, s2 is the flag we need, and s2 is produced by decrypt(). Looking at the assembly, decrypt()'s return value is left in eax, so we debug with GDB.

# disass decrypt: show the function's assembly
gdb-peda$ disass decrypt
Dump of assembler code for function decrypt:
   0x08048658 <+0>:     push   ebp
   0x08048659 <+1>:     mov    ebp,esp
   0x0804865b <+3>:     push   ebx
   0x0804865c <+4>:     sub    esp,0x34
   0x0804865f <+7>:     mov    eax,DWORD PTR [ebp+0x8]
   0x08048662 <+10>:    mov    DWORD PTR [esp],eax
   0x08048665 <+13>:    call   0x8048520 <wcslen@plt>
   0x0804866a <+18>:    mov    DWORD PTR [ebp-0x14],eax
   0x0804866d <+21>:    mov    eax,DWORD PTR [ebp+0xc]
   0x08048670 <+24>:    mov    DWORD PTR [esp],eax
   0x08048673 <+27>:    call   0x8048520 <wcslen@plt>
   0x08048678 <+32>:    mov    DWORD PTR [ebp-0x10],eax
   0x0804867b <+35>:    mov    ebx,DWORD PTR [ebp+0x8]
   0x0804867e <+38>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048681 <+41>:    mov    DWORD PTR [esp],eax
   0x08048684 <+44>:    call   0x8048520 <wcslen@plt>
   0x08048689 <+49>:    add    eax,0x1
   0x0804868c <+52>:    mov    DWORD PTR [esp],eax
   0x0804868f <+55>:    call   0x80484e0 <malloc@plt>
   0x08048694 <+60>:    mov    DWORD PTR [ebp-0xc],eax
   0x08048697 <+63>:    mov    DWORD PTR [esp+0x4],ebx
   0x0804869b <+67>:    mov    eax,DWORD PTR [ebp-0xc]
   0x0804869e <+70>:    mov    DWORD PTR [esp],eax
   0x080486a1 <+73>:    call   0x80484c0 <wcscpy@plt>
   0x080486a6 <+78>:    mov    DWORD PTR [ebp-0x18],0x0
   0x080486ad <+85>:    jmp    0x80486f7 <decrypt+159>
   0x080486af <+87>:    mov    DWORD PTR [ebp-0x18],0x0
   0x080486b6 <+94>:    jmp    0x80486e7 <decrypt+143>
   0x080486b8 <+96>:    mov    eax,DWORD PTR [ebp-0x1c]
   0x080486bb <+99>:    shl    eax,0x2
   0x080486be <+102>:   add    eax,DWORD PTR [ebp-0xc]
   0x080486c1 <+105>:   mov    edx,DWORD PTR [ebp-0x1c]
   0x080486c4 <+108>:   shl    edx,0x2
   0x080486c7 <+111>:   add    edx,DWORD PTR [ebp-0xc]
   0x080486ca <+114>:   mov    ecx,DWORD PTR [edx]
   0x080486cc <+116>:   mov    edx,DWORD PTR [ebp-0x18]
   0x080486cf <+119>:   shl    edx,0x2
   0x080486d2 <+122>:   add    edx,DWORD PTR [ebp+0xc]
   0x080486d5 <+125>:   mov    edx,DWORD PTR [edx]
   0x080486d7 <+127>:   mov    ebx,ecx
   0x080486d9 <+129>:   sub    ebx,edx
   0x080486db <+131>:   mov    edx,ebx
   0x080486dd <+133>:   mov    DWORD PTR [eax],edx
   0x080486df <+135>:   add    DWORD PTR [ebp-0x1c],0x1
   0x080486e3 <+139>:   add    DWORD PTR [ebp-0x18],0x1
   0x080486e7 <+143>:   mov    eax,DWORD PTR [ebp-0x18]
   0x080486ea <+146>:   cmp    eax,DWORD PTR [ebp-0x10]
   0x080486ed <+149>:   jge    0x80486f7 <decrypt+159>
   0x080486ef <+151>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x080486f2 <+154>:   cmp    eax,DWORD PTR [ebp-0x14]
   0x080486f5 <+157>:   jl     0x80486b8 <decrypt+96>
   0x080486f7 <+159>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x080486fa <+162>:   cmp    eax,DWORD PTR [ebp-0x14]
   0x080486fd <+165>:   jl     0x80486af <decrypt+87>
   0x080486ff <+167>:   mov    eax,DWORD PTR [ebp-0xc]
   0x08048702 <+170>:   add    esp,0x34
   0x08048705 <+173>:   pop    ebx
   0x08048706 <+174>:   pop    ebp
   0x08048707 <+175>:   ret
End of assembler dump.

Set a breakpoint on the ret:

gdb-peda$ b *0x08048707
Breakpoint 1 at 0x8048707

Check the breakpoint:

gdb-peda$ i b
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048707 <decrypt+175>

Run until the breakpoint is hit:

gdb-peda$ r
ESP: 0xffff58bc --> 0x8048725 (<authenticate+29>:       mov    DWORD PTR [ebp-0xc],eax)
EIP: 0x8048707 (<decrypt+175>:  ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048702 <decrypt+170>:     add    esp,0x34
   0x8048705 <decrypt+173>:     pop    ebx
   0x8048706 <decrypt+174>:     pop    ebp
=> 0x8048707 <decrypt+175>:     ret
   0x8048708 <authenticate>:    push   ebp
   0x8048709 <authenticate+1>:  mov    ebp,esp
   0x804870b <authenticate+3>:  sub    esp,0x8028
   0x8048711 <authenticate+9>:  mov    DWORD PTR [esp+0x4],0x8048a90
[------------------------------------stack-------------------------------------]
0000| 0xffff58bc --> 0x8048725 (<authenticate+29>:      mov    DWORD PTR [ebp-0xc],eax)
0004| 0xffff58c0 --> 0x8048aa8 --> 0x143a
0008| 0xffff58c4 --> 0x8048a90 --> 0x1401
0012| 0xffff58c8 --> 0x0
0016| 0xffff58cc --> 0x0
0020| 0xffff58d0 --> 0x0
0024| 0xffff58d4 --> 0x0
0028| 0xffff58d8 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048707 in decrypt ()

Inspect the value in the eax register:

gdb-peda$ x/6sw $eax
0x804d010:      U"9447{you_are_an_international_mystery}"
0x804d0ac:      U""
0x804d0b0:      U""
0x804d0b4:      U""
0x804d0b8:      U""
0x804d0bc:      U""

In x/6sw: 6 means show six items, s means display as strings, w means word (4-byte) units.

flag: 9447{you_are_an_international_mystery}. Submit it.
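As an added example (not the challenge's code or part of the original writeup), the decrypt() loop from the disassembly above reconstructed in C, plus an authenticate()-style compare; the names decrypt_like, encrypt_like and authenticate_like, the key "k3y", and the use of wcscmp for the compare are assumptions, since the page does not show which compare call the binary makes. The reconstruction also sizes its buffer in wchar_t units: the binary passes wcslen(s1)+1 bytes to malloc and then wcscpy()s a wide string into that chunk, a heap overrun consistent with the sysmalloc assertion seen when running the binary.

```c
#include <stdlib.h>
#include <wchar.h>

/* decrypt() reconstructed from the disassembly: enc is the first argument
 * ([ebp+0x8]), key the second ([ebp+0xc]). key[j] is subtracted from each
 * character of a copy of enc, with j restarting at 0 whenever the key is
 * exhausted. Returns a malloc'd wide string, or NULL on error. */
wchar_t *decrypt_like(const wchar_t *enc, const wchar_t *key) {
    size_t enc_len = wcslen(enc);              /* [ebp-0x14] */
    size_t key_len = wcslen(key);              /* [ebp-0x10] */
    if (key_len == 0)                          /* the binary's loops would never end */
        return NULL;
    /* The binary calls malloc(wcslen(enc) + 1), a byte count, then wcscpy()s
     * (enc_len + 1) * sizeof(wchar_t) bytes into it. Size it in wchar_t units. */
    wchar_t *out = malloc((enc_len + 1) * sizeof(wchar_t));   /* [ebp-0xc] */
    if (out == NULL)
        return NULL;
    wcscpy(out, enc);
    for (size_t i = 0; i < enc_len; )          /* outer loop, +159 */
        for (size_t j = 0; j < key_len && i < enc_len; ++i, ++j)   /* +143 */
            out[i] -= key[j];                  /* +96 .. +133 */
    return out;
}

/* Inverse transform, used only to build a constructed ciphertext for testing. */
wchar_t *encrypt_like(const wchar_t *plain, const wchar_t *key) {
    size_t n = wcslen(plain), k = wcslen(key);
    wchar_t *out = k ? malloc((n + 1) * sizeof(wchar_t)) : NULL;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; ++i)
        out[i] = plain[i] + key[i % k];
    out[n] = L'\0';
    return out;
}

/* authenticate()-style check: decrypt, then compare with the user's input.
 * The page does not show which compare call the binary uses; wcscmp is
 * assumed here. Returns 1 on match, 0 otherwise (including bad input). */
int authenticate_like(const wchar_t *input, const wchar_t *enc, const wchar_t *key) {
    wchar_t *flag = (input && enc && key) ? decrypt_like(enc, key) : NULL;
    int ok = flag != NULL && wcscmp(input, flag) == 0;
    free(flag);
    return ok;
}
```

Running decrypt_like on the binary's real (encrypted, key) pair would reproduce what the breakpoint shows in eax; with constructed data it shows the same key-cycling subtraction on a string whose plaintext you already know.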

[Figure 2]