strcmp usage and a simulated implementation: XCTF 攻防世界 reverse learning - no-strings-attached
Challenge description
Checking the file information:
root@kali:~/Desktop# file no-strings-attached
no-strings-attached: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=c8d273ed1363a1878f348d6c506048f2354849d0, not stripped
Running it produces an error:
root@kali:~/Desktop# ./no-strings-attached
Welcome to cyber malware control software.
Currently tracking 752945626 bots worldwide
no-strings-attached: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted
Drag the binary into IDA and press Shift+F12 (strings window).
No useful strings are found.
Decompile with F5. Looking through the output, authenticate() is the important function; from the analysis of the decompiled code, s2 is the flag we need.
s2 is produced by the decrypt() function.
Looking at the assembly, decrypt's return value is left in eax.
Debugging with GDB
# disass decrypt: view the assembly of decrypt
gdb-peda$ disass decrypt
Dump of assembler code for function decrypt:
   0x08048658 <+0>:     push   ebp
   0x08048659 <+1>:     mov    ebp,esp
   0x0804865b <+3>:     push   ebx
   0x0804865c <+4>:     sub    esp,0x34
   0x0804865f <+7>:     mov    eax,DWORD PTR [ebp+0x8]
   0x08048662 <+10>:    mov    DWORD PTR [esp],eax
   0x08048665 <+13>:    call   0x8048520 <wcslen@plt>
   0x0804866a <+18>:    mov    DWORD PTR [ebp-0x14],eax
   0x0804866d <+21>:    mov    eax,DWORD PTR [ebp+0xc]
   0x08048670 <+24>:    mov    DWORD PTR [esp],eax
   0x08048673 <+27>:    call   0x8048520 <wcslen@plt>
   0x08048678 <+32>:    mov    DWORD PTR [ebp-0x10],eax
   0x0804867b <+35>:    mov    ebx,DWORD PTR [ebp+0x8]
   0x0804867e <+38>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048681 <+41>:    mov    DWORD PTR [esp],eax
   0x08048684 <+44>:    call   0x8048520 <wcslen@plt>
   0x08048689 <+49>:    add    eax,0x1
   0x0804868c <+52>:    mov    DWORD PTR [esp],eax
   0x0804868f <+55>:    call   0x80484e0 <malloc@plt>
   0x08048694 <+60>:    mov    DWORD PTR [ebp-0xc],eax
   0x08048697 <+63>:    mov    DWORD PTR [esp+0x4],ebx
   0x0804869b <+67>:    mov    eax,DWORD PTR [ebp-0xc]
   0x0804869e <+70>:    mov    DWORD PTR [esp],eax
   0x080486a1 <+73>:    call   0x80484c0 <wcscpy@plt>
   0x080486a6 <+78>:    mov    DWORD PTR [ebp-0x18],0x0
   0x080486ad <+85>:    jmp    0x80486f7 <decrypt+159>
   0x080486af <+87>:    mov    DWORD PTR [ebp-0x18],0x0
   0x080486b6 <+94>:    jmp    0x80486e7 <decrypt+143>
   0x080486b8 <+96>:    mov    eax,DWORD PTR [ebp-0x1c]
   0x080486bb <+99>:    shl    eax,0x2
   0x080486be <+102>:   add    eax,DWORD PTR [ebp-0xc]
   0x080486c1 <+105>:   mov    edx,DWORD PTR [ebp-0x1c]
   0x080486c4 <+108>:   shl    edx,0x2
   0x080486c7 <+111>:   add    edx,DWORD PTR [ebp-0xc]
   0x080486ca <+114>:   mov    ecx,DWORD PTR [edx]
   0x080486cc <+116>:   mov    edx,DWORD PTR [ebp-0x18]
   0x080486cf <+119>:   shl    edx,0x2
   0x080486d2 <+122>:   add    edx,DWORD PTR [ebp+0xc]
   0x080486d5 <+125>:   mov    edx,DWORD PTR [edx]
   0x080486d7 <+127>:   mov    ebx,ecx
   0x080486d9 <+129>:   sub    ebx,edx
   0x080486db <+131>:   mov    edx,ebx
   0x080486dd <+133>:   mov    DWORD PTR [eax],edx
   0x080486df <+135>:   add    DWORD PTR [ebp-0x1c],0x1
   0x080486e3 <+139>:   add    DWORD PTR [ebp-0x18],0x1
   0x080486e7 <+143>:   mov    eax,DWORD PTR [ebp-0x18]
   0x080486ea <+146>:   cmp    eax,DWORD PTR [ebp-0x10]
   0x080486ed <+149>:   jge    0x80486f7 <decrypt+159>
   0x080486ef <+151>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x080486f2 <+154>:   cmp    eax,DWORD PTR [ebp-0x14]
   0x080486f5 <+157>:   jl     0x80486b8 <decrypt+96>
   0x080486f7 <+159>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x080486fa <+162>:   cmp    eax,DWORD PTR [ebp-0x14]
   0x080486fd <+165>:   jl     0x80486af <decrypt+87>
   0x080486ff <+167>:   mov    eax,DWORD PTR [ebp-0xc]
   0x08048702 <+170>:   add    esp,0x34
   0x08048705 <+173>:   pop    ebx
   0x08048706 <+174>:   pop    ebp
   0x08048707 <+175>:   ret
End of assembler dump.
Set a breakpoint on the ret of decrypt, so eax holds the returned buffer:
gdb-peda$ b *0x08048707
Breakpoint 1 at 0x8048707
List the breakpoints:
gdb-peda$ i b
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048707 <decrypt+175>
Run until the breakpoint is hit:
gdb-peda$ r
ESP: 0xffff58bc --> 0x8048725 (<authenticate+29>:       mov    DWORD PTR [ebp-0xc],eax)
EIP: 0x8048707 (<decrypt+175>:  ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048702 <decrypt+170>:     add    esp,0x34
   0x8048705 <decrypt+173>:     pop    ebx
   0x8048706 <decrypt+174>:     pop    ebp
=> 0x8048707 <decrypt+175>:     ret
   0x8048708 <authenticate>:    push   ebp
   0x8048709 <authenticate+1>:  mov    ebp,esp
   0x804870b <authenticate+3>:  sub    esp,0x8028
   0x8048711 <authenticate+9>:  mov    DWORD PTR [esp+0x4],0x8048a90
[------------------------------------stack-------------------------------------]
0000| 0xffff58bc --> 0x8048725 (<authenticate+29>:      mov    DWORD PTR [ebp-0xc],eax)
0004| 0xffff58c0 --> 0x8048aa8 --> 0x143a
0008| 0xffff58c4 --> 0x8048a90 --> 0x1401
0012| 0xffff58c8 --> 0x0
0016| 0xffff58cc --> 0x0
0020| 0xffff58d0 --> 0x0
0024| 0xffff58d4 --> 0x0
0028| 0xffff58d8 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048707 in decrypt ()
Inspect the memory that eax points to:
gdb-peda$ x/6sw $eax
0x804d010: U"9447{you_are_an_international_mystery}"
0x804d0ac: U""
0x804d0b0: U""
0x804d0b4: U""
0x804d0b8: U""
0x804d0bc: U""
6: display 6 entries
s: as strings
w: in word (4-byte) units, i.e. one wide character each
flag: 9447{you_are_an_international_mystery}
Submit it.
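To make the loop in the disassembly concrete, here is an added C reconstruction of decrypt() (example code, not the challenge author's source), read off the gdb-peda listing and cross-checked against the stack dump at the ret breakpoint. It also explains the crash seen when the binary is first run: the code at +49..+55 asks malloc for wcslen(s)+1 bytes, but the wcscpy at +73 writes (wcslen(s)+1)*sizeof(wchar_t) bytes, a heap overflow that is what trips the sysmalloc assertion. The function names (decrypt_fixed, encrypt_for_test, bytes_requested, bytes_written, first_flag_char, roundtrip_ok), the sample key "ctf" and the plaintext "9447{sample_flag}" are all constructed for this example; the real key and ciphertext are not on this page, only their first wide characters (0x143a and 0x1401 from the stack dump) are.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Added example: a C reconstruction of decrypt() from the gdb-peda
 * disassembly above, not the challenge author's source.
 * Stack-slot mapping read off the listing:
 *   [ebp-0x14] = wcslen(s)         [ebp-0x10] = wcslen(key)
 *   [ebp-0xc]  = buf = malloc(wcslen(s) + 1); wcscpy(buf, s);
 *   [ebp-0x1c] = i (index into buf), [ebp-0x18] = j (index into key)
 *   loop body:  buf[i] = buf[i] - key[j]
 */

/* Bytes the binary asks malloc for (+49..+55: wcslen(s), add 1, malloc). */
size_t bytes_requested(const wchar_t *s) {
    return wcslen(s) + 1;
}

/* Bytes wcscpy actually writes into that chunk (+73): one wchar_t per
 * character plus the terminator. With sizeof(wchar_t) == 4 the chunk is
 * overrun by roughly 3x its size; that heap overflow is what trips the
 * sysmalloc assertion printed when the binary is run. */
size_t bytes_written(const wchar_t *s) {
    return (wcslen(s) + 1) * sizeof(wchar_t);
}

/* Same algorithm as the disassembly, with the allocation sized correctly.
 * Returns a malloc'ed wide string the caller must free, or NULL. */
wchar_t *decrypt_fixed(const wchar_t *s, const wchar_t *key) {
    size_t len_s = wcslen(s);
    size_t len_key = wcslen(key);
    /* Hardening not present in the binary: with an empty key the inner
     * loop never advances i and the original would spin forever. */
    if (len_key == 0)
        return NULL;
    wchar_t *buf = malloc((len_s + 1) * sizeof(wchar_t));
    if (buf == NULL)
        return NULL;
    wcscpy(buf, s);
    size_t i = 0;
    while (i < len_s) {                                          /* +159..+165 */
        for (size_t j = 0; j < len_key && i < len_s; ++i, ++j)  /* +87..+157 */
            buf[i] = buf[i] - key[j];                            /* +96..+133 */
    }
    return buf;
}

/* Inverse of decrypt_fixed (adds the key instead of subtracting it).
 * Exists only to build constructed test data; the binary has no such routine.
 * j cycles through the key exactly as the nested loops above do. */
wchar_t *encrypt_for_test(const wchar_t *plain, const wchar_t *key) {
    size_t len_p = wcslen(plain);
    size_t len_key = wcslen(key);
    if (len_key == 0)
        return NULL;
    wchar_t *buf = malloc((len_p + 1) * sizeof(wchar_t));
    if (buf == NULL)
        return NULL;
    wcscpy(buf, plain);
    for (size_t i = 0; i < len_p; ++i)
        buf[i] = buf[i] + key[i % len_key];
    return buf;
}

/* Cross-check against the page's own data: at the ret breakpoint the two
 * arguments on the stack begin 0x143a (s) and 0x1401 (key), and
 * 0x143a - 0x1401 == 0x39 == L'9', the first character of the flag. */
wchar_t first_flag_char(void) {
    wchar_t *out = decrypt_fixed(L"\x143a", L"\x1401");
    wchar_t c = out ? out[0] : 0;
    free(out);
    return c;
}

/* Round trip on constructed data: 1 when decrypt_fixed recovers plain. */
int roundtrip_ok(const wchar_t *plain, const wchar_t *key) {
    wchar_t *enc = encrypt_for_test(plain, key);
    wchar_t *dec = enc ? decrypt_fixed(enc, key) : NULL;
    int ok = dec != NULL && wcscmp(dec, plain) == 0;
    free(enc);
    free(dec);
    return ok;
}

int main(void) {
    const wchar_t *plain = L"9447{sample_flag}";  /* constructed, not the real flag */
    const wchar_t *key = L"ctf";                  /* constructed sample key */
    printf("malloc asked for %zu bytes, wcscpy writes %zu bytes\n",
           bytes_requested(plain), bytes_written(plain));
    printf("first flag char from the stack values: %c\n", (char)first_flag_char());
    printf("round trip ok: %d\n", roundtrip_ok(plain, key));
    return 0;
}
```

Compile with `gcc -Wall -o decrypt_example decrypt_example.c` and run it. The round trip confirms the reading of the nested loops (j resets to 0 whenever it reaches wcslen(key), so the key is applied cyclically), and the 0x143a - 0x1401 check ties the reconstruction back to the stack dump on this page. The gdb approach in the writeup sidesteps all of this by letting the binary do the subtraction and reading the result from eax, which is why the undersized allocation only matters as an explanation of the abort, not as an obstacle.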