stringstream 性能(XCTF-攻防世界-reverse学习-no-strings-attached)
文件信息查看
root@kali:~/Desktop# file no-strings-attached
no-strings-attached: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=c8d273ed1363a1878f348d6c506048f2354849d0, not stripped
root@kali:~/Desktop# ./no-strings-attached
Welcome to cyber malware control software.
Currently tracking 752945626 bots worldwide
no-strings-attached: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted
直接运行未发现有用信息。上面的 malloc 断言失败来自程序自身的堆破坏（后面的汇编可以看到 decrypt 用 wcslen(s)+1 个字节去 malloc，却用 wcscpy 写入 4 字节宽字符），与解题无关。
反汇编并按 F5 反编译
经过查看，authenticate() 为关键函数；分析下面的代码可知，s2 即为我们需要的 flag。
s2 由 decrypt() 函数产生：从下面的汇编可以看到，它把第一个参数逐个宽字符减去第二个参数的对应字符（sub ebx,edx），结果就是 flag，因此不必手工还原算法，在函数返回处直接读取结果即可。
查看汇编代码可知，decrypt 的返回值保存在 eax 中。
# disass decrypt 查看汇编代码
gdb-peda$ disass decrypt
Dump of assembler code for function decrypt:
0x08048658 <+0>: push ebp
0x08048659 <+1>: mov ebp,esp
0x0804865b <+3>: push ebx
0x0804865c <+4>: sub esp,0x34
0x0804865f <+7>: mov eax,DWORD PTR [ebp+0x8]
0x08048662 <+10>: mov DWORD PTR [esp],eax
0x08048665 <+13>: call 0x8048520 <wcslen@plt>
0x0804866a <+18>: mov DWORD PTR [ebp-0x14],eax
0x0804866d <+21>: mov eax,DWORD PTR [ebp+0xc]
0x08048670 <+24>: mov DWORD PTR [esp],eax
0x08048673 <+27>: call 0x8048520 <wcslen@plt>
0x08048678 <+32>: mov DWORD PTR [ebp-0x10],eax
0x0804867b <+35>: mov ebx,DWORD PTR [ebp+0x8]
0x0804867e <+38>: mov eax,DWORD PTR [ebp+0x8]
0x08048681 <+41>: mov DWORD PTR [esp],eax
0x08048684 <+44>: call 0x8048520 <wcslen@plt>
0x08048689 <+49>: add eax,0x1
0x0804868c <+52>: mov DWORD PTR [esp],eax
0x0804868f <+55>: call 0x80484e0 <malloc@plt>
0x08048694 <+60>: mov DWORD PTR [ebp-0xc],eax
0x08048697 <+63>: mov DWORD PTR [esp+0x4],ebx
0x0804869b <+67>: mov eax,DWORD PTR [ebp-0xc]
0x0804869e <+70>: mov DWORD PTR [esp],eax
0x080486a1 <+73>: call 0x80484c0 <wcscpy@plt>
0x080486a6 <+78>: mov DWORD PTR [ebp-0x18],0x0
0x080486ad <+85>: jmp 0x80486f7 <decrypt+159>
0x080486af <+87>: mov DWORD PTR [ebp-0x18],0x0
0x080486b6 <+94>: jmp 0x80486e7 <decrypt+143>
0x080486b8 <+96>: mov eax,DWORD PTR [ebp-0x1c]
0x080486bb <+99>: shl eax,0x2
0x080486be <+102>: add eax,DWORD PTR [ebp-0xc]
0x080486c1 <+105>: mov edx,DWORD PTR [ebp-0x1c]
0x080486c4 <+108>: shl edx,0x2
0x080486c7 <+111>: add edx,DWORD PTR [ebp-0xc]
0x080486ca <+114>: mov ecx,DWORD PTR [edx]
0x080486cc <+116>: mov edx,DWORD PTR [ebp-0x18]
0x080486cf <+119>: shl edx,0x2
0x080486d2 <+122>: add edx,DWORD PTR [ebp+0xc]
0x080486d5 <+125>: mov edx,DWORD PTR [edx]
0x080486d7 <+127>: mov ebx,ecx
0x080486d9 <+129>: sub ebx,edx
0x080486db <+131>: mov edx,ebx
0x080486dd <+133>: mov DWORD PTR [eax],edx
0x080486df <+135>: add DWORD PTR [ebp-0x1c],0x1
0x080486e3 <+139>: add DWORD PTR [ebp-0x18],0x1
0x080486e7 <+143>: mov eax,DWORD PTR [ebp-0x18]
0x080486ea <+146>: cmp eax,DWORD PTR [ebp-0x10]
0x080486ed <+149>: jge 0x80486f7 <decrypt+159>
0x080486ef <+151>: mov eax,DWORD PTR [ebp-0x1c]
0x080486f2 <+154>: cmp eax,DWORD PTR [ebp-0x14]
0x080486f5 <+157>: jl 0x80486b8 <decrypt+96>
0x080486f7 <+159>: mov eax,DWORD PTR [ebp-0x1c]
0x080486fa <+162>: cmp eax,DWORD PTR [ebp-0x14]
0x080486fd <+165>: jl 0x80486af <decrypt+87>
0x080486ff <+167>: mov eax,DWORD PTR [ebp-0xc]
0x08048702 <+170>: add esp,0x34
0x08048705 <+173>: pop ebx
0x08048706 <+174>: pop ebp
0x08048707 <+175>: ret
End of assembler dump.
gdb-peda$ b *0x08048707
Breakpoint 1 at 0x8048707
查看断点信息
gdb-peda$ i b
Num Type Disp Enb Address What
1 breakpoint keep y 0x08048707 <decrypt+175>
执行到断点
gdb-peda$ r
ESP: 0xffff58bc --> 0x8048725 (<authenticate+29>: mov DWORD PTR [ebp-0xc],eax)
EIP: 0x8048707 (<decrypt+175>: ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048702 <decrypt+170>: add esp,0x34
0x8048705 <decrypt+173>: pop ebx
0x8048706 <decrypt+174>: pop ebp
=> 0x8048707 <decrypt+175>: ret
0x8048708 <authenticate>: push ebp
0x8048709 <authenticate+1>: mov ebp,esp
0x804870b <authenticate+3>: sub esp,0x8028
0x8048711 <authenticate+9>: mov DWORD PTR [esp+0x4],0x8048a90
[------------------------------------stack-------------------------------------]
0000| 0xffff58bc --> 0x8048725 (<authenticate+29>: mov DWORD PTR [ebp-0xc],eax)
0004| 0xffff58c0 --> 0x8048aa8 --> 0x143a
0008| 0xffff58c4 --> 0x8048a90 --> 0x1401
0012| 0xffff58c8 --> 0x0
0016| 0xffff58cc --> 0x0
0020| 0xffff58d0 --> 0x0
0024| 0xffff58d4 --> 0x0
0028| 0xffff58d8 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048707 in decrypt ()
gdb-peda$ x/6sw $eax
0x804d010: U"9447{you_are_an_international_mystery}"
0x804d0ac: U""
0x804d0b0: U""
0x804d0b4: U""
0x804d0b8: U""
0x804d0bc: U""
6：显示 6 个数据单元（这里即 6 个字符串）
s：以字符串形式显示
w：以 word（4 字节）为单位，因此按 4 字节宽字符解码
flag:9447{you_are_an_international_mystery}