攻防世界 serial-150: IDA dynamic debugging
A fairly complete record of how I solved it. It's very basic; treat it as a walk-through of the challenge. Experts, feel free to skip.
Challenge
Analysis
Loading it into PE shows it is a 64-bit ELF.
Loading it into IDA and looking at the strings turns up a clue.
But double-clicking into it doesn't lead to assembly; it's the read-only .rodata section.
There aren't many functions on the left, and there's no main function. Step into the start function first, and main turns up there.
Stepping into it lands directly in red-highlighted assembly, followed by a pile of junk (obfuscating) instructions.
Look at the first few instructions first.
It addresses locals through rbp, and rsp is moved by 0x200 to open up a buffer.
The next two segments don't change the stack; they just repeat according to the counter rcx.
It's clearer in gdb: when execution reaches the rep instruction, keep stepping over with 'n'; RCX decrements until it reaches 0, while RDI increases by 8 each time.
Run the program to see. (The name was annoyingly long, so I renamed it to 1.)
I happen to be learning pwn lately, so I used the pwn tooling to look at main.
There's more below; I didn't keep taking screenshots.
Combined with IDA, the junk instructions turn out to be at address 0x400A00.
But in gdb there is real assembly at address 0x400A00, with some (bad) parts in between.
Later, reading other people's write-ups, it seems this might be an IDA issue; many write-ups don't have the junk-instruction part at all.
The red-boxed part below is 'E' in IDA; it's used to compare whether the input meets the requirement and is the key part, but it's hard to make out in gdb, so that tool isn't enough here.
The write-ups also say there is dynamic code that changes at runtime, so dynamic debugging in IDA is needed.
IDA dynamic debugging
Preparation: there's no Windows debugger for this, so it has to be the Linux debugger.
Not knowing where the key assembly is, I set a breakpoint on the very first instruction of main just in case.
Keep stepping over with F8; whenever the dialog below pops up, choose YES.
Execution stops on the line below and won't go further.
At the same time, in Kali:
You can see this is where the input happens; type anything, press Enter, and continue debugging.
Keep pressing F8, click YES once more, keep pressing F8, and you arrive at the place below.
Focus on the assembly below:
- rbp-200h: the location rsp (the stack top) points to, i.e. the top of the newly opened buffer. Since the instructions above it are the input, it presumably holds what we typed.
- call _strlen: clearly a function dealing with the length of the input string.
- cmp rax, 10h: this instruction is mostly used for comparison; if the value in rax equals 0x10, ZF=1.
- jz short near ptr loc_400A3B+1: jz jumps when ZF=1.
What this block does: check whether the input string's length is 0x10, i.e. 16.
Restart debugging and enter a 16-character string, for example abcdefghijklmnop.
The jump condition is met and we reach the place below.
Double-click to look at the stack.
It turns out to be the first character of the input, and it has to equal 'E'.
Restart debugging with the input: Ebcdefghijklmnop
The condition holds, the jump is taken, and we arrive below.
Look at the stack at [rbp-200h] and at [rbp-1F1h] respectively.
edx holds the first character.
eax holds the last character.
add eax, edx
cmp eax, 9Bh
Their sum must equal 0x9B.
So the last character is: V
Restart debugging with the input EbcdefghijklmnoV, and we arrive somewhere new.
Look at the stack: rbp-1FFh is the second character of the input, and it must equal 'Z'.
Restart debugging with the input EZcdefghijklmnoV, and we arrive somewhere new.
Isn't this check the same logic as before?
Look at the stack at rbp-1F2h: it's the second-to-last character, and the second character plus the second-to-last must equal 9Bh.
So the second-to-last character is: A
The rest of the logic is the same: a character is given at some position from the front; subtract it from 0x9B and you get the character at the same position from the back.
I won't list them all out here.
Here is the debugging log directly.
IDA Linux 64-bit remote debug server(ST) v7.5.26. Hex-Rays (c) 2004-2020
Listening on 0.0.0.0:23946...
2024-05-02 01:55:05 [1] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
123456
Serial number is not valid!
2024-05-02 02:30:53 [1] Closing connection from 192.168.136.1...
2024-05-02 02:31:01 [2] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
abcdefghijklmnop
Serial number is not valid!
2024-05-02 02:35:46 [2] Closing connection from 192.168.136.1...
2024-05-02 02:35:48 [3] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
Ebcdefghijklmnop
Serial number is not valid!
2024-05-02 02:46:00 [3] Closing connection from 192.168.136.1...
2024-05-02 02:46:01 [4] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EbcdefghijklmnoV
Serial number is not valid!
2024-05-02 02:48:59 [4] Closing connection from 192.168.136.1...
2024-05-02 02:49:00 [5] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZcdefghijklmnoV
Serial number is not valid!
2024-05-02 02:56:47 [5] Closing connection from 192.168.136.1...
2024-05-02 02:56:50 [6] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZcdefghijklmnAV
Serial number is not valid!
2024-05-02 02:57:42 [6] Closing connection from 192.168.136.1...
2024-05-02 02:57:43 [7] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijklmnAV
Serial number is not valid!
2024-05-02 02:58:30 [7] Closing connection from 192.168.136.1...
2024-05-02 02:58:32 [8] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijklmbAV
Serial number is not valid!
2024-05-02 02:59:31 [8] Closing connection from 192.168.136.1...
2024-05-02 02:59:32 [9] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9defghijkl7bAV
Serial number is not valid!
2024-05-02 03:00:22 [9] Closing connection from 192.168.136.1...
2024-05-02 03:00:23 [10] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmfghijkG7bAV
Serial number is not valid!
2024-05-02 03:01:15 [10] Closing connection from 192.168.136.1...
2024-05-02 03:01:16 [11] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmqghij9G7bAV
Serial number is not valid!
2024-05-02 03:02:17 [11] Closing connection from 192.168.136.1...
2024-05-02 03:02:17 [12] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmq4hig9G7bAV
Serial number is not valid!
2024-05-02 03:03:09 [12] Closing connection from 192.168.136.1...
2024-05-02 03:03:10 [13] Accepting connection from 192.168.136.1...
Looking for GNU DWARF file at "/usr/lib/debug/.build-id/77/e92e8b1bd4f26641bab4dbf563037a7b9538d2.debug"... no.
Please Enter the valid key!
EZ9dmq4c8g9G7bAV
Serial number is valid :)
2024-05-02 03:04:09 [13] Closing connection from 192.168.136.1...
flag
EZ9dmq4c8g9G7bAV
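As an added example that is not part of the original write-up, the Python below models the checks recovered during debugging (length 16, fixed characters at the front, mirrored pairs summing to 0x9B) as data, derives the mirrored characters the same way the write-up does by hand, and then audits every mirrored pair of the key the log finally accepts. The function names and the per-pair audit are my own additions; the constants and inputs all come from the write-up.

```python
# Added example (not from the original write-up): encode the checks recovered
# by stepping through main, derive mirrored characters, and audit the accepted key.

KEY_LEN = 16        # strlen result compared with 10h
PAIR_SUM = 0x9B     # add eax, edx ; cmp eax, 9Bh
ACCEPTED_KEY = "EZ9dmq4c8g9G7bAV"   # input the debug log marks "Serial number is valid :)"

# Constraints the write-up recovered one debug run at a time: characters pinned
# at index i, and mirror positions (i, 15-i) whose bytes must sum to 0x9B.
FIXED_CHARS = {0: "E", 1: "Z"}
MIRROR_PAIRS = [(0, 15), (1, 14)]


def mirror_char(c: str, pair_sum: int = PAIR_SUM) -> str:
    """Character at index 15-i implied by the character at index i (0x9B minus it)."""
    return chr(pair_sum - ord(c))


def passes_recovered_checks(key: str) -> bool:
    """Apply only the checks the write-up walked through: length, pinned chars, pair sums."""
    if len(key) != KEY_LEN:
        return False
    if any(key[i] != c for i, c in FIXED_CHARS.items()):
        return False
    return all(ord(key[i]) + ord(key[j]) == PAIR_SUM for i, j in MIRROR_PAIRS)


def pair_sums(key: str) -> list[int]:
    """Sum of every mirrored pair (i, 15-i); shows which pairs actually use 0x9B."""
    return [ord(key[i]) + ord(key[KEY_LEN - 1 - i]) for i in range(KEY_LEN // 2)]


def main() -> None:
    print("mirror of 'E':", mirror_char("E"))   # V, as derived in the write-up
    print("mirror of 'Z':", mirror_char("Z"))   # A
    for probe in ("abcdefghijklmnop", "Ebcdefghijklmnop", ACCEPTED_KEY):
        print(f"{probe}: passes recovered checks = {passes_recovered_checks(probe)}")
    # Audit: in the accepted key, pairs (4,11) and (5,10) do not sum to 0x9B, so
    # "0x9B minus the known character" only covers the pairs worked out by hand;
    # the remaining pairs were fixed by reading the stack at each stop.
    for i, s in enumerate(pair_sums(ACCEPTED_KEY)):
        j = KEY_LEN - 1 - i
        print(f"pair ({i},{j}) {ACCEPTED_KEY[i]}+{ACCEPTED_KEY[j]} = {s:#x}")


if __name__ == "__main__":
    main()
```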