[HackIM2020]returminator
挺有意思的题,给了三个文件: py (校验脚本)、elf (校验脚本里调用的 ./main) 和 data (脚本里读取的 blob)。
import subprocess
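# Byte length of each consecutive chunk of `blob`; every chunk is one complete
# payload handed to ./main on stdin (33 chunks in total).
o = [296, 272, 272, 272, 296, 360, 272, 424, 272, 208, 120, 120, 120, 96, 120, 120, 120, 120, 120, 120, 120, 208, 120, 120, 208, 208, 208, 208, 208, 272, 120, 208, 208]
# Expected exit status of ./main for each chunk, same order as `o`.
# Exit statuses are 8-bit, so every entry is in 0..255.
r = [208, 225, 237, 20, 214, 183, 79, 105, 207, 217, 125, 66, 123, 104, 97, 99, 107, 105, 109, 50, 48, 202, 111, 111, 29, 63, 223, 36, 0, 124, 100, 219, 32]
cmd = ['./main']
rets = []
with open('blob', 'rb') as f:
    for offset in o:
        data = f.read(offset)
        # NOTE(review): this runs ./main with whatever is in `blob`; if the
        # chunk is a ROP chain (see the writeup below) it executes arbitrary
        # gadgets inside that process, so run it in a throwaway VM/sandbox.
        p = subprocess.Popen(cmd, stdin=subprocess.PIPE)
        # communicate(data) writes stdin, closes it and waits. Writing through
        # p.stdin first and calling communicate() afterwards can raise
        # BrokenPipeError when the child exits before consuming the whole chunk.
        p.communicate(data)
        rets.append(p.returncode)
# List equality checks both length and element-wise equality, which is what
# the index-based all(...) comparison intended (it would raise IndexError if
# fewer results than expected were collected).
if rets == r:
    print('Yes!')
else:
    print('No!')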
这个 py 按 o 里的长度把 blob 切成 33 段, 每段通过 stdin 喂给 elf, 然后把每次的进程退出码与 r 中对应的值逐一比对。
看看elf
这个 read 读入的长度超过了栈上缓冲区, 可以覆盖返回地址, 也就是说 blob 里每一段数据会直接变成栈上的返回地址序列。看看 blob
明显是个 rop, 输入的内容是 gadget 地址和立即数交替排列, 每个 gadget 以 ret 结尾, 整条链像一个只有 rax/rdi/rsi/rdx/rcx 几个寄存器的小 vm, 最后用 mov rdi, rax; call _exit 把计算结果通过退出码带出来。从 0x4011xx 这种固定地址看, 二进制应该没开 PIE, 地址才能硬编码在 blob 里。
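# Gadget table for ./main: return address -> what the gadget does.
# Every entry ends in `ret`, so a sequence of them on the stack executes one
# after another; 0x4040a0 is not a gadget but the address of the flag buffer,
# which each chain pops into rax before adding a byte offset to it.
v = {
    0x40119a: "pop rdi retn",
    0x40119C: "pop rsi retn",
    0x40119E: "pop rdx retn",
    0x4011A0: "pop rcx retn",
    0x4011A2: "pop rax retn",
    0x4011A4: "add rax, rdi retn",
    0x4011A8: "add rax, rsi retn",
    0x4011AC: "add rax, rdx retn",
    0x4011B0: "add rax, rcx retn",
    0x4011B4: "add rax, rax retn",
    0x4011B8: "add rax, 1 retn",
    0x4011BD: "xor rax, rax retn",
    0x4011C1: "sub rax, rdi retn",
    0x4011C5: "sub rax, rsi retn",
    0x4011C9: "sub rax, rdx retn",
    0x4011CD: "sub rax, rcx retn",
    0x4011D1: "sub rax, 1 retn",
    0x4011D6: "movzx rdi, byte ptr [rdi] retn",
    0x4011DB: "movzx rsi, byte ptr [rsi] retn",
    0x4011E0: "movzx rdx, byte ptr [rdx] retn",
    0x4011E5: "movzx rcx, byte ptr [rcx] retn",
    0x4011EA: "mov rdi, rax retn",
    0x4011EE: "mov rsi, rax retn",
    0x4011F2: "mov rdx, rax retn",
    0x4011F6: "mov rcx, rax retn",
    0x4011FA: "mov edi, 0 ;call _exit",
    0x4011FF: "call _exit",
    0x4040a0: "flag",
}

# Chunk lengths of `blob`, identical to the list in the checker script.
o = [296, 272, 272, 272, 296, 360, 272, 424, 272, 208, 120, 120, 120, 96, 120, 120, 120, 120, 120, 120, 120, 208, 120, 120, 208, 208, 208, 208, 208, 272, 120, 208, 208]

# b'aaaaaaaa': stack filler that sits between the input buffer and the first
# overwritten return address; carries no meaning for the chain.
PADDING_QWORD = 0x6161616161616161


def decode_chain(data, gadgets=v):
    """Translate one raw chain (one chunk of blob) into readable lines.

    The chunk is consumed in little-endian 8-byte slots. Each slot is
    either a padding qword (dropped), a known address from `gadgets`
    (rendered as its description), or any other value (rendered as hex);
    the latter are the immediates consumed by the preceding `pop` gadget.

    Args:
        data: raw bytes of a single chunk. A trailing partial qword is
            converted as a shorter integer, as int.from_bytes does.
        gadgets: mapping from address to description; defaults to `v`.

    Returns:
        One string per non-padding slot, in chain order.
    """
    lines = []
    for pos in range(0, len(data), 8):
        word = int.from_bytes(data[pos:pos + 8], 'little')
        if word == PADDING_QWORD:
            continue
        lines.append(gadgets.get(word, hex(word)))
    return lines


if __name__ == '__main__':
    # Walk blob chunk by chunk and print every chain separated by a rule.
    with open('blob', 'rb') as f:
        for offset in o:
            for line in decode_chain(f.read(offset)):
                print(line)
            print("======================================")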
得到
pop rax retn flag pop rdi retn 0x0 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x2 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x4 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn pop rdi retn 0x64 sub rax, rdi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x6 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x8 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0xa add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0xc add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xe add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x10 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x12 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x1 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x1e add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn sub rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x3 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x16 add rax, rsi retn mov rsi, rax retn 
movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x3 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn pop rdi retn 0x64 sub rax, rdi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x5 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x1d add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x1c add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn pop rax retn flag pop rcx retn 0x7 add rax, rcx retn mov rcx, rax retn movzx rcx, byte ptr [rcx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn sub rax, rcx retn pop rdi retn 0x64 sub rax, rdi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x9 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x11 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0xb add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn sub rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x13 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x1b add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn mov rcx, rax retn pop rax retn flag pop rdi retn 0xd add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xf add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x14 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn 
add rax, rdx retn sub rax, rcx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x15 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x17 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x17 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn add rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x19 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x1a add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1e add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x9 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x8 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x2 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x3 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x4 add rax, rdi retn mov rdi, rax retn movzx rdi, byte 
ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x5 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x6 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x7 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0xb add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x0 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1d add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1d add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1d add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xd add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn sub rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1c add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xe add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn sub rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1c add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xf add rax, rsi retn mov rsi, rax retn movzx rsi, byte 
ptr [rsi] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x0 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x1b add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn sub rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x17 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x18 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn sub rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x1a add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x0 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn pop rax retn flag pop rdx retn 0x1 add rax, rdx retn mov rdx, rax retn movzx rdx, byte ptr [rdx] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn sub rax, rdx retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x13 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn call _exit ====================================== pop rax retn flag pop rdi retn 0xb add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0xc add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn add rax, rsi retn mov rdi, rax retn call _exit ====================================== pop rax retn flag pop rdi retn 0x15 add rax, rdi retn mov rdi, rax retn movzx rdi, byte ptr [rdi] retn pop rax retn flag pop rsi retn 0x14 add rax, rsi retn mov rsi, rax retn movzx rsi, byte ptr [rsi] retn xor rax, rax retn add rax, rdi retn sub rax, rsi retn mov rdi, rax retn 
call _exit ======================================
分析即可得到 flag: 每一段链把 flag 中若干个偏移处的字节取出来 (movzx), 做加减 (部分还减去 0x64), 再把结果作为 _exit 的参数返回, 所以每一段对应一个关于 flag 字节的线性等式, 右边就是 r 里对应的退出码。有些段只取单个字节, 可以直接读出字符 (例如第 14 段起依次给出 flag[0..7] = "hackim20"); 其余的列成方程组 (手算或 z3) 即可。注意退出码只保留低 8 位, 解方程时要按 mod 256 处理。