hitcon training [LAB 1]
1. 문제
1) mitigation 확인 (checksec 결과는 캡처 참고 — 아래 디컴파일 코드의 `__readgsdword(0x14u)` / 마지막 XOR 반환 패턴으로 보아 stack canary는 켜져 있음을 코드만으로도 알 수 있다)
2) 문제 확인
2-1) main함수
// Program entry (decompiler output): switch stdout to unbuffered mode so the
// flag bytes written by putchar() appear immediately, then run the challenge.
// The decompiler resolved the stream argument as `_bss_start`; in the original
// binary this is presumably `stdout` (symbol mis-resolution) -- confirm in IDA.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  // setvbuf(stream, buf=NULL, mode=2 (_IONBF), size=0): no buffering.
  setvbuf(_bss_start, NULL, _IONBF, 0);
  get_flag();
  return 0;
}
2-2) get_flag함수
// Challenge routine (decompiler output). Reads 4 fresh bytes from /dev/urandom
// and prints the flag only if the user's scanf("%d") input equals them -- a
// 1-in-2^32 chance per run, so the intended solution is to force the
// comparison (or skip it) in a debugger. The flag is never stored in clear:
// it is produced by XORing two 49-byte tables that live on the stack.
//
// Returns the stack-protector check value (fresh canary XOR saved canary); the
// decompiler folds the __stack_chk_fail branch into this expression and the
// caller (main) ignores the result.
//
// NOTE(review): the byte-indexing below (`&v5 + i`, `(_BYTE *)&v54 + i`) walks
// across separately declared locals and only works because of the exact stack
// layout the compiler produced (see the [ebp-XXh] offsets); as C source this is
// not portable and must not be "cleaned up" by re-ordering declarations.
unsigned int get_flag()
{
int buf; // [esp+8h] [ebp-80h]   4 random bytes; stays uninitialized if open()/read() fail (return values are never checked)
int v2; // [esp+Ch] [ebp-7Ch]   user input; stays uninitialized if scanf() fails to parse (return value never checked)
unsigned int i; // [esp+10h] [ebp-78h]
int fd; // [esp+14h] [ebp-74h]
// v5..v53: 49 consecutive stack bytes (ebp-6Fh .. ebp-3Fh) = XOR table #1.
char v5; // [esp+19h] [ebp-6Fh]
char v6; // [esp+1Ah] [ebp-6Eh]
char v7; // [esp+1Bh] [ebp-6Dh]
char v8; // [esp+1Ch] [ebp-6Ch]
char v9; // [esp+1Dh] [ebp-6Bh]
char v10; // [esp+1Eh] [ebp-6Ah]
char v11; // [esp+1Fh] [ebp-69h]
char v12; // [esp+20h] [ebp-68h]
char v13; // [esp+21h] [ebp-67h]
char v14; // [esp+22h] [ebp-66h]
char v15; // [esp+23h] [ebp-65h]
char v16; // [esp+24h] [ebp-64h]
char v17; // [esp+25h] [ebp-63h]
char v18; // [esp+26h] [ebp-62h]
char v19; // [esp+27h] [ebp-61h]
char v20; // [esp+28h] [ebp-60h]
char v21; // [esp+29h] [ebp-5Fh]
char v22; // [esp+2Ah] [ebp-5Eh]
char v23; // [esp+2Bh] [ebp-5Dh]
char v24; // [esp+2Ch] [ebp-5Ch]
char v25; // [esp+2Dh] [ebp-5Bh]
char v26; // [esp+2Eh] [ebp-5Ah]
char v27; // [esp+2Fh] [ebp-59h]
char v28; // [esp+30h] [ebp-58h]
char v29; // [esp+31h] [ebp-57h]
char v30; // [esp+32h] [ebp-56h]
char v31; // [esp+33h] [ebp-55h]
char v32; // [esp+34h] [ebp-54h]
char v33; // [esp+35h] [ebp-53h]
char v34; // [esp+36h] [ebp-52h]
char v35; // [esp+37h] [ebp-51h]
char v36; // [esp+38h] [ebp-50h]
char v37; // [esp+39h] [ebp-4Fh]
char v38; // [esp+3Ah] [ebp-4Eh]
char v39; // [esp+3Bh] [ebp-4Dh]
char v40; // [esp+3Ch] [ebp-4Ch]
char v41; // [esp+3Dh] [ebp-4Bh]
char v42; // [esp+3Eh] [ebp-4Ah]
char v43; // [esp+3Fh] [ebp-49h]
char v44; // [esp+40h] [ebp-48h]
char v45; // [esp+41h] [ebp-47h]
char v46; // [esp+42h] [ebp-46h]
char v47; // [esp+43h] [ebp-45h]
char v48; // [esp+44h] [ebp-44h]
char v49; // [esp+45h] [ebp-43h]
char v50; // [esp+46h] [ebp-42h]
char v51; // [esp+47h] [ebp-41h]
char v52; // [esp+48h] [ebp-40h]
char v53; // [esp+49h] [ebp-3Fh]
// v54..v66: 12 ints + one __int16 packed back-to-back (ebp-3Eh .. ebp-0Dh,
// 50 bytes) = XOR table #2, read one byte at a time in the loop below.
// The int constants are the obfuscated flag text in little-endian byte order.
int v54; // [esp+4Ah] [ebp-3Eh]
int v55; // [esp+4Eh] [ebp-3Ah]
int v56; // [esp+52h] [ebp-36h]
int v57; // [esp+56h] [ebp-32h]
int v58; // [esp+5Ah] [ebp-2Eh]
int v59; // [esp+5Eh] [ebp-2Ah]
int v60; // [esp+62h] [ebp-26h]
int v61; // [esp+66h] [ebp-22h]
int v62; // [esp+6Ah] [ebp-1Eh]
int v63; // [esp+6Eh] [ebp-1Ah]
int v64; // [esp+72h] [ebp-16h]
int v65; // [esp+76h] [ebp-12h]
__int16 v66; // [esp+7Ah] [ebp-Eh]
unsigned int v67; // [esp+7Ch] [ebp-Ch]   saved stack canary (sits right above the tables)
// Stack protector: copy the canary from gs:0x14 (glibc i386 TLS layout) into
// the frame; it is re-read and compared at the return below.
v67 = __readgsdword(0x14u);
// Fill XOR table #2 (encrypted flag bytes).
v54 = 2036297540;
v55 = 1801418095;
v56 = 1601662830;
v57 = 1601792119;
v58 = 1952414061;
v59 = 1835884901;
v60 = 1600484449;
v61 = 1851880015;
v62 = 1767859559;
v63 = 1869832051;
v64 = 1735287135;
v65 = 1061124466;
v66 = 63;
// Fill XOR table #1 (per-byte key).
v5 = 7;
v6 = 59;
v7 = 25;
v8 = 2;
v9 = 11;
v10 = 16;
v11 = 61;
v12 = 30;
v13 = 9;
v14 = 8;
v15 = 18;
v16 = 45;
v17 = 40;
v18 = 89;
v19 = 10;
v20 = 0;
v21 = 30;
v22 = 22;
v23 = 0;
v24 = 4;
v25 = 85;
v26 = 22;
v27 = 8;
v28 = 31;
v29 = 7;
v30 = 1;
v31 = 9;
v32 = 0;
v33 = 126;
v34 = 28;
v35 = 62;
v36 = 10;
v37 = 30;
v38 = 11;
v39 = 107;
v40 = 4;
v41 = 66;
v42 = 60;
v43 = 44;
v44 = 91;
v45 = 49;
v46 = 85;
v47 = 2;
v48 = 30;
v49 = 33;
v50 = 16;
v51 = 76;
v52 = 30;
v53 = 66;
// Flags 0 == O_RDONLY. Neither open() nor read() is checked: on failure
// fd == -1, read() returns -1 and buf keeps whatever was on the stack.
fd = open("/dev/urandom", 0);
read(fd, &buf, 4u);
// "maigc" is the binary's own typo -- keep the literal as-is.
printf("Give me maigc :");
__isoc99_scanf("%d", &v2);
// The "magic" check: a fresh 32-bit random value vs. the user's guess.
// Probability of passing honestly is 2^-32 per run, hence the debugger route
// (patch eax/edx before the cmp, or move eip straight to the loop).
if ( buf == v2 )
{
// 0..0x30 inclusive = 49 iterations, one flag character each:
// flag[i] = table1[i] ^ table2[i], truncated to char before putchar().
for ( i = 0; i <= 0x30; ++i )
putchar((char)(*(&v5 + i) ^ *((_BYTE *)&v54 + i)));
}
// Canary check: nonzero means the frame was overwritten. The decompiler shows
// it as the return value; the __stack_chk_fail call is not visible here.
return __readgsdword(0x14u) ^ v67;
}
3) 코드흐름 파악
/dev/urandom에서 읽은 4바이트(buf)와 사용자가 `%d`로 입력한 값(v2)이 동일할 때만, 스택에 들어 있는 두 개의 49바이트 테이블(v5~v53, v54~v66)을 한 바이트씩 XOR하여 flag를 출력해준다. buf는 실행할 때마다 바뀌는 32비트 난수이므로 입력으로 맞출 확률은 2^-32에 불과해 정상적인 입력으로는 통과할 수 없고, 디버거로 비교 대상 레지스터 값이나 코드 흐름을 바꾸는 방식으로 접근한다.
2. 접근방법
방법 1)
gdb의 `set $레지스터` 명령으로 비교 직전 레지스터 값을 바꿔 `buf == v2` 조건을 강제로 만족시킨다.
edx : buf에 저장된 값 / eax : 사용자 입력 값(v2) — cmp 명령 직전 시점 기준이며, 레지스터 배치는 디스어셈블에서 확인할 것
방법 2)
gdb에서 `set $eip = <주소>`로 eip를 비교 분기 이후(flag 출력 for문의 시작 주소, 디스어셈블에서 확인)로 옮겨, 비교를 건너뛰고 바로 출력 루프에 진입시킨다.
3. 풀이
방법 1을 통해 풀이)
-
set $eax = $edx  (edx에 buf 값이 들어 있으므로, cmp 직전에 걸어둔 브레이크포인트에서 실행하면 eax가 buf와 같아져 조건을 통과한다)
-
cmp 직전에 bp를 걸어 eax를 바꾼 뒤, for문 빠져나간 후 또는 get_flag 함수 종료 직전에 bp를 하나 더 걸고 continue하면 flag 출력을 확인할 수 있다
방법 2를 통해 풀이)
실행결과)