  • WHCTF-babyre

    Running the file command first gives the following information

    ELF 64-bit LSB executable, x86-64
    

    Opening the binary in IDA64 and going to the key function main, F5 (decompile) fails; attempts to repair it went nowhere, so I switched to dynamic debugging with gdb.

    Set a breakpoint at the scanf call

    b *0x0400660
    

    After entering 12346789, step with next

    => 0x40066c <main+102>:	call   0x4004c0 <strlen@plt>
       0x400671 <main+107>:	mov    DWORD PTR [rbp-0x8],eax
       0x400674 <main+110>:	cmp    DWORD PTR [rbp-0x8],0xe
    

    We can see that strlen is called and the returned length is compared with 0xe, so the flag length is 0xe (14 bytes).

    Run again

    Please input flag:abcdefghijklmn
    

    After passing the length check we see

    0x40067a <main+116>:	mov    edx,0x600b00
    0x40067f <main+121>:	lea    rax,[rbp-0x20]
    0x400683 <main+125>:	mov    rdi,rax
    0x400686 <main+128>:	call   rdx
    

    Next the code at 0x600b00 is called, so

    b *0x600b00
    c(ontinue)
    

    Then a sequence of byte stores appears

       0x600b08 <judge+8>:	mov    BYTE PTR [rbp-0x20],0x66
       0x600b0c <judge+12>:	mov    BYTE PTR [rbp-0x1f],0x6d
       0x600b10 <judge+16>:	mov    BYTE PTR [rbp-0x1e],0x63
    => 0x600b14 <judge+20>:	mov    BYTE PTR [rbp-0x1d],0x64
       0x600b18 <judge+24>:	mov    BYTE PTR [rbp-0x1c],0x7f
       0x600b1c <judge+28>:	mov    BYTE PTR [rbp-0x1b],0x6b
       0x600b20 <judge+32>:	mov    BYTE PTR [rbp-0x1a],0x37
       0x600b24 <judge+36>:	mov    BYTE PTR [rbp-0x19],0x64
       0x600b28 <judge+40>:	mov    BYTE PTR [rbp-0x18],0x3b
       0x600b2c <judge+44>:	mov    BYTE PTR [rbp-0x17],0x56
       0x600b30 <judge+48>:	mov    BYTE PTR [rbp-0x16],0x60
    => 0x600b34 <judge+52>:	mov    BYTE PTR [rbp-0x15],0x3b
       0x600b38 <judge+56>:	mov    BYTE PTR [rbp-0x14],0x6e
       0x600b3c <judge+60>:	mov    BYTE PTR [rbp-0x13],0x70
       0x600b40 <judge+64>:	mov    DWORD PTR [rbp-0x4],0x0
       0x600b47 <judge+71>:	jmp    0x600b71 <judge+113>
    

    This sequence of bytes will be used later; continue debugging

    RAX: 0x7fffffffe2c0 ("abcdefghijklmn")
    RBX: 0x0 
    RCX: 0x0 
    RDX: 0x61 ('a')
    EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x600b60 <judge+96>:	add    rdx,rcx
       0x600b63 <judge+99>:	movzx  edx,BYTE PTR [rdx]
       0x600b66 <judge+102>:	mov    ecx,DWORD PTR [rbp-0x4]
    => 0x600b69 <judge+105>:	xor    edx,ecx
    

    We can see rdx=0x61('a') and rcx=0x0, and then rdx=rdx^rcx, so we can roughly tell that the flag is XOR-encrypted.

    Continuing to debug, on the next iteration rdx=0x62('b') and rcx=0x1.

    So each input byte is XORed with its index, and flag[i] = key[i] ^ i for 0 <= i < strlen(flag)

    Here key is the sequence of bytes above; the following script prints the flag

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    __Author__ = "LB@10.0.0.55"

    # key bytes copied from judge(), in stack order (rbp-0x20 first)
    key = [0x66,0x6d,0x63,0x64,0x7f,0x6b,0x37,0x64,0x3b,0x56,0x60,0x3b,0x6e,0x70]
    flag = ''
    for i in range(len(key)):
        # undo the XOR with the loop index
        flag += chr(key[i] ^ i)
    print(flag)
    # flag{n1c3_j0b}


    Author: LB919
    Source: http://www.cnblogs.com/L1B0/
    Reposting is welcome; please credit the source.
  • Original article: https://www.cnblogs.com/L1B0/p/8393926.html