pwnable.kr wp leg
Problem

Daddy told me I should study arm.
But I prefer to study my leg!

Download : http://pwnable.kr/bin/leg.c
Download : http://pwnable.kr/bin/leg.asm

ssh leg@pwnable.kr -p2222 (pw:guest)

Solution
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* read()/write(); missing from the original listing */

int key1(){
    /* ARM mode: pc reads as the address of this instruction + 8 */
    asm("mov r3, pc\n");
}
int key2(){
    asm(
    "push   {r6}\n"
    "add    r6, pc, $1\n"   /* bit 0 set -> bx switches to Thumb */
    "bx     r6\n"
    ".code  16\n"           /* Thumb mode: pc reads as current + 4 */
    "mov    r3, pc\n"
    "add    r3, $0x4\n"
    "push   {r3}\n"
    "pop    {pc}\n"         /* target has bit 0 clear -> back to ARM */
    ".code  32\n"
    "pop    {r6}\n"
    );
}
int key3(){
    /* lr holds the return address into main */
    asm("mov r3, lr\n");
}
int main(){
    int key=0;
    printf("Daddy has very strong arm! : ");
    scanf("%d", &key);
    if( (key1()+key2()+key3()) == key ){
        printf("Congratz!\n");
        int fd = open("flag", O_RDONLY);
        char buf[100];
        int r = read(fd, buf, 100);
        write(0, buf, r);
    }
    else{
        printf("I have strong leg :P\n");
    }
    return 0;
}
(gdb) disass main
Dump of assembler code for function main:
   0x00008d3c <+0>:     push    {r4, r11, lr}
   0x00008d40 <+4>:     add     r11, sp, #8
   0x00008d44 <+8>:     sub     sp, sp, #12
   0x00008d48 <+12>:    mov     r3, #0
   0x00008d4c <+16>:    str     r3, [r11, #-16]
   0x00008d50 <+20>:    ldr     r0, [pc, #104]  ; 0x8dc0 <main+132>
   0x00008d54 <+24>:    bl      0xfb6c <printf>
   0x00008d58 <+28>:    sub     r3, r11, #16
   0x00008d5c <+32>:    ldr     r0, [pc, #96]   ; 0x8dc4 <main+136>
   0x00008d60 <+36>:    mov     r1, r3
   0x00008d64 <+40>:    bl      0xfbd8 <__isoc99_scanf>
   0x00008d68 <+44>:    bl      0x8cd4 <key1>
   0x00008d6c <+48>:    mov     r4, r0
   0x00008d70 <+52>:    bl      0x8cf0 <key2>
   0x00008d74 <+56>:    mov     r3, r0
   0x00008d78 <+60>:    add     r4, r4, r3
   0x00008d7c <+64>:    bl      0x8d20 <key3>
   0x00008d80 <+68>:    mov     r3, r0
   0x00008d84 <+72>:    add     r2, r4, r3
   0x00008d88 <+76>:    ldr     r3, [r11, #-16]
   0x00008d8c <+80>:    cmp     r2, r3
   0x00008d90 <+84>:    bne     0x8da8 <main+108>
   0x00008d94 <+88>:    ldr     r0, [pc, #44]   ; 0x8dc8 <main+140>
   0x00008d98 <+92>:    bl      0x1050c <puts>
   0x00008d9c <+96>:    ldr     r0, [pc, #40]   ; 0x8dcc <main+144>
   0x00008da0 <+100>:   bl      0xf89c <system>
   0x00008da4 <+104>:   b       0x8db0 <main+116>
   0x00008da8 <+108>:   ldr     r0, [pc, #32]   ; 0x8dd0 <main+148>
   0x00008dac <+112>:   bl      0x1050c <puts>
   0x00008db0 <+116>:   mov     r3, #0
   0x00008db4 <+120>:   mov     r0, r3
   0x00008db8 <+124>:   sub     sp, r11, #8
   0x00008dbc <+128>:   pop     {r4, r11, pc}
   0x00008dc0 <+132>:   andeq   r10, r6, r12, lsl #9
   0x00008dc4 <+136>:   andeq   r10, r6, r12, lsr #9
   0x00008dc8 <+140>:                   ; <UNDEFINED> instruction: 0x0006a4b0
   0x00008dcc <+144>:                   ; <UNDEFINED> instruction: 0x0006a4bc
   0x00008dd0 <+148>:   andeq   r10, r6, r4, asr #9
End of assembler dump.
(gdb) disass key1
Dump of assembler code for function key1:
   0x00008cd4 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008cd8 <+4>:     add     r11, sp, #0
   0x00008cdc <+8>:     mov     r3, pc
   0x00008ce0 <+12>:    mov     r0, r3
   0x00008ce4 <+16>:    sub     sp, r11, #0
   0x00008ce8 <+20>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008cec <+24>:    bx      lr
End of assembler dump.
(gdb) disass key2
Dump of assembler code for function key2:
   0x00008cf0 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008cf4 <+4>:     add     r11, sp, #0
   0x00008cf8 <+8>:     push    {r6}            ; (str r6, [sp, #-4]!)
   0x00008cfc <+12>:    add     r6, pc, #1
   0x00008d00 <+16>:    bx      r6
   0x00008d04 <+20>:    mov     r3, pc
   0x00008d06 <+22>:    adds    r3, #4
   0x00008d08 <+24>:    push    {r3}
   0x00008d0a <+26>:    pop     {pc}
   0x00008d0c <+28>:    pop     {r6}            ; (ldr r6, [sp], #4)
   0x00008d10 <+32>:    mov     r0, r3
   0x00008d14 <+36>:    sub     sp, r11, #0
   0x00008d18 <+40>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008d1c <+44>:    bx      lr
End of assembler dump.
(gdb) disass key3
Dump of assembler code for function key3:
   0x00008d20 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008d24 <+4>:     add     r11, sp, #0
   0x00008d28 <+8>:     mov     r3, lr
   0x00008d2c <+12>:    mov     r0, r3
   0x00008d30 <+16>:    sub     sp, r11, #0
   0x00008d34 <+20>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008d38 <+24>:    bx      lr
End of assembler dump.
A simple ARM reversing pwn. Note that the binary in the disassembly does not match leg.c exactly: after the comparison, main calls puts and system rather than printf/open/read/write. That does not change the key, which is decided entirely by the three key functions.

We need key1() + key2() + key3() == key.

First, key1

The return value is r0, and r0 is copied from r3, which is loaded from pc. ARM has two instruction-set states, ARM mode (32-bit instructions) and Thumb mode (16-bit instructions), and because of the pipeline the value read from pc is ahead of the executing instruction: in ARM mode pc reads as the address of the current instruction + 8, in Thumb mode as the current instruction + 4. key1 is plain 32-bit code, so it executes in ARM mode; `mov r3, pc` sits at 0x00008cdc, so r3 = 0x8cdc + 8 = 0x00008ce4, and that is what key1 returns.

Next, key2

Again r0 comes from r3, but this function switches modes in the middle. `add r6, pc, #1` at 0x00008cfc computes (0x8cfc + 8) + 1 = 0x8d05, and `bx r6` branches to 0x8d04 with bit 0 set, which puts the core into Thumb mode (that is what the `.code 16` directive in the source is for). In Thumb mode `mov r3, pc` at 0x00008d04 reads pc = 0x8d04 + 4 = 0x8d08, and `adds r3, #4` makes it 0x8d0c. `push {r3}; pop {pc}` then jumps to 0x8d0c; bit 0 of that address is clear, so the core is back in ARM mode for `pop {r6}` and `mov r0, r3`. So key2 returns 0x00008d08 + 4 = 0x00008d0c.

Finally, key3

Here r3 is loaded from lr, the link register, which holds the return address. key3's return address can be read off main's disassembly: `bl 0x8d20 <key3>` is at 0x00008d7c, so lr = 0x00008d80.

Putting it together, the key to enter is 0x00008ce4 + (0x00008d08 + 4) + 0x00008d80 = 0x8ce4 + 0x8d0c + 0x8d80 = 108400, typed in decimal because main reads it with scanf("%d").
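As an added illustration that is not part of the original write-up, the following Python script recomputes the three return values from the addresses in the disassembly above. It encodes the two rules the solution depends on: the pc read offset per instruction-set state (+8 in ARM mode, +4 in Thumb mode) and the bit-0 interworking rule of `bx` and `pop {pc}`. The addresses come from the gdb output on this page; the helper names (`read_pc`, `bx_target`, `solve`) are my own.

```python
"""Recompute the pwnable.kr leg key from the disassembled addresses.

Constructed example, not the challenge author's code. It walks key1,
key2 and key3 by instruction address and applies ARM's pc-read and
interworking rules instead of running the binary.
"""

ARM_PC_OFFSET = 8    # `mov rX, pc` in ARM state sees current insn + 8
THUMB_PC_OFFSET = 4  # `mov rX, pc` in Thumb state sees current insn + 4


def read_pc(insn_addr: int, thumb: bool) -> int:
    """Value observed by an instruction at insn_addr that reads pc."""
    return insn_addr + (THUMB_PC_OFFSET if thumb else ARM_PC_OFFSET)


def bx_target(value: int) -> tuple:
    """(target address, thumb?) for `bx` or an interworking `pop {pc}`.

    Bit 0 of the value selects Thumb state and is stripped from the address.
    """
    return value & ~1, bool(value & 1)


def key1() -> int:
    # 0x8cdc <key1+8>: mov r3, pc      (ARM state)
    return read_pc(0x8CDC, thumb=False)


def key2() -> int:
    # 0x8cfc <key2+12>: add r6, pc, #1 -> (0x8cfc + 8) + 1 = 0x8d05
    r6 = read_pc(0x8CFC, thumb=False) + 1
    # 0x8d00 <key2+16>: bx r6          -> 0x8d04, switch to Thumb
    addr, thumb = bx_target(r6)
    assert addr == 0x8D04 and thumb, "bx should land in Thumb at 0x8d04"
    # 0x8d04 <key2+20>: mov r3, pc     (Thumb state) -> 0x8d08
    r3 = read_pc(addr, thumb)
    # 0x8d06 <key2+22>: adds r3, #4    -> 0x8d0c
    r3 += 4
    # 0x8d08/0x8d0a: push {r3}; pop {pc} -> jump to 0x8d0c, bit 0 clear,
    # so execution continues in ARM state at `pop {r6}`
    addr, thumb = bx_target(r3)
    assert addr == 0x8D0C and not thumb, "pop {pc} should return to ARM"
    # 0x8d10 <key2+32>: mov r0, r3
    return r3


def key3(call_site: int = 0x8D7C) -> int:
    """lr is the address after `bl 0x8d20 <key3>`, which sits at 0x8d7c."""
    return call_site + 4  # ARM-state bl is a 4-byte instruction


def solve() -> int:
    """Decimal value main compares against, as read by scanf("%d")."""
    return key1() + key2() + key3()


if __name__ == "__main__":
    print(f"key1=0x{key1():x} key2=0x{key2():x} key3=0x{key3():x}")
    print(f"key = {solve()}")
```

Feed the printed decimal to the program when it asks "Daddy has very strong arm! : "; the script's internal assertions also document the two state switches inside key2, so a wrong offset assumption fails loudly instead of producing a silently wrong key.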