题目

Daddy told me I should study arm.
But I prefer to study my leg!
Download : http://pwnable.kr/bin/leg.c
Download : http://pwnable.kr/bin/leg.asm
ssh leg@pwnable.kr -p2222 (pw:guest)

题解

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/*
 * key1: returns the value read from pc at the `mov` below.
 *
 * There is no explicit return statement and the asm declares no outputs or
 * clobbers; the result only reaches the caller because the compiler-generated
 * epilogue (see the disassembly on this page: `mov r0, r3`) happens to copy
 * r3 into r0.  This is the challenge's intended trick, not portable C.
 *
 * key1 is assembled as 4-byte ARM-state instructions, and in ARM state a read
 * of pc yields the address of the current instruction + 8 (pipeline offset),
 * so with the `mov` at 0x8cdc the function returns 0x8ce4.
 */
int key1(){
    asm("mov r3, pc\n");   /* r3 = address of this instruction + 8 (ARM state) */
}
/*
 * key2: switches to Thumb state, reads pc there, adds 4 and returns that.
 *
 * As in key1 there is no explicit return and no output/clobber list; the
 * value is left in r3 and the compiler-generated epilogue copies r3 into r0
 * (see the page's disassembly).  The asm also clobbers r6 behind the
 * compiler's back, which is why it saves and restores it itself.
 *
 * Address walk-through against the disassembly on this page:
 *   0x8cfc  add r6, pc, #1  -> pc reads 0x8d04 (ARM: +8), r6 = 0x8d05 (bit 0 set)
 *   0x8d00  bx r6           -> continue at 0x8d04 in Thumb state
 *   0x8d04  mov r3, pc      -> pc reads 0x8d08 (Thumb: +4)
 *   0x8d06  adds r3, #4     -> r3 = 0x8d0c, the ARM-state `pop {r6}` below
 *   0x8d0a  pop {pc}        -> branch to 0x8d0c; bit 0 clear, so back to ARM state
 */
int key2(){
    asm("push   {r6}\n"          /* r6 is used as the interworking branch target; save it */
        "add   r6, pc, $1\n"     /* ARM state: pc = this address + 8; +1 marks a Thumb target */
        "bx  r6\n"               /* interworking branch into Thumb state */
        ".code   16\n"           /* assembler directive: 16-bit Thumb encoding from here */
        "mov r3, pc\n"           /* Thumb state: pc = this address + 4 */
        "add r3, $0x4\n"         /* r3 now points at the ARM-state `pop {r6}` below */
        "push  {r3}\n"
        "pop   {pc}\n"           /* branch to r3 (bit 0 clear -> ARM state, ARMv5T+ interworking pop) */
        ".code 32\n"             /* assembler directive: back to 32-bit ARM encoding */
        "pop {r6}\n");           /* restore r6 */
}
/*
 * key3: returns the link register, i.e. key3's own return address (the
 * instruction following the `bl 0x8d20 <key3>` in main, 0x8d80 in the
 * disassembly on this page).
 *
 * No explicit return and no output/clobber list, same caveat as key1/key2:
 * the value sits in r3 and the compiler-generated epilogue moves r3 to r0.
 */
int key3(){
    asm("mov r3, lr\n");   /* lr was set by the caller's `bl` */
}
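/*
 * Program entry point for the "leg" challenge.
 *
 * Prompts for a decimal number, compares it with key1()+key2()+key3() and,
 * on a match, copies the first bytes of the file "flag" to standard output;
 * otherwise prints a taunt.  Always returns 0, as the original did.
 *
 * Corrections relative to the original listing:
 *  - the flag bytes were written to fd 0 (stdin); they now go to stdout,
 *  - open()/read()/scanf() results are checked, so a failed read (-1) can
 *    no longer reach write() as an enormous size_t length,
 *  - stdout is flushed before the raw write(2) so output order is stable,
 *  - the descriptor is always closed.
 */
int main(void){
    int key = 0;
    printf("Daddy has very strong arm! : ");
    fflush(stdout); /* the prompt has no newline; show it before blocking on input */

    /* On malformed input key stays 0, which (as in the original) cannot match. */
    if (scanf("%d", &key) != 1) {
        key = 0;
    }

    if ((key1() + key2() + key3()) != key) {
        printf("I have strong leg :P\n");
        return 0;
    }

    printf("Congratz!\n");
    fflush(stdout); /* mixing stdio and write(2): flush so "Congratz!" precedes the flag */

    int fd = open("flag", O_RDONLY);
    if (fd < 0) {
        return 0; /* flag file unreadable: nothing more to print */
    }
    char buf[100];
    ssize_t r = read(fd, buf, sizeof buf);
    close(fd);
    if (r <= 0) {
        return 0; /* read error or empty file: the original would have passed -1 to write() */
    }

    /* write(2) may be short; loop until all r bytes are out, best effort like the original */
    size_t off = 0;
    while (off < (size_t)r) {
        ssize_t w = write(STDOUT_FILENO, buf + off, (size_t)r - off);
        if (w <= 0) {
            break;
        }
        off += (size_t)w;
    }
    return 0;
}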
(gdb) disass main
Dump of assembler code for function main:
   0x00008d3c <+0>:     push    {r4, r11, lr}
   0x00008d40 <+4>:     add     r11, sp, #8
   0x00008d44 <+8>:     sub     sp, sp, #12
   0x00008d48 <+12>:    mov     r3, #0
   0x00008d4c <+16>:    str     r3, [r11, #-16]
   0x00008d50 <+20>:    ldr     r0, [pc, #104]  ; 0x8dc0 <main+132>
   0x00008d54 <+24>:    bl      0xfb6c <printf>
   0x00008d58 <+28>:    sub     r3, r11, #16
   0x00008d5c <+32>:    ldr     r0, [pc, #96]   ; 0x8dc4 <main+136>
   0x00008d60 <+36>:    mov     r1, r3
   0x00008d64 <+40>:    bl      0xfbd8 <__isoc99_scanf>
   0x00008d68 <+44>:    bl      0x8cd4 <key1>
   0x00008d6c <+48>:    mov     r4, r0
   0x00008d70 <+52>:    bl      0x8cf0 <key2>
   0x00008d74 <+56>:    mov     r3, r0
   0x00008d78 <+60>:    add     r4, r4, r3
   0x00008d7c <+64>:    bl      0x8d20 <key3>
   0x00008d80 <+68>:    mov     r3, r0
   0x00008d84 <+72>:    add     r2, r4, r3
   0x00008d88 <+76>:    ldr     r3, [r11, #-16]
   0x00008d8c <+80>:    cmp     r2, r3
   0x00008d90 <+84>:    bne     0x8da8 <main+108>
   0x00008d94 <+88>:    ldr     r0, [pc, #44]   ; 0x8dc8 <main+140>
   0x00008d98 <+92>:    bl      0x1050c <puts>
   0x00008d9c <+96>:    ldr     r0, [pc, #40]   ; 0x8dcc <main+144>
   0x00008da0 <+100>:   bl      0xf89c <system>
   0x00008da4 <+104>:   b       0x8db0 <main+116>
   0x00008da8 <+108>:   ldr     r0, [pc, #32]   ; 0x8dd0 <main+148>
   0x00008dac <+112>:   bl      0x1050c <puts>
   0x00008db0 <+116>:   mov     r3, #0
   0x00008db4 <+120>:   mov     r0, r3
   0x00008db8 <+124>:   sub     sp, r11, #8
   0x00008dbc <+128>:   pop     {r4, r11, pc}
   0x00008dc0 <+132>:   andeq   r10, r6, r12, lsl #9
   0x00008dc4 <+136>:   andeq   r10, r6, r12, lsr #9
   0x00008dc8 <+140>:                   ; <UNDEFINED> instruction: 0x0006a4b0
   0x00008dcc <+144>:                   ; <UNDEFINED> instruction: 0x0006a4bc
   0x00008dd0 <+148>:   andeq   r10, r6, r4, asr #9
End of assembler dump.
(gdb) disass key1
Dump of assembler code for function key1:
   0x00008cd4 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008cd8 <+4>:     add     r11, sp, #0
   0x00008cdc <+8>:     mov     r3, pc
   0x00008ce0 <+12>:    mov     r0, r3
   0x00008ce4 <+16>:    sub     sp, r11, #0
   0x00008ce8 <+20>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008cec <+24>:    bx      lr
End of assembler dump.
(gdb) disass key2
Dump of assembler code for function key2:
   0x00008cf0 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008cf4 <+4>:     add     r11, sp, #0
   0x00008cf8 <+8>:     push    {r6}            ; (str r6, [sp, #-4]!)
   0x00008cfc <+12>:    add     r6, pc, #1
   0x00008d00 <+16>:    bx      r6
   0x00008d04 <+20>:    mov     r3, pc
   0x00008d06 <+22>:    adds    r3, #4
   0x00008d08 <+24>:    push    {r3}
   0x00008d0a <+26>:    pop     {pc}
   0x00008d0c <+28>:    pop     {r6}            ; (ldr r6, [sp], #4)
   0x00008d10 <+32>:    mov     r0, r3
   0x00008d14 <+36>:    sub     sp, r11, #0
   0x00008d18 <+40>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008d1c <+44>:    bx      lr
End of assembler dump.
(gdb) disass key3
Dump of assembler code for function key3:
   0x00008d20 <+0>:     push    {r11}           ; (str r11, [sp, #-4]!)
   0x00008d24 <+4>:     add     r11, sp, #0
   0x00008d28 <+8>:     mov     r3, lr
   0x00008d2c <+12>:    mov     r0, r3
   0x00008d30 <+16>:    sub     sp, r11, #0
   0x00008d34 <+20>:    pop     {r11}           ; (ldr r11, [sp], #4)
   0x00008d38 <+24>:    bx      lr
End of assembler dump.
(gdb)

简单的arm pwn逆向
要key1 + key2 + key3 == key即可 (注意: 反汇编中比较成功后调用的是 puts/system, 与上面 C 源码里的 open/read/write 不同, 但判断逻辑完全一致, 算 key 只看三个 key 函数)

先看key1

返回值是r0, r0由r3决定 (反汇编里 key1 末尾的 mov r0, r3), pc是程序计数器. arm架构下有ARM mode和Thumb mode两种模式, 读取pc得到的不是当前指令地址, 而是带流水线偏移的值: ARM mode下为当前指令地址 + 8, Thumb mode下为当前指令地址 + 4. 从反汇编看 key1 的指令都是4字节的ARM指令, 即运行在ARM mode下, mov r3, pc 位于0x00008cdc, 所以此时key1返回值为 0x00008cdc + 8 = 0x00008ce4

再看key2

同上, r0由r3决定. key2 先用 add r6, pc, #1 / bx r6 切换到Thumb mode (目标地址最低位为1表示Thumb), 之后的 mov r3, pc 位于0x00008d04, Thumb mode下读到的pc为 0x00008d04 + 4 = 0x00008d08, 再执行 adds r3, #4, 所以 r3 = 0x00008d08 + 4 = 0x00008d0c

最后看key3

这里的r3由lr赋值, 即link register, 指向返回地址. key3函数的返回地址看main的汇编可以确定: bl 0x8d20 <key3> 位于0x00008d7c, 返回地址就是它的下一条指令, 为0x00008d80

综上输入的key = 0x00008ce4 + (0x00008d08 + 4) + 0x00008d80 = 0x00008ce4 + 0x00008d0c + 0x00008d80 = 0x1a770 = 108400 (程序用 scanf("%d") 读入, 所以要输入十进制)
