【pwnable.kr】day8:leg
pwnable:leg
pwnable.kr:leg 题目链接
question
Daddy told me I should study arm.
But I prefer to study my leg!Download : http://pwnable.kr/bin/leg.c
Download : http://pwnable.kr/bin/leg.asmssh leg@pwnable.kr -p2222 (pw:guest)
题目要求我们使用ssh登录到服务器上ssh leg@pwnable.kr -p2222
,密码是guest
,有的时候可能有身份的校验,这个时候需要加上参数-o StrictHostKeyChecking=no
进行登录
leg.c
#include <stdio.h>
#include <fcntl.h>
int key1(){asm("mov r3, pc\n");
}
int key2(){asm("push {r6}\n""add r6, pc, $1\n""bx r6\n"".code 16\n""mov r3, pc\n""add r3, $0x4\n""push {r3}\n""pop {pc}\n"".code 32\n""pop {r6}\n");
}
int key3(){asm("mov r3, lr\n");
}
int main(){int key=0;printf("Daddy has very strong arm! : ");scanf("%d", &key);if( (key1()+key2()+key3()) == key ){printf("Congratz!\n");int fd = open("flag", O_RDONLY);char buf[100];int r = read(fd, buf, 100);write(0, buf, r);}else{printf("I have strong leg :P\n");}return 0;
}
leg.asm
(gdb) disass main
Dump of assembler code for function main:0x00008d3c <+0>: push {r4, r11, lr}0x00008d40 <+4>: add r11, sp, #80x00008d44 <+8>: sub sp, sp, #120x00008d48 <+12>: mov r3, #00x00008d4c <+16>: str r3, [r11, #-16]0x00008d50 <+20>: ldr r0, [pc, #104] ; 0x8dc0 <main+132>0x00008d54 <+24>: bl 0xfb6c <printf>0x00008d58 <+28>: sub r3, r11, #160x00008d5c <+32>: ldr r0, [pc, #96] ; 0x8dc4 <main+136>0x00008d60 <+36>: mov r1, r30x00008d64 <+40>: bl 0xfbd8 <__isoc99_scanf>0x00008d68 <+44>: bl 0x8cd4 <key1>0x00008d6c <+48>: mov r4, r00x00008d70 <+52>: bl 0x8cf0 <key2>0x00008d74 <+56>: mov r3, r00x00008d78 <+60>: add r4, r4, r30x00008d7c <+64>: bl 0x8d20 <key3>0x00008d80 <+68>: mov r3, r00x00008d84 <+72>: add r2, r4, r30x00008d88 <+76>: ldr r3, [r11, #-16]0x00008d8c <+80>: cmp r2, r30x00008d90 <+84>: bne 0x8da8 <main+108>0x00008d94 <+88>: ldr r0, [pc, #44] ; 0x8dc8 <main+140>0x00008d98 <+92>: bl 0x1050c <puts>0x00008d9c <+96>: ldr r0, [pc, #40] ; 0x8dcc <main+144>0x00008da0 <+100>: bl 0xf89c <system>0x00008da4 <+104>: b 0x8db0 <main+116>0x00008da8 <+108>: ldr r0, [pc, #32] ; 0x8dd0 <main+148>0x00008dac <+112>: bl 0x1050c <puts>0x00008db0 <+116>: mov r3, #00x00008db4 <+120>: mov r0, r30x00008db8 <+124>: sub sp, r11, #80x00008dbc <+128>: pop {r4, r11, pc}0x00008dc0 <+132>: andeq r10, r6, r12, lsl #90x00008dc4 <+136>: andeq r10, r6, r12, lsr #90x00008dc8 <+140>: ; <UNDEFINED> instruction: 0x0006a4b00x00008dcc <+144>: ; <UNDEFINED> instruction: 0x0006a4bc0x00008dd0 <+148>: andeq r10, r6, r4, asr #9
End of assembler dump.
(gdb) disass key1
Dump of assembler code for function key1:0x00008cd4 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008cd8 <+4>: add r11, sp, #00x00008cdc <+8>: mov r3, pc0x00008ce0 <+12>: mov r0, r30x00008ce4 <+16>: sub sp, r11, #00x00008ce8 <+20>: pop {r11} ; (ldr r11, [sp], #4)0x00008cec <+24>: bx lr
End of assembler dump.
(gdb) disass key2
Dump of assembler code for function key2:0x00008cf0 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008cf4 <+4>: add r11, sp, #00x00008cf8 <+8>: push {r6} ; (str r6, [sp, #-4]!)0x00008cfc <+12>: add r6, pc, #10x00008d00 <+16>: bx r60x00008d04 <+20>: mov r3, pc0x00008d06 <+22>: adds r3, #40x00008d08 <+24>: push {r3}0x00008d0a <+26>: pop {pc}0x00008d0c <+28>: pop {r6} ; (ldr r6, [sp], #4)0x00008d10 <+32>: mov r0, r30x00008d14 <+36>: sub sp, r11, #00x00008d18 <+40>: pop {r11} ; (ldr r11, [sp], #4)0x00008d1c <+44>: bx lr
End of assembler dump.
(gdb) disass key3
Dump of assembler code for function key3:0x00008d20 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008d24 <+4>: add r11, sp, #00x00008d28 <+8>: mov r3, lr0x00008d2c <+12>: mov r0, r30x00008d30 <+16>: sub sp, r11, #00x00008d34 <+20>: pop {r11} ; (ldr r11, [sp], #4)0x00008d38 <+24>: bx lr
End of assembler dump.
(gdb)
analyse
c与asm混合编程,只要我们输入的key
的值等于key1()+key2()+key3()
的值即可。
key1()
0x00008cd4 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008cd8 <+4>: add r11, sp, #00x00008cdc <+8>: mov r3, pc0x00008ce0 <+12>: mov r0, r30x00008ce4 <+16>: sub sp, r11, #00x00008ce8 <+20>: pop {r11} ; (ldr r11, [sp], #4)0x00008cec <+24>: bx lr
返回值为r0
,r0
保存的是0x00008cdc
处时的pc
值,由于流水线处理,pc为进接的第二条指令的地址,pc=0x00008ce4
,key1()=0x00008ce4
key2()
0x00008cf0 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008cf4 <+4>: add r11, sp, #00x00008cf8 <+8>: push {r6} ; (str r6, [sp, #-4]!)0x00008cfc <+12>: add r6, pc, #10x00008d00 <+16>: bx r60x00008d04 <+20>: mov r3, pc0x00008d06 <+22>: adds r3, #40x00008d08 <+24>: push {r3}0x00008d0a <+26>: pop {pc}0x00008d0c <+28>: pop {r6} ; (ldr r6, [sp], #4)0x00008d10 <+32>: mov r0, r30x00008d14 <+36>: sub sp, r11, #00x00008d18 <+40>: pop {r11} ; (ldr r11, [sp], #4)0x00008d1c <+44>: bx lr
同key1()
,r0保存的是r3+#4
,而r3是0X00008d04
时的pc值,pc=0x00008d08
,所以key2()=0x00008d08+4=0x00008d0c
key3()
0x00008d20 <+0>: push {r11} ; (str r11, [sp, #-4]!)0x00008d24 <+4>: add r11, sp, #00x00008d28 <+8>: mov r3, lr0x00008d2c <+12>: mov r0, r30x00008d30 <+16>: sub sp, r11, #00x00008d34 <+20>: pop {r11} ; (ldr r11, [sp], #4)0x00008d38 <+24>: bx lr
r0
的值是lr
的值,而lr
是子函数返回位置的地址,在main函数中可以看到为0x00008d80
get flag
所以我们知道key
应该等于0x00008d80+0x00008d0c+0x00008ce4=108400
/ $ ./leg
Daddy has very strong arm! : 108400
Congratz!
My daddy has a lot of ARMv5te muscle!
flag
:My daddy has a lot of ARMv5te muscle!
【pwnable.kr】day8:leg相关推荐
- 【pwnable.kr】leg
pwnable从入门到放弃第八题. Download : http://pwnable.kr/bin/leg.c Download : http://pwnable.kr/bin/leg.asm ss ...
- 【pwnable.kr】Toddler‘s Bottle-[flag]
目录导航 下载题目文件 二进制分析 获取flag gdb调试 下载题目文件 Papa brought me a packed present! let's open it.Download : htt ...
- 【pwnable.kr】passcode
pwnable从入门到放弃,第六题. ssh passcode@pwnable.kr -p2222 (pw:guest) 完全是'&'的锅. #include <stdio.h> ...
- 【pwnable.kr】 alloca
https://www.anquanke.com/post/id/170288 前言 最近在刷pwnable.kr [Rookiss],题目都好有意思,一其中题alloca虽然分值不高,但分析过程很值 ...
- 【pwnable.kr】Toddler‘s Bottle-[passcode]
目录导航 进入服务器 下载文件 反编译分析 EXP TIPS 进入服务器 Mommy told me to make a passcode based login system. My initial ...
- 【pwnable.kr】Toddler‘s Bottle-[bof]
目录导航 打开题目审题 nc 命令介绍 获取服务器文件 源代码分析 ELF分析构造payload 解题 打开题目审题 Nana told me that buffer overflow is one ...
- 【pwnable.kr】Toddler‘s Bottle-[fd]
目录导航 打开题目审题 找到突破口 相关c语言知识 源代码分析 找到FLAG 打开题目审题 Mommy! what is a file descriptor in Linux?* try to pla ...
- 【pwnable.kr】Toddler‘s Bottle-[random]
目录导航 Target & Download Analysis & IDA Debug & writeup TIPS Target & Download Daddy, ...
- 【pwnable.kr】 passcode
https://r00tnb.github.io/2017/12/10/pwnable.kr-passcode/ 分析 首先读源码passcode.c 1 2 3 4 5 6 7 8 9 10 11 ...
最新文章
- HDU2028Lowest Common Multiple Plus
- 学习使用Free RTOS ,移植最新的STM32 v3.5固件库
- wind up和end up的区别
- 以太坊智能合约安全 Dasp Top10
- 复位处理详细设计方案
- ElasticSearch 创建父子类型
- ES2017 异步函数async/await
- *循环单链表[带头结点]
- java2048设计说明,Html5中的本地存储设计理念
- express搭建的nodejs项目使用webpack进行打包
- 【日常】DES加密算法python实现_以密码编码学与网络安全——原理与实践(第六版)课后习题3.11为例
- Python简单操作爬取微博热搜榜(表格.xls模式存储)
- 快讯 | Elon Musk拟跨界做喜剧,号称要建立跨星系传媒帝国Thud!(轰!)
- OSError: [WinError 87]参数错误
- 【量化交易】 python 基本语法与变量 【003】 策略 复习一下
- Tableau 可视化图表学习
- sl410k安装debian7.0无线网卡问题解决
- 三星服务器nvme固态硬盘,强弱之差是否悬殊?五款NVMe M.2 SSD横评
- 视觉SLAM②--初识SLAM
- UAVStack应用数据归集
热门文章
- html制作日历备忘录,CSS3制作日历备忘录
- linux设备驱动归纳总结(九):1.platform设备驱动
- Eclipse 插件
- mybatis的left join多条件操作
- Cannot run program “mvn“ (in directory “/var/lib/jenkins/workspace)
- 汉语言处理工具pyhanlp的简繁转换
- 如何在Swift中使用Result
- CobaltStrike之后渗透
- 三国华容道网页版来了
- js数组交集、并集、差集