ISG

Challenge link
https://github.com/tower111/software
junkcode

Look at the check function

pwndbg> disassemble check
Dump of assembler code for function check:
   0x080484fb <+0>: push   ebp
   0x080484fc <+1>: mov    ebp,esp
   0x080484fe <+3>: sub    esp,0x18
   0x08048501 <+6>: mov    eax,ds:0x804a02c
   0x08048506 <+11>:    sub    esp,0xc
   0x08048509 <+14>:    push   eax
   0x0804850a <+15>:    call   0x80483d0 <strlen@plt>
   0x0804850f <+20>:    add    esp,0x10
   0x08048512 <+23>:    mov    DWORD PTR [ebp-0xc],eax
   0x08048515 <+26>:    sub    esp,0xc
   0x08048518 <+29>:    push   DWORD PTR [ebp+0x8]
   0x0804851b <+32>:    call   0x80483d0 <strlen@plt>
   0x08048520 <+37>:    add    esp,0x10
   0x08048523 <+40>:    mov    edx,eax
   0x08048525 <+42>:    mov    eax,DWORD PTR [ebp-0xc]
   0x08048528 <+45>:    cmp    edx,eax              # length check: strlen(input) vs strlen(ptr1)
   0x0804852a <+47>:    jae    0x8048533 <check+56>
   0x0804852c <+49>:    mov    eax,0x0
   0x08048531 <+54>:    jmp    0x8048581 <check+134>
   0x08048533 <+56>:    mov    DWORD PTR [ebp-0x10],0x0
   0x0804853a <+63>:    jmp    0x8048574 <check+121>
   0x0804853c <+65>:    mov    edx,DWORD PTR [ebp-0x10]
   0x0804853f <+68>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048542 <+71>:    add    eax,edx
=> 0x08048544 <+73>:    sub    eax,0x158b08b6
   0x08048549 <+78>:    sub    al,0xa0
   0x0804854b <+80>:    add    al,0x8
   0x0804854d <+82>:    mov    eax,DWORD PTR [ebp-0x10]
   0x08048550 <+85>:    add    eax,edx
   0x08048552 <+87>:    movzx  eax,BYTE PTR [eax]
   0x08048555 <+90>:    xor    ecx,eax
   0x08048557 <+92>:    mov    edx,DWORD PTR ds:0x804a030
   0x0804855d <+98>:    mov    eax,DWORD PTR [ebp-0x10]
   0x08048560 <+101>:   add    eax,edx
   0x08048562 <+103>:   movzx  eax,BYTE PTR [eax]
   0x08048565 <+106>:   cmp    cl,al                                # per-byte comparison
   0x08048567 <+108>:   je     0x8048570 <check+117>
   0x08048569 <+110>:   mov    eax,0x0
   0x0804856e <+115>:   jmp    0x8048581 <check+134>
   0x08048570 <+117>:   add    DWORD PTR [ebp-0x10],0x1
   0x08048574 <+121>:   mov    eax,DWORD PTR [ebp-0x10]
   0x08048577 <+124>:   cmp    eax,DWORD PTR [ebp-0xc]
   0x0804857a <+127>:   jl     0x804853c <check+65>
   0x0804857c <+129>:   mov    eax,0x1
   0x08048581 <+134>:   leave  
   0x08048582 <+135>:   ret    

Break at the length comparison (check+45) to learn the required length:

 EAX  0x17
 EBX  0x0
 ECX  0x320c
 EDX  0x8

EAX = 0x17, so the reference string is 23 bytes long (EDX = 8 is strlen of the input we typed; the jae means any input of at least 23 bytes gets past this check).

Next, look at the values that end up in al and cl.
First al:

   0x08048557 <+92>:    mov    edx,DWORD PTR ds:0x804a030
   0x0804855d <+98>:    mov    eax,DWORD PTR [ebp-0x10]
=> 0x08048560 <+101>:   and    edx,eax
   0x08048562 <+103>:   movzx  eax,BYTE PTR [eax]
   0x08048565 <+106>:   cmp    cl,al
 EAX  0x0
 EBX  0x0
 ECX  0xbe
 EDX  0x80486e8 ◂— xchg   eax, esi /* 0xd8ca8b96 */
 EDI  0x0
 ESI  0xf7fa7000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
 EBP  0xffffce18 —▸ 0xffffce78 ◂— 0x0
 ESP  0xffffce00 —▸ 0xffffce78 ◂— 0x0
 EIP  0x8048560 (check+101) ◂— and    edx, eax /* 0xb60fd023 */

eax is the loop counter and edx the base address of the table (0x80486e8, loaded from 0x804a030).

pwndbg> x /50xb $edx
0x80486e8:  0x96    0x8b    0xca    0xd8    0x72    0xf9    0xe8    0xc0
0x80486f0:  0xf7    0x0d    0x46    0x40    0x29    0x42    0xa2    0x9f
0x80486f8:  0x3e    0x2c    0x34    0x71    0xb2    0x9e    0xda    0x00
0x8048700:  0x67    0x65    0x74    0x20    0x6d    0x65    0x20    0x66
0x8048708:  0x6c    0x61    0x67    0x3a    0x00    0x47    0x4f    0x4f
0x8048710:  0x44    0x00    0x42    0x41    0x44    0x00    0x00    0x00
0x8048718:  0x01    0x1b

The first 23 bytes (up to the 0x00 at 0x80486ff) are the values that end up in al.
cl is derived the same way as al:

   0x08048547 <+76>:    mov    edx,DWORD PTR ds:0x804a02c
   0x0804854d <+82>:    mov    eax,DWORD PTR [ebp-0x10]
   0x08048550 <+85>:    add    eax,edx
   0x08048552 <+87>:    movzx  eax,BYTE PTR [eax]
   0x08048555 <+90>:    xor    ecx,eax

One can guess that ecx here holds the current input byte: it is XORed with the byte at ptr1[i], and the low byte (cl) is then compared with the table at 0x80486e8.
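The two listings disagree about what sits at 0x8048544: the full disassembly shows sub eax,0x158b08b6 / sub al,0xa0 / add al,0x8 at +73..+82, while the later context dump shows mov edx,ds:0x804a02c starting at +76. That is the junk code: the same nine bytes decode to different instructions depending on where decoding starts, and gdb's linear sweep from the function entry picks the wrong start. The following is an added example, not part of the original writeup. The byte string is reconstructed by re-encoding the instructions shown in the two listings (an assumption, not a dump from the binary), and the decoder deliberately handles only the four encodings present in those bytes; in practice you would use capstone or objdump with a start address.

```python
# Added example: minimal x86-32 decoder limited to the encodings present in
# the nine bytes at 0x8048544, to show how one byte stream yields two
# different instruction sequences depending on the start offset.
import struct

# Reconstructed by re-encoding the instructions from the gdb listings
# (sub eax,imm32 = 2D id; sub al,ib = 2C ib; add al,ib = 04 ib;
# mov r32,[disp32] = 8B /r with mod=00 rm=101). Assumption, not a raw dump.
JUNK_BASE = 0x8048544
JUNK_BYTES = bytes.fromhex("2d b6 08 8b 15 2c a0 04 08")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, off):
    """Decode one instruction at code[off:]; return (length, text).
    Only the four opcodes listed above are supported; anything else raises."""
    op = code[off]
    if op == 0x2D:  # sub eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"sub eax, {imm:#x}"
    if op == 0x2C:  # sub al, imm8
        return 2, f"sub al, {code[off + 1]:#x}"
    if op == 0x04:  # add al, imm8
        return 2, f"add al, {code[off + 1]:#x}"
    if op == 0x8B:  # mov r32, r/m32
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm == 5:  # [disp32] with no base register
            disp = struct.unpack_from("<I", code, off + 2)[0]
            return 6, f"mov {REG32[reg]}, dword ptr [{disp:#x}]"
    raise ValueError(f"unsupported opcode {op:#04x} at offset {off}")


def linear_sweep(code, base, start):
    """Decode sequentially from `start` to the end of the buffer, the way
    gdb's disassemble does; returns [(address, text), ...]."""
    out, off = [], start
    while off < len(code):
        length, text = decode_one(code, off)
        out.append((base + off, text))
        off += length
    return out


if __name__ == "__main__":
    for start in (0, 3):
        print(f"--- sweep from {JUNK_BASE + start:#x}")
        for addr, text in linear_sweep(JUNK_BYTES, JUNK_BASE, start):
            print(f"{addr:#x}: {text}")
```

Sweeping from offset 0 reproduces the three junk instructions from the first listing; sweeping from offset 3 (0x8048547) yields the single mov edx,[0x804a02c] that actually loads ptr1. The listing does not show how control reaches 0x8048547, so the way to confirm which decoding the CPU executes is to single-step and watch the registers, as the context dumps in this writeup do.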

pwndbg> x /xw 0x804a02c
0x804a02c <ptr1>:   0x080486d0
pwndbg> x /50xb 0x080486d0
0x80486d0:  0xdf    0xd8    0x8d    0xa3    0x18    0xac    0x86    0x8b
0x80486d8:  0xa8    0x6e    0x76    0x24    0x4c    0x1d    0xcc    0xaf
0x80486e0:  0x4a    0x73    0x5e    0x24    0xdc    0xd5    0xa7    0x00
0x80486e8:  0x96    0x8b    0xca    0xd8    0x72    0xf9    0xe8    0xc0
0x80486f0:  0xf7    0x0d    0x46    0x40    0x29    0x42    0xa2    0x9f
0x80486f8:  0x3e    0x2c    0x34    0x71    0xb2    0x9e    0xda    0x00
0x8048700:  0x67    0x65

Since each input byte must satisfy input[i] ^ ptr1[i] == table[i], the expected input is the XOR of the bytes at these two locations:

# bytes at 0x80486e8 (the table cl is compared against)
a1 = [0x96, 0x8b, 0xca, 0xd8, 0x72, 0xf9, 0xe8, 0xc0, 0xf7, 0x0d, 0x46, 0x40, 0x29, 0x42, 0xa2, 0x9f, 0x3e, 0x2c, 0x34, 0x71, 0xb2, 0x9e, 0xda]
# bytes at 0x80486d0 (ptr1, XORed with each input byte)
a2 = [0xdf, 0xd8, 0x8d, 0xa3, 0x18, 0xac, 0x86, 0x8b, 0xa8, 0x6e, 0x76, 0x24, 0x4c, 0x1d, 0xcc, 0xaf, 0x4a, 0x73, 0x5e, 0x24, 0xdc, 0xd5, 0xa7]

flag = ""
for i in range(len(a1)):
    flag += chr(a1[i] ^ a2[i])
print(flag)
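To be sure the recovered string is what the binary accepts, it helps to port check() to Python exactly as the disassembly does it and run the candidate through it. This is an added example, not the original solve script; the tables are copied from the memory dumps above, and it takes the writeup's guess that ecx holds the input byte as given. It also shows the caveat the length check implies: strlen(input) is compared with jae (unsigned >=) and only 23 bytes are ever compared, so any input that starts with the 23 recovered bytes passes.

```python
# Added example: emulate check() from the disassembly and verify the solve.
# Tables copied from the pwndbg dumps, including the terminating 0x00 that
# strlen() stops at.
PTR1_TABLE = bytes.fromhex(   # 0x80486d0, reached via ptr1 at 0x804a02c
    "df d8 8d a3 18 ac 86 8b a8 6e 76 24 4c 1d cc af 4a 73 5e 24 dc d5 a7 00")
CMP_TABLE = bytes.fromhex(    # 0x80486e8, reached via the pointer at 0x804a030
    "96 8b ca d8 72 f9 e8 c0 f7 0d 46 40 29 42 a2 9f 3e 2c 34 71 b2 9e da 00")


def c_strlen(buf: bytes) -> int:
    """Behave like strlen(): count bytes up to the first NUL."""
    i = buf.find(b"\x00")
    return len(buf) if i < 0 else i


def check(user_input: bytes) -> bool:
    """Port of check(). Mirrors the disassembly step by step."""
    n = c_strlen(PTR1_TABLE)             # [ebp-0xc] = strlen(ptr1) = 23
    if c_strlen(user_input) < n:         # cmp edx,eax ; jae -> fail if shorter
        return False
    for i in range(n):                   # loop while [ebp-0x10] < [ebp-0xc]
        # xor ecx,eax (ecx assumed to hold input[i]) ; cmp cl,al
        if (user_input[i] ^ PTR1_TABLE[i]) & 0xFF != CMP_TABLE[i]:
            return False
    return True


def solve() -> str:
    """Invert the per-byte XOR: input[i] = ptr1[i] ^ cmp_table[i]."""
    n = c_strlen(PTR1_TABLE)
    return bytes(a ^ b for a, b in zip(PTR1_TABLE[:n], CMP_TABLE[:n])).decode()


if __name__ == "__main__":
    flag = solve()
    print(flag, check(flag.encode()))
    # Only the first 23 bytes are compared, so trailing garbage still passes.
    print(check(flag.encode() + b"trailing-bytes"))
```

Running check() on the XOR result confirms the solve; running it on the result with extra bytes appended shows that the binary never verifies anything past the 23rd byte.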

babynote
https://tower111.github.io/2018/08/30/ISG-babynote/
