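Still an easy challenge so far.
It is similar to the previous challenge: the program reads two inputs and compares each one against a specific value.
Pointers to those values are stored at %ebp - 0xc and %ebp - 0x10 near the start of the program and are used later as the comparison values.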
┌──(kali㉿kali)-[~/Downloads]
└─$ ./ch2.bin
############################################################
## Bienvennue dans ce challenge de cracking ##
############################################################
username: a
Bad username
┌──(kali㉿kali)-[~/Downloads]
└─$ gdb ch2.bin
GNU gdb (Debian 10.1-2+b1) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
GEF for linux ready, type `gef' to start, `gef config' to configure
90 commands loaded and 5 functions added for GDB 10.1.90.20210103-git in 0.01ms using Python engine 3.10
Reading symbols from ch2.bin...
gef➤ disas main
Dump of assembler code for function main:
0x08048309 <+0>: lea 0x4(%esp),%ecx
0x0804830d <+4>: and $0xfffffff0,%esp
0x08048310 <+7>: push -0x4(%ecx)
0x08048313 <+10>: push %ebp
0x08048314 <+11>: mov %esp,%ebp
0x08048316 <+13>: push %ecx
0x08048317 <+14>: sub $0x24,%esp
0x0804831a <+17>: movl $0x80a6b19,-0xc(%ebp)
0x08048321 <+24>: movl $0x80a6b1e,-0x10(%ebp)
0x08048328 <+31>: movl $0x80a6b2c,(%esp)
0x0804832f <+38>: call 0x8048de0 <puts>
0x08048334 <+43>: movl $0x80a6b6c,(%esp)
0x0804833b <+50>: call 0x8048de0 <puts>
0x08048340 <+55>: movl $0x80a6bac,(%esp)
0x08048347 <+62>: call 0x8048de0 <puts>
0x0804834c <+67>: movl $0x80a6bea,(%esp)
0x08048353 <+74>: call 0x8048db0 <printf>
0x08048358 <+79>: mov -0x8(%ebp),%eax
0x0804835b <+82>: mov %eax,(%esp)
0x0804835e <+85>: call 0x804826a <getString>
0x08048363 <+90>: mov %eax,-0x8(%ebp)
0x08048366 <+93>: mov -0xc(%ebp),%eax
0x08048369 <+96>: mov %eax,0x4(%esp)
0x0804836d <+100>: mov -0x8(%ebp),%eax
0x08048370 <+103>: mov %eax,(%esp)
0x08048373 <+106>: call 0x80502f0 <strcmp>
0x08048378 <+111>: test %eax,%eax
0x0804837a <+113>: jne 0x80483d0 <main+199>
0x0804837c <+115>: movl $0x80a6bf5,(%esp)
0x08048383 <+122>: call 0x8048db0 <printf>
0x08048388 <+127>: mov -0x8(%ebp),%eax
0x0804838b <+130>: mov %eax,(%esp)
0x0804838e <+133>: call 0x804826a <getString>
0x08048393 <+138>: mov %eax,-0x8(%ebp)
0x08048396 <+141>: mov -0x10(%ebp),%eax
0x08048399 <+144>: mov %eax,0x4(%esp)
0x0804839d <+148>: mov -0x8(%ebp),%eax
0x080483a0 <+151>: mov %eax,(%esp)
0x080483a3 <+154>: call 0x80502f0 <strcmp>
0x080483a8 <+159>: test %eax,%eax
0x080483aa <+161>: jne 0x80483c2 <main+185>
0x080483ac <+163>: movl $0x80a6c00,0x4(%esp)
0x080483b4 <+171>: movl $0x80a6c0c,(%esp)
0x080483bb <+178>: call 0x8048db0 <printf>
0x080483c0 <+183>: jmp 0x80483dc <main+211>
0x080483c2 <+185>: movl $0x80a6c52,(%esp)
0x080483c9 <+192>: call 0x8048de0 <puts>
0x080483ce <+197>: jmp 0x80483dc <main+211>
0x080483d0 <+199>: movl $0x80a6c5f,(%esp)
0x080483d7 <+206>: call 0x8048de0 <puts>
0x080483dc <+211>: mov $0x0,%eax
0x080483e1 <+216>: add $0x24,%esp
0x080483e4 <+219>: pop %ecx
0x080483e5 <+220>: pop %ebp
0x080483e6 <+221>: lea -0x4(%ecx),%esp
0x080483e9 <+224>: ret
End of assembler dump.
gef➤ x/s 0x80a6b19
0x80a6b19: "john"
gef➤ x/s 0x80a6b1e
0x80a6b1e: "the ripper"
gef➤ x/s 0x80a6c00
0x80a6c00: "----------#flag removed"
gef➤ x/s 0x80a6c0c
0x80a6c0c: "Bien joue, vous pouvez valider l'epreuve avec le mot de passe : %s !\n"
gef➤ x/s 0x80a6c52
0x80a6c52: "Bad password"
gef➤ x/s 0x80a6c5f
0x80a6c5f: "Bad username"
gef➤ quit
┌──(kali㉿kali)-[~/Downloads]
└─$ ./ch2.bin
############################################################
## Bienvennue dans ce challenge de cracking ##
############################################################
username: john
password: the ripper
Bien joue, vous pouvez valider l'epreuve avec le mot de passe : ----------#flag removed !
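The manual step above (following each strcmp's second argument back to the constant stored in a stack slot) can be expressed as a small data-flow pass over the listing. This is an added example, not part of the original write-up; the function name `strcmp_constants` is hypothetical, and it assumes cdecl arguments placed with `mov` as in this listing, with simple `src,dst` operands.

```python
import re

# Constructed sample: a subset of the main() listing above (AT&T syntax).
DISASM = """\
0x0804831a <+17>: movl $0x80a6b19,-0xc(%ebp)
0x08048321 <+24>: movl $0x80a6b1e,-0x10(%ebp)
0x08048366 <+93>: mov -0xc(%ebp),%eax
0x08048369 <+96>: mov %eax,0x4(%esp)
0x0804836d <+100>: mov -0x8(%ebp),%eax
0x08048370 <+103>: mov %eax,(%esp)
0x08048373 <+106>: call 0x80502f0 <strcmp>
0x08048396 <+141>: mov -0x10(%ebp),%eax
0x08048399 <+144>: mov %eax,0x4(%esp)
0x0804839d <+148>: mov -0x8(%ebp),%eax
0x080483a0 <+151>: mov %eax,(%esp)
0x080483a3 <+154>: call 0x80502f0 <strcmp>
"""
INSN = re.compile(r"^(0x[0-9a-f]+)\s+<\+\d+>:\s+(\w+)\s*(.*)$")

def strcmp_constants(listing):
    """Return [(call_addr, const_addr)] for the 2nd argument of each strcmp."""
    slots, eax, arg2, found = {}, None, None, []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        addr, op, operands = int(m.group(1), 16), m.group(2), m.group(3)
        if op.startswith("mov") and "," in operands:
            src, dst = (s.strip() for s in operands.split(",", 1))
            if src.startswith("$"):
                val = int(src[1:], 16)   # immediate (address of a constant)
            elif src == "%eax":
                val = eax                # whatever %eax is known to hold
            else:
                val = slots.get(src)     # known stack slot, else None
            if dst == "%eax":
                eax = val
            elif dst == "0x4(%esp)":
                arg2 = val               # cdecl: second argument of next call
            elif dst.endswith("(%ebp)"):
                slots[dst] = val         # local variable
        elif op == "call":
            if "<strcmp>" in operands and arg2 is not None:
                found.append((addr, arg2))
            eax = arg2 = None            # return value clobbers %eax
    return found

if __name__ == "__main__":
    print([(hex(c), hex(k)) for c, k in strcmp_constants(DISASM)])
```

The two addresses it reports are the ones the session reads with `x/s`, which is why credentials compared in plaintext inside a binary offer no protection.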