![[Cracking] ELF C++ - 0 protection](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FyGofQ%2FbtrHn7rlysi%2FbI3u7FOmjZ9Lq56o0PciA0%2Ftfile.svg)
728x90
반응형
C++은 또 이해하기 어렵구나...
아는 것보다 모르는 게 훨씬 많으니 공부할 맛이 난다.
해당 파일을 실행해보니 마찬가지로 인자를 passwd로 사용한다.
┌──(kali㉿kali)-[~/Downloads]
└─$ ./ch25.bin
usage : ./ch25.bin password
앞선 문제와 동일하게 문자열을 비교할 테니 strings 명령어로 문자를 뽑아봤지만 특별히 눈에 띄는 문자열은 없었다.
┌──(kali㉿kali)-[~/Downloads]
└─$ strings ch25.bin
/lib/ld-linux.so.2
CyIk
libstdc++.so.6
__gmon_start__
_Jv_RegisterClasses
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__pthread_key_create
_ZNSsixEj
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZSt4cout
_ZNSaIcED1Ev
_ZNSspLEc
_ZSt4cerr
_ZNKSs7compareEPKc
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZNSsC1EPKcRKSaIcE
_ZNSt8ios_base4InitC1Ev
_ZNSsD1Ev
_ZNKSs6lengthEv
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
_ZNSaIcEC1Ev
libgcc_s.so.1
_Unwind_Resume
libc.so.6
_IO_stdin_used
__cxa_atexit
__libc_start_main
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4
GLIBC_2.0
GLIBC_2.1.3
PTRh
,[^_]
[^_]
usage :
password
Bravo, tu peux valider en utilisant ce mot de passe...
Congratz. You can validate with this password...
Password incorrect.
;*2$"
zPLR
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.1) 4.8.4
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.gcc_except_table
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6591
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
crackme.cpp
_ZStL8__ioinit
_Z41__static_initialization_and_destruction_0ii
_GLOBAL__sub_I__Z5ploufSsSs
_ZZL18__gthread_active_pvE20__gthread_active_ptr
__FRAME_END__
__JCR_END__
_GLOBAL_OFFSET_TABLE_
__init_array_end
__init_array_start
_DYNAMIC
data_start
__cxa_atexit@@GLIBC_2.1.3
__libc_csu_fini
_start
_ZNSspLEc@@GLIBCXX_3.4
__gmon_start__
_Jv_RegisterClasses
_fp_hw
_ZNSsixEj@@GLIBCXX_3.4
_fini
_ZNSt8ios_base4InitC1Ev@@GLIBCXX_3.4
_ZSt4cerr@@GLIBCXX_3.4
_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_
__libc_start_main@@GLIBC_2.0
_ZNKSs6lengthEv@@GLIBCXX_3.4
_ZNSt8ios_base4InitD1Ev@@GLIBCXX_3.4
_ITM_deregisterTMCloneTable
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@@GLIBCXX_3.4
_IO_stdin_used
_ZNSsD1Ev@@GLIBCXX_3.4
_ITM_registerTMCloneTable
__data_start
__x86.get_pc_thunk.bx
_ZNKSs7compareEPKc@@GLIBCXX_3.4
__TMC_END__
_ZNSsC1EPKcRKSaIcE@@GLIBCXX_3.4
_ZSt4cout@@GLIBCXX_3.4
__dso_handle
__libc_csu_init
__bss_start
_ZNSaIcED1Ev@@GLIBCXX_3.4
__pthread_key_create
_end
_ZNSolsEPFRSoS_E@@GLIBCXX_3.4
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_@@GLIBCXX_3.4
_edata
_ZNSaIcEC1Ev@@GLIBCXX_3.4
__gxx_personality_v0@@CXXABI_1.3
_Unwind_Resume@@GCC_3.0
_Z5ploufSsSs
main
_init
그래서 gdb를 통해 main 함수를 한줄씩 실행하며 비교문에서 어떤 문자열이 비교되는지 확인하다가 이거다 싶은 문자열을 찾았다.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0xffffd064 → 0x8050ccc → "----------#플래그는 삭제"
$ebx : 0xffffd090 → 0x00000002
$ecx : 0x2e
$edx : 0xffffffff
$esp : 0xffffd054 → 0xffffd068 → 0x8050bdc → 0xaf67b350
$ebp : 0xffffd078 → 0x00000000
$esi : 0x2
$edi : 0x8048890 → <_start+0> xor %ebp, %ebp
$eip : 0x8048b51 → <main+203> sub $0x4, %esp
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63
──────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd054│+0x0000: 0xffffd068 → 0x8050bdc → 0xaf67b350 ← $esp
0xffffd058│+0x0004: 0xffffd06c → 0x8050bbc → 0xca15d618
0xffffd05c│+0x0008: 0x8048d72 → <__libc_csu_init+82> add $0x1, %edi
0xffffd060│+0x000c: 0x00000002
0xffffd064│+0x0010: 0x8050ccc → "----------#플래그는 삭제"
0xffffd068│+0x0014: 0x8050bdc → 0xaf67b350
0xffffd06c│+0x0018: 0x8050bbc → 0xca15d618
0xffffd070│+0x001c: 0xffffd090 → 0x00000002
────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
0x8048b45 <main+191> mov %edx, 0x4(%esp)
0x8048b49 <main+195> mov %eax, (%esp)
0x8048b4c <main+198> call 0x804898d <_Z5ploufSsSs>
→ 0x8048b51 <main+203> sub $0x4, %esp
0x8048b54 <main+206> lea -0x10(%ebp), %eax
0x8048b57 <main+209> mov %eax, (%esp)
0x8048b5a <main+212> call 0x8048800 <_ZNSsD1Ev@plt>
0x8048b5f <main+217> lea -0x16(%ebp), %eax
0x8048b62 <main+220> mov %eax, (%esp)
────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch25.bin", stopped 0x8048b51 in main (), reason: SINGLE STEP
──────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x8048b51 → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
strings 명령어로 직접 찾을 수 없는 이유는 특정 함수 내에서 연산을 통해 문자열을 만들어내기 때문.
이 프로그램에서는 _Z5ploufSsSs 함수가 그 역할을 하는 것을 알 수 있었다.
728x90
반응형
'Wargame > Root me' 카테고리의 다른 글
| [App-system] ELF x86 - Stack buffer and integer overflow (0) | 2022.10.22 |
|---|---|
| [App-system] ELF x86 - Stack buffer overflow - C++ vtables (0) | 2022.10.21 |
| [Cracking] PE x86 - 0 protection (0) | 2022.07.15 |
| [Cracking] ELF x86 - Basic (0) | 2022.07.15 |
| [App-Script] Bash - System 2 (0) | 2022.07.15 |