[Cracking] ELF C++ - 0 protection

C++은 또 이해하기 어렵구나...

 

아는 것보다 모르는 게 훨씬 많으니 공부할 맛이 난다.

 

해당 파일을 실행해보니 마찬가지로 인자를 passwd로 사용한다.

┌──(kali㉿kali)-[~/Downloads]
└─$ ./ch25.bin                                                
usage : ./ch25.bin password

 

앞선 문제와 동일하게 문자열을 비교할 테니 strings 명령어로 문자를 뽑아봤지만 특별히 눈에 띄는 문자열은 없었다.

 

┌──(kali㉿kali)-[~/Downloads]
└─$ strings ch25.bin 
/lib/ld-linux.so.2
CyIk
libstdc++.so.6
__gmon_start__
_Jv_RegisterClasses
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__pthread_key_create
_ZNSsixEj
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZSt4cout
_ZNSaIcED1Ev
_ZNSspLEc
_ZSt4cerr
_ZNKSs7compareEPKc
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZNSsC1EPKcRKSaIcE
_ZNSt8ios_base4InitC1Ev
_ZNSsD1Ev
_ZNKSs6lengthEv
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
_ZNSaIcEC1Ev
libgcc_s.so.1
_Unwind_Resume
libc.so.6
_IO_stdin_used
__cxa_atexit
__libc_start_main
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4
GLIBC_2.0
GLIBC_2.1.3
PTRh
,[^_]
[^_]
usage : 
 password
Bravo, tu peux valider en utilisant ce mot de passe...
Congratz. You can validate with this password...
Password incorrect.
;*2$"
zPLR
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.1) 4.8.4
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.gcc_except_table
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6591
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
crackme.cpp
_ZStL8__ioinit
_Z41__static_initialization_and_destruction_0ii
_GLOBAL__sub_I__Z5ploufSsSs
_ZZL18__gthread_active_pvE20__gthread_active_ptr
__FRAME_END__
__JCR_END__
_GLOBAL_OFFSET_TABLE_
__init_array_end
__init_array_start
_DYNAMIC
data_start
__cxa_atexit@@GLIBC_2.1.3
__libc_csu_fini
_start
_ZNSspLEc@@GLIBCXX_3.4
__gmon_start__
_Jv_RegisterClasses
_fp_hw
_ZNSsixEj@@GLIBCXX_3.4
_fini
_ZNSt8ios_base4InitC1Ev@@GLIBCXX_3.4
_ZSt4cerr@@GLIBCXX_3.4
_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_
__libc_start_main@@GLIBC_2.0
_ZNKSs6lengthEv@@GLIBCXX_3.4
_ZNSt8ios_base4InitD1Ev@@GLIBCXX_3.4
_ITM_deregisterTMCloneTable
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@@GLIBCXX_3.4
_IO_stdin_used
_ZNSsD1Ev@@GLIBCXX_3.4
_ITM_registerTMCloneTable
__data_start
__x86.get_pc_thunk.bx
_ZNKSs7compareEPKc@@GLIBCXX_3.4
__TMC_END__
_ZNSsC1EPKcRKSaIcE@@GLIBCXX_3.4
_ZSt4cout@@GLIBCXX_3.4
__dso_handle
__libc_csu_init
__bss_start
_ZNSaIcED1Ev@@GLIBCXX_3.4
__pthread_key_create
_end
_ZNSolsEPFRSoS_E@@GLIBCXX_3.4
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_@@GLIBCXX_3.4
_edata
_ZNSaIcEC1Ev@@GLIBCXX_3.4
__gxx_personality_v0@@CXXABI_1.3
_Unwind_Resume@@GCC_3.0
_Z5ploufSsSs
main
_init

 

그래서 gdb를 통해 main 함수를 한줄씩 실행하며 비교문에서 어떤 문자열이 비교되는지 확인하다가 이거다 싶은 문자열을 찾았다.

 

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0xffffd064  →  0x8050ccc  →  "----------#플래그는 삭제"
$ebx   : 0xffffd090  →  0x00000002
$ecx   : 0x2e      
$edx   : 0xffffffff
$esp   : 0xffffd054  →  0xffffd068  →  0x8050bdc  →  0xaf67b350
$ebp   : 0xffffd078  →  0x00000000
$esi   : 0x2       
$edi   : 0x8048890  →  <_start+0> xor %ebp, %ebp
$eip   : 0x8048b51  →  <main+203> sub $0x4, %esp
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63 
──────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd054│+0x0000: 0xffffd068  →  0x8050bdc  →  0xaf67b350      ← $esp
0xffffd058│+0x0004: 0xffffd06c  →  0x8050bbc  →  0xca15d618
0xffffd05c│+0x0008: 0x8048d72  →  <__libc_csu_init+82> add $0x1, %edi
0xffffd060│+0x000c: 0x00000002
0xffffd064│+0x0010: 0x8050ccc  →  "----------#플래그는 삭제"
0xffffd068│+0x0014: 0x8050bdc  →  0xaf67b350
0xffffd06c│+0x0018: 0x8050bbc  →  0xca15d618
0xffffd070│+0x001c: 0xffffd090  →  0x00000002
────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
    0x8048b45 <main+191>       mov    %edx, 0x4(%esp)
    0x8048b49 <main+195>       mov    %eax, (%esp)
    0x8048b4c <main+198>       call   0x804898d <_Z5ploufSsSs>
 →  0x8048b51 <main+203>       sub    $0x4, %esp
    0x8048b54 <main+206>       lea    -0x10(%ebp), %eax
    0x8048b57 <main+209>       mov    %eax, (%esp)
    0x8048b5a <main+212>       call   0x8048800 <_ZNSsD1Ev@plt>
    0x8048b5f <main+217>       lea    -0x16(%ebp), %eax
    0x8048b62 <main+220>       mov    %eax, (%esp)
────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch25.bin", stopped 0x8048b51 in main (), reason: SINGLE STEP
──────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x8048b51 → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────

 

strings 명령어로 직접 찾을 수 없는 이유는 특정 함수 내에서 연산을 통해 문자열을 만들어내기 때문.

이 프로그램에서는 _Z5ploufSsSs 함수가 그 역할을 하는 것을 알 수 있었다.