CTF

KnightCTF 2023 - KrackMe 1.0
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { unsigned int i; // [rsp+10h] [rbp-170h] unsigned int j; // [rsp+10h] [rbp-170h] unsigned int k; // [rsp+10h] [rbp-170h] unsigned int m; // [rsp+10h] [rbp-170h] unsigned int n; // [rsp+10h] [rbp-170h] int ii; // [rsp+10h] [rbp-170h] int jj; // [rsp+10h] [rbp-170h] unsigned int kk; // [rsp+10h] [rbp-..

idekCTF 2022 - Typop
1. intro bof + rop + rcu가 복합적으로 이루어져 공부하기 좋은 문제였다. 2. code 2.1. code 2.1.2. main int __cdecl main(int argc, const char **argv, const char **envp) { setvbuf(_bss_start, 0LL, 2, 0LL); while ( puts("Do you want to complete a survey?") && getchar() == 'y' ) { getchar(); getFeedback(); } return 0; } 2.1.2. getFeedback unsigned __int64 getFeedback() { __int64 buf; // [rsp+Eh] [rbp-12h] BYREF __int16 v..

IRIS CTF - ret2libm
1. intro 2. code 및 분석 2.1. code #include <math.h> #include <stdio.h> // gcc -fno-stack-protector -lm int main(int argc, char* argv) { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); char yours[8]; printf("Check out my pecs: %p\n", fabs); printf("How about yours? "); gets(yours); printf("Let's see how they stack up."); return 0; } 2.2. 분석 제공된 압축 파일을 풀어보면 libc, libm, 문제파일, 소스코드가 포함되어 있다. 프로그램을 실행해보..

Hackappatoi CTF 2022 - [PWN] beerop (unsolved)
1. intro 2. code 및 분석 2.1. code 이 문제는 코드보다 어셈블러 코드로 보는 것이 더 나은 것 같아 불필요한 부분을 삭제하여 그대로 올린다. ┌──(kali㉿kali)-[~/Downloads] └─$ objdump -D beerop beerop: file format elf64-x86-64 ...... Disassembly of section .text: 0000000000001000 : 1000: 55 push %rbp 1001: 48 89 e5 mov %rsp,%rbp 1004: 48 8d 05 f5 0f 00 00 lea 0xff5(%rip),%rax # 0x2000 100b: 48 89 45 f8 mov %rax,-0x8(%rbp) 100f: 48 c7 c0 09 00 00 ..

Hackappatoi CTF 2022 - [PWN] heap baby v2
1. intro 2. code 및 분석 2.1. code int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { unsigned int choice; // [rsp+1Ch] [rbp-4h] setup(); while ( 1 ) { choice = menu(); if ( choice == 3 ) break; if ( choice 4 ) { puts("nope is not a place that!"); } else { user_idx *= 2; v0 = user_idx; user_tuples[v0] = (char *)malloc(0x10uLL); v1 = user_idx + 1; user_tuples[v1] = (char *..

Hackappatoi CTF 2022 - [PWN] Endless Queue
1. intro 2. code 및 분석 2.1. code int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { setup(); banner(); bar_queue(); } void __fastcall __noreturn bar_queue() { unsigned int v0; // eax unsigned int hours; // [rsp+Ch] [rbp-54h] char buffer[64]; // [rsp+10h] [rbp-50h] BYREF unsigned __int64 v3; // [rsp+58h] [rbp-8h] v3 = __readfsqword(0x28u); memset(buffer, 0, sizeof(buffer..

Hackappatoi CTF 2022 - [PWN] Sanity drink
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { char user_password[32]; // [rsp+0h] [rbp-50h] BYREF char otp_password[32]; // [rsp+20h] [rbp-30h] BYREF unsigned __int64 v7; // [rsp+48h] [rbp-8h] v7 = __readfsqword(0x28u); puts("------------------------------------------------------------"); puts("---------------[ Pwners Secret Club Access ]-----..