-
-
[原创]看雪.京东 2018CTF 第三题 PWN_wow WriteUp
-
发表于: 2018-6-21 12:01
-
0x4008c5 0x65 e
0x40090c 0x13
0x400953 0x4b K
0x40099a 0x25 %
0x4009d8 0x44 D
evXnaK
key为evXnaK
3.漏洞
【1】RELRO:RELRO会有Partial RELRO和FULL RELRO,如果开启FULL RELRO,意味着我们无法修改got表
【2】Stack:如果栈中开启Canary found,那么就不能用直接用溢出的方法覆盖栈中返回地址,而且要通过改写指针与局部变量、leak canary
、overwrite canary的方法来绕过
【3】NX:NX enabled如果这个保护开启就是意味着栈中数据没有执行权限,以前的经常用的call esp或者jmp esp的方法就不能使用,但是可
以利用rop这种方法绕过
【4】PIE:PIE enabled如果程序开启这个地址随机化选项就意味着程序每次运行的时候地址都会变化,而如果没有开PIE的话那么No PIE
(0x400000),括号内的数据就是程序的基地址
【5】FORTIFY:FORTIFY_SOURCE机制对格式化字符串有两个限制(1)包含%n的格式化字符串不能位于程序内存中的可写地址。(2)当使用位置参
数时,必须使用范围内的所有参数。所以如果要使用%7$x,你必须同时使用1,2,3,4,5和6。
【1】RELRO:RELRO会有Partial RELRO和FULL RELRO,如果开启FULL RELRO,意味着我们无法修改got表
【2】Stack:如果栈中开启Canary found,那么就不能用直接用溢出的方法覆盖栈中返回地址,而且要通过改写指针与局部变量、leak canary
、overwrite canary的方法来绕过
【3】NX:NX enabled如果这个保护开启就是意味着栈中数据没有执行权限,以前的经常用的call esp或者jmp esp的方法就不能使用,但是可
以利用rop这种方法绕过
【4】PIE:PIE enabled如果程序开启这个地址随机化选项就意味着程序每次运行的时候地址都会变化,而如果没有开PIE的话那么No PIE
(0x400000),括号内的数据就是程序的基地址
【5】FORTIFY:FORTIFY_SOURCE机制对格式化字符串有两个限制(1)包含%n的格式化字符串不能位于程序内存中的可写地址。(2)当使用位置参
数时,必须使用范围内的所有参数。所以如果要使用%7$x,你必须同时使用1,2,3,4,5和6。
网上搜的解释,凑合着看吧。
开了NX,栈上数据就没法执行了。
- 2.程序分析
1 2 3 4 5 6 7 | int __cdecl main(int argc, const char **argv, const char **envp){ setbuf(stdin, 0LL); setbuf(stdout, 0LL); welcome(); JUMPOUT(__CS__, 4196376LL);} |
1 2 3 4 5 6 7 8 9 10 11 12 13 | __int64 welcome(){ puts("***************************\n"); puts("2018 kanxue CTF\n"); puts("***************************\n"); puts("***************************\n"); puts("常记溪亭日暮,沉醉不知归路。\n"); puts("兴尽晚回舟,误入藕花深处。\n"); puts("争渡,争渡,惊起一滩鸥鹭。\n"); puts(asc_400C01); puts("***************************\n"); return test();} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | .text:0000000000400751 public test.text:0000000000400751 test proc near ; CODE XREF: welcome+63↑p.text:0000000000400751 ; __unwind {.text:0000000000400751 push rbp.text:0000000000400752 mov rbp, rsp.text:0000000000400755 mov rax, 65h.text:000000000040075C mov rcx, 0.text:0000000000400763 mov rdx, 1 ; addr.text:000000000040076A mov rsi, 0 ; pid.text:0000000000400771 mov rdi, 0 ; request.text:0000000000400778 syscall ; LINUX - sys_ptrace.text:000000000040077A cmp rax, 0.text:000000000040077E jmp short L_K1 //这里不跳就退出了,算是个反调试,改为jmp 只有一直执行这个程序.text:0000000000400780 ; ---------------------------------------------------------------------------.text:0000000000400780 mov rax, 3Ch.text:0000000000400787 mov rdi, 0 ; error_code.text:000000000040078E syscall ; LINUX - sys_exit.text:0000000000400790.text:0000000000400790 L_K1: ; CODE XREF: test+2D↑j.text:0000000000400790 nop.text:0000000000400791 nop.text:0000000000400792 pop rbp.text:0000000000400793 retn.text:0000000000400793 ; } // starts at 400751.text:0000000000400793 test endp.text:0000000000400793 |
1 2 3 4 5 6 7 | int __cdecl main(int argc, const char **argv, const char **envp){ setbuf(stdin, 0LL); setbuf(stdout, 0LL); welcome(); JUMPOUT(__CS__, 4196376LL);} |
1 2 3 4 5 6 7 8 9 10 11 12 13 | __int64 welcome(){ puts("***************************\n"); puts("2018 kanxue CTF\n"); puts("***************************\n"); puts("***************************\n"); puts("常记溪亭日暮,沉醉不知归路。\n"); puts("兴尽晚回舟,误入藕花深处。\n"); puts("争渡,争渡,惊起一滩鸥鹭。\n"); puts(asc_400C01); puts("***************************\n"); return test();} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | .text:0000000000400751 public test.text:0000000000400751 test proc near ; CODE XREF: welcome+63↑p.text:0000000000400751 ; __unwind {.text:0000000000400751 push rbp.text:0000000000400752 mov rbp, rsp.text:0000000000400755 mov rax, 65h.text:000000000040075C mov rcx, 0.text:0000000000400763 mov rdx, 1 ; addr.text:000000000040076A mov rsi, 0 ; pid.text:0000000000400771 mov rdi, 0 ; request.text:0000000000400778 syscall ; LINUX - sys_ptrace.text:000000000040077A cmp rax, 0.text:000000000040077E jmp short L_K1 //这里不跳就退出了,算是个反调试,改为jmp 只有一直执行这个程序.text:0000000000400780 ; ---------------------------------------------------------------------------.text:0000000000400780 mov rax, 3Ch.text:0000000000400787 mov rdi, 0 ; error_code.text:000000000040078E syscall ; LINUX - sys_exit.text:0000000000400790.text:0000000000400790 L_K1: ; CODE XREF: test+2D↑j.text:0000000000400790 nop.text:0000000000400791 nop.text:0000000000400792 pop rbp.text:0000000000400793 retn.text:0000000000400793 ; } // starts at 400751.text:0000000000400793 test endp.text:0000000000400793 |
1 2 3 4 5 6 7 | int __cdecl main(int argc, const char **argv, const char **envp){ setbuf(stdin, 0LL); setbuf(stdout, 0LL); welcome(); JUMPOUT(__CS__, 4196376LL);} |
1 2 3 4 5 6 7 8 9 10 11 12 13 | __int64 welcome(){ puts("***************************\n"); puts("2018 kanxue CTF\n"); puts("***************************\n"); puts("***************************\n"); puts("常记溪亭日暮,沉醉不知归路。\n"); puts("兴尽晚回舟,误入藕花深处。\n"); puts("争渡,争渡,惊起一滩鸥鹭。\n"); puts(asc_400C01); puts("***************************\n"); return test();} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | .text:0000000000400751 public test.text:0000000000400751 test proc near ; CODE XREF: welcome+63↑p.text:0000000000400751 ; __unwind {.text:0000000000400751 push rbp.text:0000000000400752 mov rbp, rsp.text:0000000000400755 mov rax, 65h.text:000000000040075C mov rcx, 0.text:0000000000400763 mov rdx, 1 ; addr.text:000000000040076A mov rsi, 0 ; pid.text:0000000000400771 mov rdi, 0 ; request.text:0000000000400778 syscall ; LINUX - sys_ptrace.text:000000000040077A cmp rax, 0.text:000000000040077E jmp short L_K1 //这里不跳就退出了,算是个反调试,改为jmp 只有一直执行这个程序.text:0000000000400780 ; ---------------------------------------------------------------------------.text:0000000000400780 mov rax, 3Ch.text:0000000000400787 mov rdi, 0 ; error_code.text:000000000040078E syscall ; LINUX - sys_exit.text:0000000000400790.text:0000000000400790 L_K1: ; CODE XREF: test+2D↑j.text:0000000000400790 nop.text:0000000000400791 nop.text:0000000000400792 pop rbp.text:0000000000400793 retn.text:0000000000400793 ; } // starts at 400751.text:0000000000400793 test endp.text:0000000000400793 |
1 2 3 4 5 6 7 8 9 10 11 12 13 | __int64 welcome(){ puts("***************************\n"); puts("2018 kanxue CTF\n"); puts("***************************\n"); puts("***************************\n"); puts("常记溪亭日暮,沉醉不知归路。\n"); puts("兴尽晚回舟,误入藕花深处。\n"); puts("争渡,争渡,惊起一滩鸥鹭。\n"); puts(asc_400C01); puts("***************************\n"); return test();} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | .text:0000000000400751 public test.text:0000000000400751 test proc near ; CODE XREF: welcome+63↑p.text:0000000000400751 ; __unwind {.text:0000000000400751 push rbp.text:0000000000400752 mov rbp, rsp.text:0000000000400755 mov rax, 65h.text:000000000040075C mov rcx, 0.text:0000000000400763 mov rdx, 1 ; addr.text:000000000040076A mov rsi, 0 ; pid.text:0000000000400771 mov rdi, 0 ; request.text:0000000000400778 syscall ; LINUX - sys_ptrace.text:000000000040077A cmp rax, 0.text:000000000040077E jmp short L_K1 //这里不跳就退出了,算是个反调试,改为jmp 只有一直执行这个程序.text:0000000000400780 ; ---------------------------------------------------------------------------.text:0000000000400780 mov rax, 3Ch.text:0000000000400787 mov rdi, 0 ; error_code.text:000000000040078E syscall ; LINUX - sys_exit.text:0000000000400790.text:0000000000400790 L_K1: ; CODE XREF: test+2D↑j.text:0000000000400790 nop.text:0000000000400791 nop.text:0000000000400792 pop rbp.text:0000000000400793 retn.text:0000000000400793 ; } // starts at 400751.text:0000000000400793 test endp.text:0000000000400793 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | .text:0000000000400751 public test.text:0000000000400751 test proc near ; CODE XREF: welcome+63↑p.text:0000000000400751 ; __unwind {.text:0000000000400751 push rbp.text:0000000000400752 mov rbp, rsp.text:0000000000400755 mov rax, 65h.text:000000000040075C mov rcx, 0.text:0000000000400763 mov rdx, 1 ; addr.text:000000000040076A mov rsi, 0 ; pid.text:0000000000400771 mov rdi, 0 ; request.text:0000000000400778 syscall ; LINUX - sys_ptrace.text:000000000040077A cmp rax, 0.text:000000000040077E jmp short L_K1 //这里不跳就退出了,算是个反调试,改为jmp 只有一直执行这个程序.text:0000000000400780 ; ---------------------------------------------------------------------------.text:0000000000400780 mov rax, 3Ch.text:0000000000400787 mov rdi, 0 ; error_code.text:000000000040078E syscall ; LINUX - sys_exit.text:0000000000400790.text:0000000000400790 L_K1: ; CODE XREF: test+2D↑j.text:0000000000400790 nop.text:0000000000400791 nop.text:0000000000400792 pop rbp.text:0000000000400793 retn.text:0000000000400793 ; } // starts at 400751.text:0000000000400793 test endp.text:0000000000400793 |
接下来就进入关键代码了:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | .text:0000000000400818 sar rax, 0Ch.text:000000000040081C shl rax, 0Ch.text:0000000000400820 mov rdi, rax.text:0000000000400823.text:0000000000400823 loc_400823: ; CODE XREF: .text:000000000040088E↓j.text:0000000000400823 mov rdx, 7.text:000000000040082A mov rax, 0Ah.text:0000000000400831 mov rsi, 1000h.text:0000000000400838 syscall ; LINUX - sys_mprotect.text:000000000040083A xor rax, rax.text:000000000040083D mov rdx, 6.text:0000000000400844 push rax.text:0000000000400845 lea rax, ds:601080h.text:000000000040084D mov rsi, rax.text:0000000000400850 pop rax.text:0000000000400851 mov rdi, rax.text:0000000000400854 syscall ; LINUX -read 函数,读取6个字符到601080.text:0000000000400856 call $+5.text:000000000040085B pop rax.text:000000000040085C add rax, 24h.text:0000000000400860 xor rcx, rcx.text:0000000000400863 mov dl, [rsi+rcx].text:0000000000400866.text:0000000000400866 L1_64: ; CODE XREF: .text:0000000000400878↓j.text:0000000000400866 ; .text:000000000040087D↓j.text:0000000000400866 mov bl, [rax+rcx].text:0000000000400869 xor bl, dl.text:000000000040086B mov [rax+rcx], bl.text:000000000040086E.text:000000000040086E loc_40086E:.text:000000000040086E mov dh, [rax+rcx-1].text:0000000000400872.text:0000000000400872 loc_400872:.text:0000000000400872 inc rcx.text:0000000000400875 cmp dh, 0FBh.text:0000000000400878 jz short L1_64.text:000000000040087A cmp bl, 90h.text:000000000040087D jnz short L1_64 |
之后的主要是代码自解压。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | .text:0000000000400818 sar rax, 0Ch.text:000000000040081C shl rax, 0Ch.text:0000000000400820 mov rdi, rax.text:0000000000400823.text:0000000000400823 loc_400823: ; CODE XREF: .text:000000000040088E↓j.text:0000000000400823 mov rdx, 7.text:000000000040082A mov rax, 0Ah.text:0000000000400831 mov rsi, 1000h.text:0000000000400838 syscall ; LINUX - sys_mprotect.text:000000000040083A xor rax, rax.text:000000000040083D mov rdx, 6.text:0000000000400844 push rax.text:0000000000400845 lea rax, ds:601080h.text:000000000040084D mov rsi, rax.text:0000000000400850 pop rax.text:0000000000400851 mov rdi, rax.text:0000000000400854 syscall ; LINUX -read 函数,读取6个字符到601080.text:0000000000400856 call $+5.text:000000000040085B pop rax.text:000000000040085C add rax, 24h.text:0000000000400860 xor rcx, rcx.text:0000000000400863 mov dl, [rsi+rcx].text:0000000000400866.text:0000000000400866 L1_64: ; CODE XREF: .text:0000000000400878↓j.text:0000000000400866 ; .text:000000000040087D↓j.text:0000000000400866 mov bl, [rax+rcx].text:0000000000400869 xor bl, dl.text:000000000040086B mov [rax+rcx], bl.text:000000000040086E.text:000000000040086E loc_40086E:.text:000000000040086E mov dh, [rax+rcx-1].text:0000000000400872.text:0000000000400872 loc_400872:.text:0000000000400872 inc rcx.text:0000000000400875 cmp dh, 0FBh.text:0000000000400878 jz short L1_64.text:000000000040087A cmp bl, 90h.text:000000000040087D jnz short L1_64 |
之后的主要是代码自解压。
根据用户输入的字符(总共6个)进行6段代码的解压。
解压后代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 | text:000000000040087F 48 8D 04 08 lea rax, [rax+rcx] ecx=4a.text:0000000000400883 48 2D 80 00 00 00 sub rax, 80h rax=400849.text:0000000000400889 48 31 C9 xor rcx, rcx.text:000000000040088C.text:000000000040088C loc_40088C: ; CODE XREF: .text:000000000040089B↓j.text:000000000040088C 8A 1C 08 mov bl, [rax+rcx].text:000000000040088F 30 D3 xor bl, dl.text:0000000000400891 88 1C 08 mov [rax+rcx], bl.text:0000000000400894 48 FF C1 inc rcx.text:0000000000400897 48 83 F9 20 cmp rcx, 20h.text:000000000040089B 7C EF jl short loc_40088C.text:000000000040089D 48 05 80 00 00 00 add rax, 80h rax 4008c9.text:00000000004008A3 48 31 C9 xor rcx, rcx.text:00000000004008A6 8A 14 0E mov dl, [rsi+rcx].text:00000000004008A9 48 FF C6 inc rsi.text:00000000004008AC 32 14 0E xor dl, [rsi+rcx] 输入的第一个字符与第二个异或.text:00000000004008AF.text:00000000004008AF L2_64: ; CODE XREF: .text:00000000004008C1↓j.text:00000000004008AF ; .text:00000000004008C6↓j.text:00000000004008AF 8A 1C 08 mov bl, [rax+rcx] rax=4008c9.text:00000000004008B2 30 D3 xor bl, dl.text:00000000004008B4 88 1C 08 mov [rax+rcx], bl.text:00000000004008B7 8A 74 08 FF mov dh, [rax+rcx-1].text:00000000004008BB 48 FF C1 inc rcx.text:00000000004008BE 80 FE FB cmp dh, 0FBh.text:00000000004008C1 74 EC jz short L2_64.text:00000000004008C3 80 FB 90 cmp bl, 90h.text:00000000004008C6 75 E7 jnz short L2_64.text:00000000004008C8 90 nop.text:00000000004008C9 48 8D 04 08 lea rax, [rax+rcx].text:00000000004008CD 48 2D 80 00 00 00 sub rax, 80h.text:00000000004008D3 48 31 C9 xor rcx, rcx.text:00000000004008D6.text:00000000004008D6 LEn1_64: ; CODE XREF: .text:00000000004008E5↓j.text:00000000004008D6 8A 1C 08 mov bl, [rax+rcx].text:00000000004008D9 30 D3 xor bl, dl.text:00000000004008DB 88 1C 08 mov [rax+rcx], bl.text:00000000004008DE 48 FF C1 inc rcx.text:00000000004008E1 48 83 F9 20 cmp rcx, 20h.text:00000000004008E5 7C EF jl short LEn1_64.text:00000000004008E7 48 05 80 00 00 00 add rax, 80h.text:00000000004008ED 48 31 C9 xor rcx, rcx.text:00000000004008F0 48 FF C6 inc rsi.text:00000000004008F3 32 14 0E xor dl, [rsi+rcx] 第三个字符与(第一个与第二个字符的xor结果0x13异或).text:00000000004008F6.text:00000000004008F6 L3_64: ; CODE XREF: .text:0000000000400908↓j.text:00000000004008F6 ; .text:000000000040090D↓j.text:00000000004008F6 8A 1C 08 mov bl, [rax+rcx].text:00000000004008F9 30 D3 xor bl, dl.text:00000000004008FB 88 1C 08 mov [rax+rcx], bl.text:00000000004008FE 8A 74 08 FF mov dh, [rax+rcx-1].text:0000000000400902 48 FF C1 inc rcx.text:0000000000400905 80 FE FB cmp dh, 0FBh.text:0000000000400908 74 EC jz short L3_64.text:000000000040090A 80 FB 90 cmp bl, 90h.text:000000000040090D 75 E7 jnz short L3_64.text:000000000040090F 90 nop.text:0000000000400910 48 8D 04 08 lea rax, [rax+rcx].text:0000000000400914 48 2D 80 00 00 00 sub rax, 80h.text:000000000040091A 48 31 C9 xor rcx, rcx.text:000000000040091D.text:000000000040091D LEn2_64: ; CODE XREF: .text:000000000040092C↓j.text:000000000040091D 8A 1C 08 mov bl, [rax+rcx].text:0000000000400920 30 D3 xor bl, dl.text:0000000000400922 88 1C 08 mov [rax+rcx], bl.text:0000000000400925 48 FF C1 inc rcx.text:0000000000400928 48 83 F9 20 cmp rcx, 20h.text:000000000040092C 7C EF jl short LEn2_64.text:000000000040092E 48 05 80 00 00 00 add rax, 80h.text:0000000000400934 48 31 C9 xor rcx, rcx.text:0000000000400937 48 FF C6 inc rsi.text:000000000040093A 32 14 0E xor dl, [rsi+rcx].text:000000000040093D.text:000000000040093D L4_64: ; CODE XREF: .text:000000000040094F↓j.text:000000000040093D 8A 1C 08 mov bl, [rax+rcx].text:0000000000400940 30 D3 xor bl, dl.text:0000000000400942 88 1C 08 mov [rax+rcx], bl.text:0000000000400945 8A 74 08 FF mov dh, [rax+rcx-1].text:0000000000400949 48 FF C1 inc rcx.text:000000000040094C 80 FE FB cmp dh, 0FBh.text:000000000040094F 74 EC jz short L4_64.text:0000000000400951 80 FB 90 cmp bl, 90h.text:0000000000400954 75 E7 jnz short L4_64.text:0000000000400956 90 nop.text:00000000004009DC 48 8D 04 08 lea rax, [rax+rcx].text:00000000004009E0 48 2D C0 00 00 00 sub rax, 0C0h.text:00000000004009E6 48 31 C9 xor rcx, rcx.text:00000000004009E9.text:00000000004009E9 LEn5_64: ; CODE XREF: .text:00000000004009F8↓j.text:00000000004009E9 8A 1C 08 mov bl, [rax+rcx].text:00000000004009EC 30 D3 xor bl, dl.text:00000000004009EE 88 1C 08 mov [rax+rcx], bl.text:00000000004009F1 48 FF C1 inc rcx.text:00000000004009F4 48 83 F9 20 cmp rcx, 20h.text:00000000004009F8 7C EF jl short LEn5_64.text:00000000004009FA 48 C7 C0 01 00 00 00 mov rax, 1.text:0000000000400A01 48 C7 C2 05 00 00 00 mov rdx, 5.text:0000000000400A08 48 8D 34 25 58 10 60 00 lea rsi, szCh2 ; "wow!\n".text:0000000000400A10 48 89 C7 mov rdi, rax.text:0000000000400A13 0F 05 syscall ; LINUX - sys_write.text:0000000000400A15 BF 00 00 00 00 mov edi, 0.text:0000000000400A1A E8 B1 FB FF FF call _fflush.text:0000000000400A1F 48 39 C0 cmp rax, rax.text:0000000000400A22.text:0000000000400A22 L_J0:.text:0000000000400A22 75 12 jnz short near ptr loc_400A33+3.text:0000000000400A24 E8 00 00 00 00 call $+5.text:0000000000400A29.text:0000000000400A29 L_J1:.text:0000000000400A29 58 pop rax.text:0000000000400A2A 48 83 C0 07 add rax, 7.text:0000000000400A2E FF E0 jmp rax.text:0000000000400A30 ; ---------------------------------------------------------------------------.text:0000000000400A30 48 31 C0 xor rax, rax.text:0000000000400A33.text:0000000000400A33 loc_400A33: ; CODE XREF: .text:L_J0↑j.text:0000000000400A33 48 C7 C2 1A 00 00 00 mov rdx, 1Ah.text:0000000000400A3A 48 89 E6 mov rsi, rsp.text:0000000000400A3D 48 89 24 25 88 10 60 00 mov ds:lpGoble, rsp.text:0000000000400A45 48 89 C7 mov rdi, rax.text:0000000000400A48 0F 05 syscall ; LINUX - sys_read.text:0000000000400A4A 48 8B 05 37 06 20 00 mov rax, cs:lpGoble.text:0000000000400A51 48 89 C7 mov rdi, rax.text:0000000000400A54 B8 00 00 00 00 mov eax, 0.text:0000000000400A59 E8 52 FB FF FF call _printf.text:0000000000400A5E 48 31 C0 xor rax, rax.text:0000000000400A61 48 C7 C2 00 02 00 00 mov rdx, 200h.text:0000000000400A68 48 8D 74 24 E0 lea rsi, [rsp-20h].text:0000000000400A6D 48 89 C7 mov rdi, rax.text:0000000000400A70 0F 05 syscall ; LINUX - sys_read.text:0000000000400A72 90 nop.text:0000000000400A73 E8 00 00 00 00 call $+5.text:0000000000400A78.text:0000000000400A78 L_en:.text:0000000000400A78 58 pop rax.text:0000000000400A79 48 83 C0 07 add rax, 7.text:0000000000400A7D FF E0 jmp rax.text:0000000000400A7F ; ---------------------------------------------------------------------------.text:0000000000400A7F 48 C1 F8 0C sar rax, 0Ch.text:0000000000400A83 48 C1 E0 0C shl rax, 0Ch.text:0000000000400A87 48 89 C7 mov rdi, rax.text:0000000000400A8A 48 C7 C2 05 00 00 00 mov rdx, 5.text:0000000000400A91 48 C7 C0 0A 00 00 00 mov rax, 0Ah.text:0000000000400A98 48 C7 C6 00 10 00 00 mov rsi, 1000h.text:0000000000400A9F 0F 05 syscall ; LINUX - sys_mprotect.text:0000000000400AA1 B8 00 00 00 00 mov eax, 0.text:0000000000400AA6 48 8B 55 F8 mov rdx, [rbp-8].text:0000000000400AAA 64 48 33 14 25 28 00 00+xor rdx, fs:28h.text:0000000000400AB3 74 05 jz short locret_400ABA.text:0000000000400AB5 E8 D6 FA FF FF call ___stack_chk_fail.text:0000000000400ABA ; ---------------------------------------------------------------------------.text:0000000000400ABA.text:0000000000400ABA locret_400ABA: ; CODE XREF: .text:0000000000400AB3↑j.text:0000000000400ABA C9 leave.text:0000000000400ABB C3 retn.text:0000000000400ABB ; } // starts at 400794 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 | text:000000000040087F 48 8D 04 08 lea rax, [rax+rcx] ecx=4a.text:0000000000400883 48 2D 80 00 00 00 sub rax, 80h rax=400849.text:0000000000400889 48 31 C9 xor rcx, rcx.text:000000000040088C.text:000000000040088C loc_40088C: ; CODE XREF: .text:000000000040089B↓j.text:000000000040088C 8A 1C 08 mov bl, [rax+rcx].text:000000000040088F 30 D3 xor bl, dl.text:0000000000400891 88 1C 08 mov [rax+rcx], bl.text:0000000000400894 48 FF C1 inc rcx.text:0000000000400897 48 83 F9 20 cmp rcx, 20h.text:000000000040089B 7C EF jl short loc_40088C.text:000000000040089D 48 05 80 00 00 00 add rax, 80h rax 4008c9.text:00000000004008A3 48 31 C9 xor rcx, rcx.text:00000000004008A6 8A 14 0E mov dl, [rsi+rcx].text:00000000004008A9 48 FF C6 inc rsi.text:00000000004008AC 32 14 0E xor dl, [rsi+rcx] 输入的第一个字符与第二个异或.text:00000000004008AF.text:00000000004008AF L2_64: ; CODE XREF: .text:00000000004008C1↓j.text:00000000004008AF ; .text:00000000004008C6↓j.text:00000000004008AF 8A 1C 08 mov bl, [rax+rcx] rax=4008c9.text:00000000004008B2 30 D3 xor bl, dl.text:00000000004008B4 88 1C 08 mov [rax+rcx], bl.text:00000000004008B7 8A 74 08 FF mov dh, [rax+rcx-1].text:00000000004008BB 48 FF C1 inc rcx.text:00000000004008BE 80 FE FB cmp dh, 0FBh.text:00000000004008C1 74 EC jz short L2_64.text:00000000004008C3 80 FB 90 cmp bl, 90h.text:00000000004008C6 75 E7 jnz short L2_64.text:00000000004008C8 90 nop.text:00000000004008C9 48 8D 04 08 lea rax, [rax+rcx].text:00000000004008CD 48 2D 80 00 00 00 sub rax, 80h.text:00000000004008D3 48 31 C9 xor rcx, rcx.text:00000000004008D6.text:00000000004008D6 LEn1_64: ; CODE XREF: .text:00000000004008E5↓j.text:00000000004008D6 8A 1C 08 mov bl, [rax+rcx].text:00000000004008D9 30 D3 xor bl, dl.text:00000000004008DB 88 1C 08 mov [rax+rcx], bl.text:00000000004008DE 48 FF C1 inc rcx.text:00000000004008E1 48 83 F9 20 cmp rcx, 20h.text:00000000004008E5 7C EF jl short LEn1_64.text:00000000004008E7 48 05 80 00 00 00 add rax, 80h.text:00000000004008ED 48 31 C9 xor rcx, rcx.text:00000000004008F0 48 FF C6 inc rsi.text:00000000004008F3 32 14 0E xor dl, [rsi+rcx] 第三个字符与(第一个与第二个字符的xor结果0x13异或).text:00000000004008F6.text:00000000004008F6 L3_64: ; CODE XREF: .text:0000000000400908↓j.text:00000000004008F6 ; .text:000000000040090D↓j.text:00000000004008F6 8A 1C 08 mov bl, [rax+rcx].text:00000000004008F9 30 D3 xor bl, dl.text:00000000004008FB 88 1C 08 mov [rax+rcx], bl.text:00000000004008FE 8A 74 08 FF mov dh, [rax+rcx-1].text:0000000000400902 48 FF C1 inc rcx.text:0000000000400905 80 FE FB cmp dh, 0FBh.text:0000000000400908 74 EC jz short L3_64.text:000000000040090A 80 FB 90 cmp bl, 90h.text:000000000040090D 75 E7 jnz short L3_64.text:000000000040090F 90 nop.text:0000000000400910 48 8D 04 08 lea rax, [rax+rcx].text:0000000000400914 48 2D 80 00 00 00 sub rax, 80h.text:000000000040091A 48 31 C9 xor rcx, rcx.text:000000000040091D.text:000000000040091D LEn2_64: ; CODE XREF: .text:000000000040092C↓j.text:000000000040091D 8A 1C 08 mov bl, [rax+rcx].text:0000000000400920 30 D3 xor bl, dl.text:0000000000400922 88 1C 08 mov [rax+rcx], bl.text:0000000000400925 48 FF C1 inc rcx.text:0000000000400928 48 83 F9 20 cmp rcx, 20h.text:000000000040092C 7C EF jl short LEn2_64.text:000000000040092E 48 05 80 00 00 00 add rax, 80h.text:0000000000400934 48 31 C9 xor rcx, rcx.text:0000000000400937 48 FF C6 inc rsi.text:000000000040093A 32 14 0E xor dl, [rsi+rcx].text:000000000040093D.text:000000000040093D L4_64: ; CODE XREF: .text:000000000040094F↓j.text:000000000040093D 8A 1C 08 mov bl, [rax+rcx].text:0000000000400940 30 D3 xor bl, dl.text:0000000000400942 88 1C 08 mov [rax+rcx], bl.text:0000000000400945 8A 74 08 FF mov dh, [rax+rcx-1].text:0000000000400949 48 FF C1 inc rcx.text:000000000040094C 80 FE FB cmp dh, 0FBh.text:000000000040094F 74 EC jz short L4_64.text:0000000000400951 80 FB 90 cmp bl, 90h.text:0000000000400954 75 E7 jnz short L4_64.text:0000000000400956 90 nop.text:00000000004009DC 48 8D 04 08 lea rax, [rax+rcx].text:00000000004009E0 48 2D C0 00 00 00 sub rax, 0C0h.text:00000000004009E6 48 31 C9 xor rcx, rcx.text:00000000004009E9.text:00000000004009E9 LEn5_64: ; CODE XREF: .text:00000000004009F8↓j.text:00000000004009E9 8A 1C 08 mov bl, [rax+rcx].text:00000000004009EC 30 D3 xor bl, dl.text:00000000004009EE 88 1C 08 mov [rax+rcx], bl.text:00000000004009F1 48 FF C1 inc rcx.text:00000000004009F4 48 83 F9 20 cmp rcx, 20h.text:00000000004009F8 7C EF jl short LEn5_64.text:00000000004009FA 48 C7 C0 01 00 00 00 mov rax, 1.text:0000000000400A01 48 C7 C2 05 00 00 00 mov rdx, 5.text:0000000000400A08 48 8D 34 25 58 10 60 00 lea rsi, szCh2 ; "wow!\n".text:0000000000400A10 48 89 C7 mov rdi, rax.text:0000000000400A13 0F 05 syscall ; LINUX - sys_write.text:0000000000400A15 BF 00 00 00 00 mov edi, 0.text:0000000000400A1A E8 B1 FB FF FF call _fflush.text:0000000000400A1F 48 39 C0 cmp rax, rax.text:0000000000400A22.text:0000000000400A22 L_J0:.text:0000000000400A22 75 12 jnz short near ptr loc_400A33+3.text:0000000000400A24 E8 00 00 00 00 call $+5.text:0000000000400A29.text:0000000000400A29 L_J1:.text:0000000000400A29 58 pop rax.text:0000000000400A2A 48 83 C0 07 add rax, 7.text:0000000000400A2E FF E0 jmp rax.text:0000000000400A30 ; ---------------------------------------------------------------------------.text:0000000000400A30 48 31 C0 xor rax, rax.text:0000000000400A33.text:0000000000400A33 loc_400A33: ; CODE XREF: .text:L_J0↑j.text:0000000000400A33 48 C7 C2 1A 00 00 00 mov rdx, 1Ah.text:0000000000400A3A 48 89 E6 mov rsi, rsp.text:0000000000400A3D 48 89 24 25 88 10 60 00 mov ds:lpGoble, rsp.text:0000000000400A45 48 89 C7 mov rdi, rax.text:0000000000400A48 0F 05 syscall ; LINUX - sys_read.text:0000000000400A4A 48 8B 05 37 06 20 00 mov rax, cs:lpGoble.text:0000000000400A51 48 89 C7 mov rdi, rax.text:0000000000400A54 B8 00 00 00 00 mov eax, 0.text:0000000000400A59 E8 52 FB FF FF call _printf.text:0000000000400A5E 48 31 C0 xor rax, rax.text:0000000000400A61 48 C7 C2 00 02 00 00 mov rdx, 200h.text:0000000000400A68 48 8D 74 24 E0 lea rsi, [rsp-20h].text:0000000000400A6D 48 89 C7 mov rdi, rax.text:0000000000400A70 0F 05 syscall ; LINUX - sys_read.text:0000000000400A72 90 nop.text:0000000000400A73 E8 00 00 00 00 call $+5.text:0000000000400A78.text:0000000000400A78 L_en:.text:0000000000400A78 58 pop rax.text:0000000000400A79 48 83 C0 07 add rax, 7.text:0000000000400A7D FF E0 jmp rax.text:0000000000400A7F ; ---------------------------------------------------------------------------.text:0000000000400A7F 48 C1 F8 0C sar rax, 0Ch.text:0000000000400A83 48 C1 E0 0C shl rax, 0Ch.text:0000000000400A87 48 89 C7 mov rdi, rax.text:0000000000400A8A 48 C7 C2 05 00 00 00 mov rdx, 5.text:0000000000400A91 48 C7 C0 0A 00 00 00 mov rax, 0Ah.text:0000000000400A98 48 C7 C6 00 10 00 00 mov rsi, 1000h.text:0000000000400A9F 0F 05 syscall ; LINUX - sys_mprotect.text:0000000000400AA1 B8 00 00 00 00 mov eax, 0.text:0000000000400AA6 48 8B 55 F8 mov rdx, [rbp-8].text:0000000000400AAA 64 48 33 14 25 28 00 00+xor rdx, fs:28h.text:0000000000400AB3 74 05 jz short locret_400ABA.text:0000000000400AB5 E8 D6 FA FF FF call ___stack_chk_fail.text:0000000000400ABA ; ---------------------------------------------------------------------------.text:0000000000400ABA.text:0000000000400ABA locret_400ABA: ; CODE XREF: .text:0000000000400AB3↑j.text:0000000000400ABA C9 leave.text:0000000000400ABB C3 retn.text:0000000000400ABB ; } // starts at 400794 |
根据其判断条件:
1 2 3 | .text:0000000000400875 cmp dh, 0FBh 前一个字符.text:0000000000400878 jz short L1_64.text:000000000040087A cmp bl, 90h 当前字符 |
前一个字符异或之后是0xfb 当前字符异或之后是0x90 异或的key是一样的。
1 2 3 | .text:0000000000400875 cmp dh, 0FBh 前一个字符.text:0000000000400878 jz short L1_64.text:000000000040087A cmp bl, 90h 当前字符 |
前一个字符异或之后是0xfb 当前字符异或之后是0x90 异或的key是一样的。
根据这个条件,可以得到前五个字符。
最后一个比较
1 | .text:00000000004008C3 80 FB 90 cmp bl, 90h |
只检测了当前字符还原后是0x90,要解压的内容:
1 | .text:00000000004008C3 80 FB 90 cmp bl, 90h |
|
|
|---|---|
