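1. Opened in the PE tool: the file is not recognized
Identifying .exe, .dll, .elf and .so files
It turns out to be an ELF file, so remote debugging is needed.
Running it shows the following:
2. IDA
Locate main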
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  size_t v3; // rax
  int i; // [rsp+4h] [rbp-43Ch]
  size_t v6; // [rsp+8h] [rbp-438h]
  char v7[32]; // [rsp+10h] [rbp-430h] BYREF
  char v8[256]; // [rsp+30h] [rbp-410h] BYREF
  _BYTE v9[256]; // [rsp+130h] [rbp-310h] BYREF
  char s[520]; // [rsp+230h] [rbp-210h] BYREF
  unsigned __int64 v11; // [rsp+438h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  memset(v8, 0, sizeof(v8));
  strcpy(v9, "pisanbao");
  memset(&v9[9], 0, 247);
  memset(s, 0, 0x200uLL);
  s[0] = -117;
  s[1] = 99;
  s[2] = 115;
  s[3] = 93;
  s[4] = 87;
  s[5] = -23;
  s[6] = -24;
  s[7] = -109;
  s[8] = 82;
  s[9] = -90;
  s[10] = 7;
  s[11] = 111;
  s[12] = 48;
  s[13] = 12;
  s[14] = 119;
  s[15] = 60;
  s[16] = -3;
  s[17] = -60;
  s[18] = -101;
  s[19] = -80;
  s[20] = 24;
  s[21] = 9;
  s[22] = -113;
  s[23] = -12;
  v6 = strlen(s);
  v3 = strlen(v9);
  sub_7FA(v8, v9, v3);
  sub_9B4(v8, s, v6);
  puts("Remote Linux debugger");
  printf("plz input your flag:");
  __isoc99_scanf("%29s", v7);
  if ( strlen(v7) != 24 )
  {
    printf("wrong length");
    exit(0);
  }
  for ( i = 0; i <= 23; ++i )
  {
    if ( v7[i] != s[i] )
    {
      printf("GG");
      exit(0);
    }
  }
  printf("you win!!!");
  return 0LL;
}
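There is a lot of code, but it is not complicated: v7 is compared with s and the length is 24, so debugging to read the value of s is enough. (Copy the linux server from the dbgsrv directory under IDA into the virtual machine and start it.)
Press F2 to set a breakpoint and F9 to run, fill in the Linux server details, and debugging can begin.
Click s at marker 1, convert the variable at marker 2 to a string, and the flag is obtained.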
just_debug_it_2333
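
As an added example (not part of the original write-up): a short Python helper that rebuilds the initial contents of s from the decompiled assignments above, converting IDA's signed char values to bytes and applying strlen semantics to confirm that v6 is 24. These are the bytes before sub_9B4 runs, which is why the write-up reads s at the breakpoint instead; the names recover_buffer, c_strlen and initial_s are made up for this example.

```python
import re

# Initialiser statements for s, copied from the decompiled main() on this page
# (several statements per line to keep the sample short).
PSEUDOCODE = """
memset(s, 0, 0x200uLL);
s[0] = -117; s[1] = 99; s[2] = 115; s[3] = 93; s[4] = 87; s[5] = -23;
s[6] = -24; s[7] = -109; s[8] = 82; s[9] = -90; s[10] = 7; s[11] = 111;
s[12] = 48; s[13] = 12; s[14] = 119; s[15] = 60; s[16] = -3; s[17] = -60;
s[18] = -101; s[19] = -80; s[20] = 24; s[21] = 9; s[22] = -113; s[23] = -12;
"""


def recover_buffer(pseudocode, name, size):
    """Rebuild a zero-filled char array from `name[i] = value;` statements."""
    buf = bytearray(size)
    pattern = re.compile(
        r"\b%s\[(\d+)\]\s*=\s*(-?(?:0x[0-9A-Fa-f]+|\d+))\s*;" % re.escape(name)
    )
    for index, value in pattern.findall(pseudocode):
        i = int(index)
        if i >= size:
            raise ValueError("index %d is outside %s[%d]" % (i, name, size))
        # IDA prints char values as signed; keep only the low 8 bits.
        buf[i] = int(value, 0) & 0xFF
    return bytes(buf)


def c_strlen(buf):
    """Length up to the first NUL byte, as strlen() would report it."""
    end = buf.find(b"\x00")
    return len(buf) if end < 0 else end


def initial_s():
    """Bytes of s before sub_9B4 is called (s is declared as char s[520])."""
    buf = recover_buffer(PSEUDOCODE, "s", 520)
    return buf[:c_strlen(buf)]


if __name__ == "__main__":
    data = initial_s()
    print(len(data), data.hex())
```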