01_lab1_记录

这里主要是记录,台湾大佬Angelboy的pwn的练习题,链接https://github.com/scwuaptx/HITCON-Training

lab1

题目代码

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h> 



void get_flag(){
	int fd ;
	int password;
	int magic ;
	char key[] = "Do_you_know_why_my_teammate_Orange_is_so_angry???";
	char cipher[] = {7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 66};
	fd = open("/dev/urandom",0);
	read(fd,&password,4);
	printf("Give me maigc :");
	scanf("%d",&magic);
	if(password == magic){
		for(int i = 0 ; i < sizeof(cipher) ; i++){
			printf("%c",cipher[i]^key[i]);
		}
	}
}


int main(){
	setvbuf(stdout,0,2,0);
	get_flag();
	return 0 ;
}

代码就不解释了,主要解释一下我们想干什么?就是想跳过if判断,直接获得字符串,接下来就是怎么获得字符串?

方法一,直接python实现–自己解密呗

key = "Do_you_know_why_my_teammate_Orange_is_so_angry???"
cipher = [7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 66]
i = 0
flag = ""
while(i<len(key)):
    c = ord(key[i]^cipher[i])
    #ord()函数可以返回对应字符的ASCII数值或者Unicode数值
    flag += chr(c)
    i += 1
print(flag)

多说一句哈,简单介绍一下函数ord()chr(),这里直接附图吧,可以吧
在这里插入图片描述

方法二 gdb调试

多说一句,这里的gdb调试可以使用peda(自己可以查查了解一下)
if判断之前,password已经写入寄存器了,我们直接从寄存器里获取,然后给magic赋值就好了
然后就直接gdb调试了,大家可以直接看代码就好,这个或许更直接

# oldthree @ ubuntu in ~/xxm/angelboy/LAB/lab1 [9:36:28] 
$ gcc -g -m32 -o sys1 sysmagic.c 

# oldthree @ ubuntu in ~/xxm/angelboy/LAB/lab1 [9:37:03] 
$ gcc -q sys1                   
gcc: error: unrecognized command line option ‘-q’

# oldthree @ ubuntu in ~/xxm/angelboy/LAB/lab1 [9:37:12] C:1
$ gdb -q sys1
Reading symbols from sys1...done.
gdb-peda$ disassemble get_flag 
Dump of assembler code for function get_flag:
   0x0804859b <+0>:	push   ebp
   0x0804859c <+1>:	mov    ebp,esp
   0x0804859e <+3>:	sub    esp,0x88
   0x080485a4 <+9>:	mov    eax,gs:0x14
   0x080485aa <+15>:	mov    DWORD PTR [ebp-0xc],eax
   0x080485ad <+18>:	xor    eax,eax
   0x080485af <+20>:	mov    DWORD PTR [ebp-0x3e],0x795f6f44
   0x080485b6 <+27>:	mov    DWORD PTR [ebp-0x3a],0x6b5f756f
   0x080485bd <+34>:	mov    DWORD PTR [ebp-0x36],0x5f776f6e
   0x080485c4 <+41>:	mov    DWORD PTR [ebp-0x32],0x5f796877
   0x080485cb <+48>:	mov    DWORD PTR [ebp-0x2e],0x745f796d
   0x080485d2 <+55>:	mov    DWORD PTR [ebp-0x2a],0x6d6d6165
   0x080485d9 <+62>:	mov    DWORD PTR [ebp-0x26],0x5f657461
   0x080485e0 <+69>:	mov    DWORD PTR [ebp-0x22],0x6e61724f
   0x080485e7 <+76>:	mov    DWORD PTR [ebp-0x1e],0x695f6567
   0x080485ee <+83>:	mov    DWORD PTR [ebp-0x1a],0x6f735f73
   0x080485f5 <+90>:	mov    DWORD PTR [ebp-0x16],0x676e615f
   0x080485fc <+97>:	mov    DWORD PTR [ebp-0x12],0x3f3f7972
   0x08048603 <+104>:	mov    WORD PTR [ebp-0xe],0x3f
   0x08048609 <+110>:	mov    BYTE PTR [ebp-0x6f],0x7
   0x0804860d <+114>:	mov    BYTE PTR [ebp-0x6e],0x3b
   0x08048611 <+118>:	mov    BYTE PTR [ebp-0x6d],0x19
   0x08048615 <+122>:	mov    BYTE PTR [ebp-0x6c],0x2
   0x08048619 <+126>:	mov    BYTE PTR [ebp-0x6b],0xb
   0x0804861d <+130>:	mov    BYTE PTR [ebp-0x6a],0x10
   0x08048621 <+134>:	mov    BYTE PTR [ebp-0x69],0x3d
   0x08048625 <+138>:	mov    BYTE PTR [ebp-0x68],0x1e
   0x08048629 <+142>:	mov    BYTE PTR [ebp-0x67],0x9
   0x0804862d <+146>:	mov    BYTE PTR [ebp-0x66],0x8
   0x08048631 <+150>:	mov    BYTE PTR [ebp-0x65],0x12
   0x08048635 <+154>:	mov    BYTE PTR [ebp-0x64],0x2d
   0x08048639 <+158>:	mov    BYTE PTR [ebp-0x63],0x28
   0x0804863d <+162>:	mov    BYTE PTR [ebp-0x62],0x59
   0x08048641 <+166>:	mov    BYTE PTR [ebp-0x61],0xa
   0x08048645 <+170>:	mov    BYTE PTR [ebp-0x60],0x0
   0x08048649 <+174>:	mov    BYTE PTR [ebp-0x5f],0x1e
   0x0804864d <+178>:	mov    BYTE PTR [ebp-0x5e],0x16
   0x08048651 <+182>:	mov    BYTE PTR [ebp-0x5d],0x0
   0x08048655 <+186>:	mov    BYTE PTR [ebp-0x5c],0x4
   0x08048659 <+190>:	mov    BYTE PTR [ebp-0x5b],0x55
   0x0804865d <+194>:	mov    BYTE PTR [ebp-0x5a],0x16
   0x08048661 <+198>:	mov    BYTE PTR [ebp-0x59],0x8
   0x08048665 <+202>:	mov    BYTE PTR [ebp-0x58],0x1f
   0x08048669 <+206>:	mov    BYTE PTR [ebp-0x57],0x7
   0x0804866d <+210>:	mov    BYTE PTR [ebp-0x56],0x1
   0x08048671 <+214>:	mov    BYTE PTR [ebp-0x55],0x9
   0x08048675 <+218>:	mov    BYTE PTR [ebp-0x54],0x0
   0x08048679 <+222>:	mov    BYTE PTR [ebp-0x53],0x7e
   0x0804867d <+226>:	mov    BYTE PTR [ebp-0x52],0x1c
   0x08048681 <+230>:	mov    BYTE PTR [ebp-0x51],0x3e
   0x08048685 <+234>:	mov    BYTE PTR [ebp-0x50],0xa
   0x08048689 <+238>:	mov    BYTE PTR [ebp-0x4f],0x1e
   0x0804868d <+242>:	mov    BYTE PTR [ebp-0x4e],0xb
   0x08048691 <+246>:	mov    BYTE PTR [ebp-0x4d],0x6b
   0x08048695 <+250>:	mov    BYTE PTR [ebp-0x4c],0x4
   0x08048699 <+254>:	mov    BYTE PTR [ebp-0x4b],0x42
   0x0804869d <+258>:	mov    BYTE PTR [ebp-0x4a],0x3c
   0x080486a1 <+262>:	mov    BYTE PTR [ebp-0x49],0x2c
   0x080486a5 <+266>:	mov    BYTE PTR [ebp-0x48],0x5b
   0x080486a9 <+270>:	mov    BYTE PTR [ebp-0x47],0x31
   0x080486ad <+274>:	mov    BYTE PTR [ebp-0x46],0x55
   0x080486b1 <+278>:	mov    BYTE PTR [ebp-0x45],0x2
   0x080486b5 <+282>:	mov    BYTE PTR [ebp-0x44],0x1e
   0x080486b9 <+286>:	mov    BYTE PTR [ebp-0x43],0x21
   0x080486bd <+290>:	mov    BYTE PTR [ebp-0x42],0x10
   0x080486c1 <+294>:	mov    BYTE PTR [ebp-0x41],0x4c
   0x080486c5 <+298>:	mov    BYTE PTR [ebp-0x40],0x1e
   0x080486c9 <+302>:	mov    BYTE PTR [ebp-0x3f],0x42
   0x080486cd <+306>:	sub    esp,0x8
   0x080486d0 <+309>:	push   0x0
   0x080486d2 <+311>:	push   0x8048830
   0x080486d7 <+316>:	call   0x8048440 <open@plt>
   0x080486dc <+321>:	add    esp,0x10
   0x080486df <+324>:	mov    DWORD PTR [ebp-0x74],eax
   0x080486e2 <+327>:	sub    esp,0x4
   0x080486e5 <+330>:	push   0x4
   0x080486e7 <+332>:	lea    eax,[ebp-0x80]
   0x080486ea <+335>:	push   eax
   0x080486eb <+336>:	push   DWORD PTR [ebp-0x74]
   0x080486ee <+339>:	call   0x8048410 <read@plt>
   0x080486f3 <+344>:	add    esp,0x10
   0x080486f6 <+347>:	sub    esp,0xc
   0x080486f9 <+350>:	push   0x804883d
   0x080486fe <+355>:	call   0x8048420 <printf@plt>
   0x08048703 <+360>:	add    esp,0x10
   0x08048706 <+363>:	sub    esp,0x8
   0x08048709 <+366>:	lea    eax,[ebp-0x7c]
   0x0804870c <+369>:	push   eax
   0x0804870d <+370>:	push   0x804884d
   0x08048712 <+375>:	call   0x8048480 <__isoc99_scanf@plt>
   0x08048717 <+380>:	add    esp,0x10
   0x0804871a <+383>:	mov    edx,DWORD PTR [ebp-0x80]
   0x0804871d <+386>:	mov    eax,DWORD PTR [ebp-0x7c]
   0x08048720 <+389>:	cmp    edx,eax
   0x08048722 <+391>:	jne    0x8048760 <get_flag+453>
   0x08048724 <+393>:	mov    DWORD PTR [ebp-0x78],0x0
   0x0804872b <+400>:	jmp    0x8048758 <get_flag+445>
   0x0804872d <+402>:	lea    edx,[ebp-0x6f]
   0x08048730 <+405>:	mov    eax,DWORD PTR [ebp-0x78]
   0x08048733 <+408>:	add    eax,edx
   0x08048735 <+410>:	movzx  ecx,BYTE PTR [eax]
   0x08048738 <+413>:	lea    edx,[ebp-0x3e]
   0x0804873b <+416>:	mov    eax,DWORD PTR [ebp-0x78]
   0x0804873e <+419>:	add    eax,edx
   0x08048740 <+421>:	movzx  eax,BYTE PTR [eax]
   0x08048743 <+424>:	xor    eax,ecx
   0x08048745 <+426>:	movsx  eax,al
   0x08048748 <+429>:	sub    esp,0xc
   0x0804874b <+432>:	push   eax
   0x0804874c <+433>:	call   0x8048470 <putchar@plt>
   0x08048751 <+438>:	add    esp,0x10
   0x08048754 <+441>:	add    DWORD PTR [ebp-0x78],0x1
   0x08048758 <+445>:	mov    eax,DWORD PTR [ebp-0x78]
   0x0804875b <+448>:	cmp    eax,0x30
   0x0804875e <+451>:	jbe    0x804872d <get_flag+402>
   0x08048760 <+453>:	nop
   0x08048761 <+454>:	mov    eax,DWORD PTR [ebp-0xc]
   0x08048764 <+457>:	xor    eax,DWORD PTR gs:0x14
   0x0804876b <+464>:	je     0x8048772 <get_flag+471>
   0x0804876d <+466>:	call   0x8048430 <__stack_chk_fail@plt>
   0x08048772 <+471>:	leave  
   0x08048773 <+472>:	ret    
End of assembler dump.
gdb-peda$ b get_flag + 389
Function "get_flag + 389" not defined.
gdb-peda$ b *get_flag + 389 (解释:在if判断之前下断点)
Breakpoint 1 at 0x8048720: file sysmagic.c, line 19.
gdb-peda$ r aaa
Starting program: /home/oldthree/xxm/angelboy/LAB/lab1/sys1 aaa
Give me maigc :aaa

[----------------------------------registers-----------------------------------]
EAX: 0xf7fb5000 --> 0x1afdb0 
EBX: 0x0 
ECX: 0x0 
EDX: 0x4feff4f0 
ESI: 0xf7fb5000 --> 0x1afdb0 
EDI: 0xf7fb5000 --> 0x1afdb0 
EBP: 0xffffcd88 --> 0xffffcd98 --> 0x0 
ESP: 0xffffcd00 --> 0x804a020 --> 0xf7e64810 (<setvbuf>:	push   ebp)
EIP: 0x8048720 (<get_flag+389>:	cmp    edx,eax)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048717 <get_flag+380>:	add    esp,0x10
   0x804871a <get_flag+383>:	mov    edx,DWORD PTR [ebp-0x80]
   0x804871d <get_flag+386>:	mov    eax,DWORD PTR [ebp-0x7c]
=> 0x8048720 <get_flag+389>:	cmp    edx,eax
   0x8048722 <get_flag+391>:	jne    0x8048760 <get_flag+453>
   0x8048724 <get_flag+393>:	mov    DWORD PTR [ebp-0x78],0x0
   0x804872b <get_flag+400>:	jmp    0x8048758 <get_flag+445>
   0x804872d <get_flag+402>:	lea    edx,[ebp-0x6f]
[------------------------------------stack-------------------------------------]
0000| 0xffffcd00 --> 0x804a020 --> 0xf7e64810 (<setvbuf>:	push   ebp)
0004| 0xffffcd04 --> 0xf7fe78a2 (mov    edi,eax)
0008| 0xffffcd08 --> 0x4feff4f0 
0012| 0xffffcd0c --> 0xf7fb5000 --> 0x1afdb0 
0016| 0xffffcd10 --> 0xf7fb5d60 --> 0xfbad2887 
0020| 0xffffcd14 --> 0x3 
0024| 0xffffcd18 --> 0x193b0778 
0028| 0xffffcd1c --> 0x3d100b02 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x08048720 in get_flag () at sysmagic.c:19
19		if(password == magic){
gdb-peda$ set $edx = $eax
gdb-peda$ c
Continuing.
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}[Inferior 1 (process 21828) exited normally]
Warning: not running

还可以在password放入寄存器的时候下断点。下面也是gdb调试

# oldthree @ ubuntu in ~/xxm/angelboy/LAB/lab1 [9:48:45] 
$ gdb -q sys1
Reading symbols from sys1...done.
gdb-peda$ disassemble get_flag 
Dump of assembler code for function get_flag:
   0x0804859b <+0>:	push   ebp
   0x0804859c <+1>:	mov    ebp,esp
   0x0804859e <+3>:	sub    esp,0x88
   0x080485a4 <+9>:	mov    eax,gs:0x14
   0x080485aa <+15>:	mov    DWORD PTR [ebp-0xc],eax
   0x080485ad <+18>:	xor    eax,eax
   0x080485af <+20>:	mov    DWORD PTR [ebp-0x3e],0x795f6f44
   0x080485b6 <+27>:	mov    DWORD PTR [ebp-0x3a],0x6b5f756f
   0x080485bd <+34>:	mov    DWORD PTR [ebp-0x36],0x5f776f6e
   0x080485c4 <+41>:	mov    DWORD PTR [ebp-0x32],0x5f796877
   0x080485cb <+48>:	mov    DWORD PTR [ebp-0x2e],0x745f796d
   0x080485d2 <+55>:	mov    DWORD PTR [ebp-0x2a],0x6d6d6165
   0x080485d9 <+62>:	mov    DWORD PTR [ebp-0x26],0x5f657461
   0x080485e0 <+69>:	mov    DWORD PTR [ebp-0x22],0x6e61724f
   0x080485e7 <+76>:	mov    DWORD PTR [ebp-0x1e],0x695f6567
   0x080485ee <+83>:	mov    DWORD PTR [ebp-0x1a],0x6f735f73
   0x080485f5 <+90>:	mov    DWORD PTR [ebp-0x16],0x676e615f
   0x080485fc <+97>:	mov    DWORD PTR [ebp-0x12],0x3f3f7972
   0x08048603 <+104>:	mov    WORD PTR [ebp-0xe],0x3f
   0x08048609 <+110>:	mov    BYTE PTR [ebp-0x6f],0x7
   0x0804860d <+114>:	mov    BYTE PTR [ebp-0x6e],0x3b
   0x08048611 <+118>:	mov    BYTE PTR [ebp-0x6d],0x19
   0x08048615 <+122>:	mov    BYTE PTR [ebp-0x6c],0x2
   0x08048619 <+126>:	mov    BYTE PTR [ebp-0x6b],0xb
   0x0804861d <+130>:	mov    BYTE PTR [ebp-0x6a],0x10
   0x08048621 <+134>:	mov    BYTE PTR [ebp-0x69],0x3d
   0x08048625 <+138>:	mov    BYTE PTR [ebp-0x68],0x1e
   0x08048629 <+142>:	mov    BYTE PTR [ebp-0x67],0x9
   0x0804862d <+146>:	mov    BYTE PTR [ebp-0x66],0x8
   0x08048631 <+150>:	mov    BYTE PTR [ebp-0x65],0x12
   0x08048635 <+154>:	mov    BYTE PTR [ebp-0x64],0x2d
   0x08048639 <+158>:	mov    BYTE PTR [ebp-0x63],0x28
   0x0804863d <+162>:	mov    BYTE PTR [ebp-0x62],0x59
   0x08048641 <+166>:	mov    BYTE PTR [ebp-0x61],0xa
   0x08048645 <+170>:	mov    BYTE PTR [ebp-0x60],0x0
   0x08048649 <+174>:	mov    BYTE PTR [ebp-0x5f],0x1e
   0x0804864d <+178>:	mov    BYTE PTR [ebp-0x5e],0x16
   0x08048651 <+182>:	mov    BYTE PTR [ebp-0x5d],0x0
   0x08048655 <+186>:	mov    BYTE PTR [ebp-0x5c],0x4
   0x08048659 <+190>:	mov    BYTE PTR [ebp-0x5b],0x55
   0x0804865d <+194>:	mov    BYTE PTR [ebp-0x5a],0x16
   0x08048661 <+198>:	mov    BYTE PTR [ebp-0x59],0x8
   0x08048665 <+202>:	mov    BYTE PTR [ebp-0x58],0x1f
   0x08048669 <+206>:	mov    BYTE PTR [ebp-0x57],0x7
   0x0804866d <+210>:	mov    BYTE PTR [ebp-0x56],0x1
   0x08048671 <+214>:	mov    BYTE PTR [ebp-0x55],0x9
   0x08048675 <+218>:	mov    BYTE PTR [ebp-0x54],0x0
   0x08048679 <+222>:	mov    BYTE PTR [ebp-0x53],0x7e
   0x0804867d <+226>:	mov    BYTE PTR [ebp-0x52],0x1c
   0x08048681 <+230>:	mov    BYTE PTR [ebp-0x51],0x3e
   0x08048685 <+234>:	mov    BYTE PTR [ebp-0x50],0xa
   0x08048689 <+238>:	mov    BYTE PTR [ebp-0x4f],0x1e
   0x0804868d <+242>:	mov    BYTE PTR [ebp-0x4e],0xb
   0x08048691 <+246>:	mov    BYTE PTR [ebp-0x4d],0x6b
   0x08048695 <+250>:	mov    BYTE PTR [ebp-0x4c],0x4
   0x08048699 <+254>:	mov    BYTE PTR [ebp-0x4b],0x42
   0x0804869d <+258>:	mov    BYTE PTR [ebp-0x4a],0x3c
   0x080486a1 <+262>:	mov    BYTE PTR [ebp-0x49],0x2c
   0x080486a5 <+266>:	mov    BYTE PTR [ebp-0x48],0x5b
   0x080486a9 <+270>:	mov    BYTE PTR [ebp-0x47],0x31
   0x080486ad <+274>:	mov    BYTE PTR [ebp-0x46],0x55
   0x080486b1 <+278>:	mov    BYTE PTR [ebp-0x45],0x2
   0x080486b5 <+282>:	mov    BYTE PTR [ebp-0x44],0x1e
   0x080486b9 <+286>:	mov    BYTE PTR [ebp-0x43],0x21
   0x080486bd <+290>:	mov    BYTE PTR [ebp-0x42],0x10
   0x080486c1 <+294>:	mov    BYTE PTR [ebp-0x41],0x4c
   0x080486c5 <+298>:	mov    BYTE PTR [ebp-0x40],0x1e
   0x080486c9 <+302>:	mov    BYTE PTR [ebp-0x3f],0x42
   0x080486cd <+306>:	sub    esp,0x8
   0x080486d0 <+309>:	push   0x0
   0x080486d2 <+311>:	push   0x8048830
   0x080486d7 <+316>:	call   0x8048440 <open@plt>
   0x080486dc <+321>:	add    esp,0x10
   0x080486df <+324>:	mov    DWORD PTR [ebp-0x74],eax
   0x080486e2 <+327>:	sub    esp,0x4
   0x080486e5 <+330>:	push   0x4
   0x080486e7 <+332>:	lea    eax,[ebp-0x80]
   0x080486ea <+335>:	push   eax
   0x080486eb <+336>:	push   DWORD PTR [ebp-0x74]
   0x080486ee <+339>:	call   0x8048410 <read@plt>
   0x080486f3 <+344>:	add    esp,0x10
   0x080486f6 <+347>:	sub    esp,0xc
   0x080486f9 <+350>:	push   0x804883d
   0x080486fe <+355>:	call   0x8048420 <printf@plt>
   0x08048703 <+360>:	add    esp,0x10
   0x08048706 <+363>:	sub    esp,0x8
   0x08048709 <+366>:	lea    eax,[ebp-0x7c]
   0x0804870c <+369>:	push   eax
   0x0804870d <+370>:	push   0x804884d
   0x08048712 <+375>:	call   0x8048480 <__isoc99_scanf@plt>
   0x08048717 <+380>:	add    esp,0x10
   0x0804871a <+383>:	mov    edx,DWORD PTR [ebp-0x80]
   0x0804871d <+386>:	mov    eax,DWORD PTR [ebp-0x7c]
   0x08048720 <+389>:	cmp    edx,eax
   0x08048722 <+391>:	jne    0x8048760 <get_flag+453>
   0x08048724 <+393>:	mov    DWORD PTR [ebp-0x78],0x0
   0x0804872b <+400>:	jmp    0x8048758 <get_flag+445>
   0x0804872d <+402>:	lea    edx,[ebp-0x6f]
   0x08048730 <+405>:	mov    eax,DWORD PTR [ebp-0x78]
   0x08048733 <+408>:	add    eax,edx
   0x08048735 <+410>:	movzx  ecx,BYTE PTR [eax]
   0x08048738 <+413>:	lea    edx,[ebp-0x3e]
   0x0804873b <+416>:	mov    eax,DWORD PTR [ebp-0x78]
   0x0804873e <+419>:	add    eax,edx
   0x08048740 <+421>:	movzx  eax,BYTE PTR [eax]
   0x08048743 <+424>:	xor    eax,ecx
   0x08048745 <+426>:	movsx  eax,al
   0x08048748 <+429>:	sub    esp,0xc
   0x0804874b <+432>:	push   eax
   0x0804874c <+433>:	call   0x8048470 <putchar@plt>
   0x08048751 <+438>:	add    esp,0x10
   0x08048754 <+441>:	add    DWORD PTR [ebp-0x78],0x1
   0x08048758 <+445>:	mov    eax,DWORD PTR [ebp-0x78]
   0x0804875b <+448>:	cmp    eax,0x30
   0x0804875e <+451>:	jbe    0x804872d <get_flag+402>
   0x08048760 <+453>:	nop
   0x08048761 <+454>:	mov    eax,DWORD PTR [ebp-0xc]
   0x08048764 <+457>:	xor    eax,DWORD PTR gs:0x14
   0x0804876b <+464>:	je     0x8048772 <get_flag+471>
   0x0804876d <+466>:	call   0x8048430 <__stack_chk_fail@plt>
   0x08048772 <+471>:	leave  
   0x08048773 <+472>:	ret    
End of assembler dump.
gdb-peda$ b *get_flag +355
Breakpoint 1 at 0x80486fe: file sysmagic.c, line 17.
gdb-peda$ r
Starting program: /home/oldthree/xxm/angelboy/LAB/lab1/sys1 

[----------------------------------registers-----------------------------------]
EAX: 0x4 
EBX: 0x0 
ECX: 0xffffcd18 --> 0xddc330b7 
EDX: 0x4 
ESI: 0xf7fb5000 --> 0x1afdb0 
EDI: 0xf7fb5000 --> 0x1afdb0 
EBP: 0xffffcd98 --> 0xffffcda8 --> 0x0 
ESP: 0xffffcd00 --> 0x804883d ("Give me maigc :")
EIP: 0x80486fe (<get_flag+355>:	call   0x8048420 <printf@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80486f3 <get_flag+344>:	add    esp,0x10
   0x80486f6 <get_flag+347>:	sub    esp,0xc
   0x80486f9 <get_flag+350>:	push   0x804883d
=> 0x80486fe <get_flag+355>:	call   0x8048420 <printf@plt>
   0x8048703 <get_flag+360>:	add    esp,0x10
   0x8048706 <get_flag+363>:	sub    esp,0x8
   0x8048709 <get_flag+366>:	lea    eax,[ebp-0x7c]
   0x804870c <get_flag+369>:	push   eax
Guessed arguments:
arg[0]: 0x804883d ("Give me maigc :")
[------------------------------------stack-------------------------------------]
0000| 0xffffcd00 --> 0x804883d ("Give me maigc :")
0004| 0xffffcd04 --> 0xffffcd18 --> 0xddc330b7 
0008| 0xffffcd08 --> 0x4 
0012| 0xffffcd0c --> 0xf7ffd918 --> 0x0 
0016| 0xffffcd10 --> 0x804a020 --> 0xf7e64810 (<setvbuf>:	push   ebp)
0020| 0xffffcd14 --> 0xf7fe78a2 (mov    edi,eax)
0024| 0xffffcd18 --> 0xddc330b7 
0028| 0xffffcd1c --> 0xf7fb5000 --> 0x1afdb0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x080486fe in get_flag () at sysmagic.c:17
17		printf("Give me maigc :");
gdb-peda$ x/d $ebp -0x80
0xffffcd18:	-574410569
gdb-peda$ c 
Continuing.
Give me maigc :-574410569
CTF{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis!}[Inferior 1 (process 21878) exited normally]
Warning: not running

这里解释一下,为啥是x/d $ebp=0x80,主要是因为
在这里插入图片描述

第一个mov的意思是:把ebp-0x80里的汁放置到寄存器edx;第二个mov的意思是:把ebp-0x7c的值放到寄存器eaxcmp的意思是寄存器edxeax的比较是否相等。而代码中:
在这里插入图片描述

ifpasswordmagic比较,而password的值放到了寄存器edx,这也是为什么我们要看ebp-0x80的值

致谢:
-1.Hitcon-Training lab1-lab15

-2. angelboy-pwn1

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

©️2021 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值