1625-5 Wang Zi'ang  Summary for 2017-09-03  [Daily summary, day 335 in a row]
A. WarGames-Behemoth
B.
Level 0
Similar to narnia, except this time no source is given, so just pull the binary down and decompile it:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t v3; // eax@1
  int result; // eax@4
  int v5; // edx@4
  signed int v6; // [sp+1Fh] [bp-51h]@1   obfuscated password: three dwords stored back-to-back
  signed int v7; // [sp+23h] [bp-4Dh]@1
  signed int v8; // [sp+27h] [bp-49h]@1
  char v9; // [sp+2Bh] [bp-45h]@1          input buffer, 0x41 = 65 bytes below the canary
  int v10; // [sp+6Ch] [bp-4h]@1           stack canary

  v10 = *MK_FP(__GS__, 20);
  v6 = 'G^KO';   // IDA prints multi-char constants MSB first; x86 is little-endian,
  v7 = 'EBYS';   // so memory actually holds "OK^G" "SYBE" "X^Y\0"
  v8 = 'Y^X';
  printf("Password: ");
  __isoc99_scanf("%64s", &v9);            // 64 chars + NUL exactly fit the 65-byte buffer: no overflow here
  v3 = strlen((const char *)&v6);
  memfrob(&v6, v3);                       // XOR every byte with 42, turning the string into the real password
  if ( !strcmp(&v9, (const char *)&v6) )  // plaintext comparison, so the decoded password is visible to ltrace
  {
    puts("Access granted..");
    execl("/bin/sh", "sh", 0);
  }
  else
  {
    puts("Access denied..");
  }
  result = 0;
  v5 = *MK_FP(__GS__, 20) ^ v10;          // canary check
  return result;
}
This is the usual reversing pattern: the password is not stored in the clear; memfrob() transforms the stored string at runtime and the result is compared against the input.
Searching Baidu for memfrob only turns up "it encodes memory" with no details, and even the downloaded Linux C manual was missing exactly this one function. (It is a GNU libc extension that XORs every byte of the buffer with 42; since XOR with a constant is its own inverse, the same call both hides and reveals the string, which is why the binary only needs to call it once.)
Since the exact transform doesn't matter, just apply the same operation to the same string ourselves:
#define _GNU_SOURCE          /* memfrob() is a GNU extension declared in <string.h> */
#include <stdio.h>
#include <string.h>

int main(void)
{
    char a[] = "OK^GSYBEX^Y";   /* the three stack dwords in memory order */
    int n = strlen(a);
    memfrob(a, n);              /* same call the binary makes: XOR each byte with 42 */
    puts(a);                    /* puts(), not printf(a): never use data as a format string */
    return 0;
}
eatmyshorts
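To make the "no documentation" point concrete, here is an added example (my own code, not part of the original write-up) that re-implements the memfrob transform portably, rebuilds the obfuscated string from the three little-endian dwords the decompiler showed, and replays the binary's strlen-then-frob sequence. The function and variable names (xor42, stack_words_to_string, behemoth0_words, behemoth0_password) are my own; the constants are the ones from the decompiled main() above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for glibc's memfrob(): XOR every byte with 42 (0x2A).
 * XOR with a constant is an involution, so calling this twice on the same
 * buffer restores it; that is why one call both hides and reveals the password. */
void *xor42(void *s, size_t n)
{
    unsigned char *p = s;
    for (size_t i = 0; i < n; i++)
        p[i] ^= 42;
    return s;
}

/* Rebuild the obfuscated password from the stack dwords the decompiler printed
 * as 'G^KO', 'EBYS' and 'Y^X'. IDA shows a multi-character constant with its
 * most significant byte first, but x86 stores it little-endian, so the bytes
 * actually on the stack read "OK^G" "SYBE" "X^Y\0". Returns strlen() of the
 * assembled string, i.e. the length the binary passes to memfrob(). */
size_t stack_words_to_string(const uint32_t *words, size_t nwords,
                             char *out, size_t outsz)
{
    size_t len = 0;
    for (size_t i = 0; i < nwords; i++) {
        for (int b = 0; b < 4; b++) {
            if (len + 1 >= outsz)      /* always leave room for the terminator */
                break;
            out[len++] = (char)((words[i] >> (8 * b)) & 0xff);
        }
    }
    out[len] = '\0';
    return strlen(out);                /* stops at the NUL inside 'Y^X' */
}

/* The three constants from the decompiled main(), in assignment order (v6, v7, v8),
 * as the 32-bit immediates IDA displayed. */
static const uint32_t behemoth0_words[3] = {
    0x475E4B4Fu,   /* 'G^KO' -> "OK^G" in memory */
    0x45425953u,   /* 'EBYS' -> "SYBE" */
    0x00595E58u,   /* 'Y^X'  -> "X^Y\0" */
};

/* Replay exactly what behemoth0 does before strcmp(): strlen(), then frob in place.
 * Returns a pointer to a static buffer holding the real password. */
const char *behemoth0_password(void)
{
    static char buf[16];
    size_t n = stack_words_to_string(behemoth0_words, 3, buf, sizeof buf);
    xor42(buf, n);
    return buf;
}

int main(void)
{
    char scratch[16];
    stack_words_to_string(behemoth0_words, 3, scratch, sizeof scratch);
    printf("obfuscated: %s\n", scratch);              /* OK^GSYBEX^Y */
    printf("password:   %s\n", behemoth0_password()); /* eatmyshorts */

    /* Show the involution: frobbing the decoded password hides it again. */
    strcpy(scratch, behemoth0_password());
    xor42(scratch, strlen(scratch));
    printf("re-frobbed: %s\n", scratch);              /* OK^GSYBEX^Y */
    return 0;
}
```

Because the obfuscation is a fixed XOR, anyone who can read the binary can recover the password without running it; the runtime approaches below (ltrace, or simply calling the same libc function) just save the arithmetic.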
Then I remembered there is an even simpler way, one learned earlier:
behemoth0@behemoth:~$ ltrace /behemoth/behemoth0
__libc_start_main(0x80485a2, 1, 0xffffd7f4, 0x8048690<unfinished ...>
printf("Password: ") = 10
__isoc99_scanf(0x804876c, 0xffffd70b, 0xffffd700, 0x80482d2Password: 1
) = 1
strlen("OK^GSYBEX^Y") = 11
strcmp("1", "eatmyshorts") = -1
puts("Access denied.."Access denied..
) = 16
+++ exited (status 0) +++
ltrace traces the library calls the program makes and prints their arguments, so the second argument to strcmp is the already-decoded password: eatmyshorts
behemoth0@behemoth:~$ /behemoth/behemoth0
Password: eatmyshorts
Access granted..
$
whoami
behemoth1
$
cat /etc/behemoth_pass/behemoth1
aesebootiv
C. Plan for tomorrow
behemoth