ムクソカクナケフçタハマロZ6ホ日モヒ4
クレルçアZエシネスフ74ーヨノ5ラ9ウ
ロモキナチヤカウ9ミハ・ノ日ユシマ7ク:
ア0ツコロリ3ヨルソンヘトネçク9ーレサ
4フツハヘワケ8ヤ01ホタエオ:ウメリク
1Zリナミアユワツトキタヤテçネノ8ケセ
ホイ7コセヒケ8日ラエリヲトタヤワ3テウ
.フナヌカニクキヒソーコ09セ1ホサヘワ
クカルムミヨニラテ・ネ8ヌオユハナ日9ア
ワコチキーヨクスムルツヘン.フ9タセアヲ
.7カウレ9ツ2テ1サノンモムクスローヌ
テZ6ヌキカソルウ.シ8日ハ59ツ2ニサ
ヨナシマロリヒ5ウヌアミエムン日3ス.ホ
セエホ3ユルZヘーオヲレニクカヤヒ:リソ
カチソ.ヲコ4クノケフオ5クス61タツレ
チムツZシイレ日3タ5クモリス6ユニソワ
ケ.ハオ0ナ65ヒクルソヨZレ32日モç
ユノ日ミチヨヘナ5タル4キ9ハイテヲマ0
Z97.レシウアクチロツフ35ーワケネラ
ンー5ケロラ:29モチスニクçワリ・コ0
ユ5ネセエヌールタラ・ケ.ヤヲナテホノウ
カモヌム4ク7ロウー.チメニヘヨ8ノルト
:ーヘ6ミ9日ホキロムコテヤサルヌイçラ
イセヘヤç8ケヒユモサーZマミンリアエホ
ç6エノホニシーヘムイメマヤセヒンヲ2Z
ナクスローモエフ1リサ4カ日テコヒ・ツニ
タキムチç日0ウワ6メコヘセユナツア4オ
カツレソ2ー7.ヒ8シçニタオトヌ4フネ
ホサヒソネ・タ0シロミコワー23トテスキ
ケ2ムレイラZユミツメヤ8・ニヨソロアナ
トミ29ワヌ4サクリラタカ86マZウルユ
ルフçニマチ.6タヘム8ヲレナテキノZイ
カルフンユリタヤ8ヒ:モヘコテオクエツワ
メ日42キアヲçZハシニナ1ムウコセネヨ
ト8セZ3オイークカ・ラタシニ0ノ2ツメ
カク8ヲ:テシト9キツ日6タエコムヘサ・
5ツソマオ・.フ279ロçホネメタ:ヌ4
ルスライZミソヒワ2ク3ト7ヨシ1ネ・日
ワ.シZユクー60ンタア・ツ3オクマ9チ
ネミ5Zムフ:ヨ2リウ7タ94キイマーシ
ナメユオヲ・サン7ホチレ04:9ヌç日ハ
.ムナタヒリオツニ48イ日エ0サウソ5テ
ノメワ5・モアスカ:ラムçキト日ク2ニケ
2ユ5çヤカヌコ9ロヨウシト0ノタリメオ
7タツヒ.エハ:ナワメーオリヨセ301・
シロ9タナニネワテホキヒクカ8ーセクハ.
:ラク8ノホテイ2.クモヤウシニールマヘ
イ日スルツキフヲ94ア3ワナネヘセクユ2
ラルワ8ヲセシ6ケチホムヒ・ミオサフエア
ソモヤーホタカ日・ンリミ.ネノメ:çマロ
ヌキイルニ84モコ7リク日ノ1ンメクレト
0クロçナ1ムモ9シエサ日ヲラコヌZハヤ
ヘチタンテキ1ロ4ユサツ0セクーカソホヤ
9オロチヒ0ネ6・:4çメハヲユニミワツ
キリ8ト:ヒルスオウカヌホ5ソニネラサナ
ナフマ7ーサシ・ユンワテミリラツヌZ02
モア4リ20ータム.Zヒラコスクヌソキツ
エ3ヒキ6タヨムミ1ーçスホメヌア2モソ
ノハキ8ウツサイ・ーチスオ4ロ7ルムラヒ
ンホスZハ9レーカケキトコヌル0.ウラヤ
日フ.05トテアシハナロニルワス29ヌレ
キム3ホケハクミリス9テユラートçレ7チ
6タツ.ヲキリヌセ04Zホチヤ:シイロン
5ー3レクユ:ロチホヲ8ソテマ1ヌシ2ヤ
タツアコ4サミモソオケ0ネカ.57ナムロ


Writeup MBE 1A


lab1A

lab1A@warzone:/levels/lab01$ file lab1A
lab1A: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=8207a5ad5821e47f25412161c60dc24fd2f3386e, stripped
lab1A@warzone:/levels/lab01$

list all functions

[0x08048880]> aaa
[0x08048880]> afl
····
0x08048a0f  309  15  sym.auth
0x08048b44  298  8  sym.main
·····

老规矩 还是从 main 函数开始分析;

[0x08048880]> pdf @ sym.main
╒ (fcn) sym.main 298
│          ; arg int arg_3        @ ebp+0xc
│          ; DATA XREF from 0x08048897 (entry0)
│          ;-- main:
│          ;-- sym.main:
│          0x08048b44    55             push ebp
│          0x08048b45    89e5           mov ebp, esp
│          0x08048b47    83e4f0         and esp, 0xfffffff0
│          0x08048b4a    83ec40         sub esp, 0x40
│          0x08048b4d    8b450c         mov eax, dword [ebp + 0xc]      ; [0xc:4]=0
│          0x08048b50    8944240c       mov dword [esp + 0xc], eax      ; [0xc:4]=0
│          0x08048b54    65a114000000   mov eax, dword gs:[0x14]        ; [0x14:4]=1
│          0x08048b5a    8944243c       mov dword [esp + 0x3c], eax     ; [0x3c:4]=0x8048034 section_end.ehdr ; '<'
│          0x08048b5e    31c0           xor eax, eax
│          0x08048b60    50             push eax
│          0x08048b61    31c0           xor eax, eax
│      ┌─< 0x08048b63    7403           je 0x8048b68
│      │   0x08048b65    83c404         add esp, 4
│      └   ; JMP XREF from 0x08048b63 (sym.main)
│      └─> 0x08048b68    58             pop eax
│          0x08048b69    c70424738d04.  mov dword [esp], str..___________________________.  ; [0x8048d73:4]=0x2d2d2d2e  ; ".---------------------------." @ 0x8048d73
│          0x08048b70    e89bfcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048b75    c70424918d04.  mov dword [esp], str.____________RPISEC___________  ; [0x8048d91:4]=0x2d2d2d7c  ; "|---------  RPISEC  --------|" @ 0x8048d91
│          0x08048b7c    e88ffcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048b81    c70424af8d04.  mov dword [esp], str.___SECURE_LOGIN_SYS_v._3.0___  ; [0x8048daf:4]=0x53202b7c  ; "|+ SECURE LOGIN SYS v. 3.0 +|" @ 0x8048daf
│          0x08048b88    e883fcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048b8d    c70424cd8d04.  mov dword [esp], 0x8048dcd      ; [0x8048dcd:4]=0x2d2d2d7c
│          0x08048b94    e877fcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048b99    c70424eb8d04.  mov dword [esp], str.____Enter_your_Username:_____  ; [0x8048deb:4]=0x202d7e7c  ; "|~- Enter your Username:  ~-|" @ 0x8048deb
│          0x08048ba0    e86bfcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048ba5    c70424098e04.  mov dword [esp], str._____________________________  ; [0x8048e09:4]=0x2d2d2d27  ; "'---------------------------'" @ 0x8048e09
│          0x08048bac    e85ffcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048bb1    a160b00408     mov eax, dword [sym.stdin]      ; [0x804b060:4]=0x3a434347  ; "GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2" @ 0x804b060
│          0x08048bb6    89442408       mov dword [esp + 8], eax        ; [0x8:4]=0
│          0x08048bba    c74424042000.  mov dword [esp + 4], 0x20       ; [0x20:4]=0x2168  ; "h!" 0x00000020
│          0x08048bc2    8d44241c       lea eax, [esp + 0x1c]           ; 0x1c
│          0x08048bc6    890424         mov dword [esp], eax
│          0x08048bc9    e802fcffff     call sym.imp.fgets ;sym.imp.fgets()
│          0x08048bce    c70424738d04.  mov dword [esp], str..___________________________.  ; [0x8048d73:4]=0x2d2d2d2e  ; ".---------------------------." @ 0x8048d73
│          0x08048bd5    e836fcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048bda    c70424278e04.  mov dword [esp], str._____NEW_ACCOUNT_DETECTED____  ; [0x8048e27:4]=0x2121207c  ; "| !! NEW ACCOUNT DETECTED !!|" @ 0x8048e27
│          0x08048be1    e82afcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048be6    c70424cd8d04.  mov dword [esp], 0x8048dcd      ; [0x8048dcd:4]=0x2d2d2d7c
│          0x08048bed    e81efcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048bf2    c70424458e04.  mov dword [esp], str.____Input_your_serial:_______  ; [0x8048e45:4]=0x202d7e7c  ; "|~- Input your serial:    ~-|" @ 0x8048e45
│          0x08048bf9    e812fcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048bfe    c70424098e04.  mov dword [esp], str._____________________________  ; [0x8048e09:4]=0x2d2d2d27  ; "'---------------------------'" @ 0x8048e09
│          0x08048c05    e806fcffff     call sym.imp.puts ;sym.imp.puts()
│          0x08048c0a    8d442418       lea eax, [esp + 0x18]           ; 0x18
│          0x08048c0e    89442404       mov dword [esp + 4], eax        ; [0x4:4]=0x10101
│          0x08048c12    c70424008d04.  mov dword [esp], 0x8048d00      ; [0x8048d00:4]=0xa007525
│          0x08048c19    e842fcffff     call sym.imp.__isoc99_scanf ;sym.imp.__isoc99_scanf()
│          0x08048c1e    8b442418       mov eax, dword [esp + 0x18]     ; [0x18:4]=0x8048880 entry0
│          0x08048c22    89442404       mov dword [esp + 4], eax        ; [0x4:4]=0x10101
│          0x08048c26    8d44241c       lea eax, [esp + 0x1c]           ; 0x1c
│          0x08048c2a    890424         mov dword [esp], eax
│          0x08048c2d    e8ddfdffff     call sym.auth ;sym.auth()
│          0x08048c32    85c0           test eax, eax
│     ┌──< 0x08048c34    751f           jne 0x8048c55
│     │    0x08048c36    c70424638e04.  mov dword [esp], str.Authenticated_  ; [0x8048e63:4]=0x68747541  ; "Authenticated!" @ 0x8048e63
│     │    0x08048c3d    e8cefbffff     call sym.imp.puts ;sym.imp.puts()
│     │    0x08048c42    c70424728e04.  mov dword [esp], str._bin_sh    ; [0x8048e72:4]=0x6e69622f  ; "/bin/sh" @ 0x8048e72
│     │    0x08048c49    e8d2fbffff     call sym.imp.system ;sym.imp.system()
│     │    0x08048c4e    b800000000     mov eax, 0
│    ┌───< 0x08048c53    eb05           jmp 0x8048c5a
│    │└    ; JMP XREF from 0x08048c34 (sym.main)
│    │└──> 0x08048c55    b801000000     mov eax, 1
│    └     ; JMP XREF from 0x08048c53 (sym.main)
│    └───> 0x08048c5a    8b54243c       mov edx, dword [esp + 0x3c]     ; [0x3c:4]=0x8048034 section_end.ehdr ; '<'
│          0x08048c5e    653315140000.  xor edx, dword gs:[0x14]
│          0x08048c65    7405           je 0x8048c6c
│          0x08048c67    e894fbffff     call sym.imp.__stack_chk_fail ;sym.imp.__stack_chk_fail()
│          ; JMP XREF from 0x08048c65 (sym.main)
│          0x08048c6c    c9             leave
╘          0x08048c6d    c3             ret

main 运行的第一件事需要你提供 username(line 30), 通过 function fgets(line 34-39) 获取到 username,按照参数入栈原则,参数从右到左入栈

char* fgets( char* str, int count, std::FILE* stream );

  • pushed first (the third parameter) : stream – file stream to read the data from; (on line 35)
  • pushed second (the second parameter) : count – maximum number of characters to write; ( on line 36)
  • pushed last (the first parameter) : str – pointer to an element of a char array; (on line 37-38)

    username-prompt 之后 需要你输入 serial ,通过 function scanf( on line 50-53) 获取;
    serial通过[esp+0x18] 获取到,传递给 scanf的 第一个参数是 字符串 0x8048d00;

     [0x08048880]> ps @ 0x8048d00
    %u
     

通过unsigned int 格式读取;读取之后,调用了 自定义的auth functions(line 58), 传递的第一个参数是[esp + 0x18] Serial (line 54-55), 第二个参数是 [esp + 0x1c] Username (line 56-57); 调用之后 如果 等于0,就调用系统shell(61-63)

So , I guess the main-functions look like this :

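/* Reconstruction of sym.main from the listing above: two prompts, then auth() decides
 * whether the setuid binary hands out a shell. */
int main(void){
	/* ... the banner puts() calls are omitted here ... */
	char username[32];
	unsigned int serial;

	puts("Enter username");
	/* fgets(buf, 0x20, stdin): 0x20 is the count stored at esp+4 before the call */
	fgets(username, 32, stdin);

	puts("Enter serial");
	/* the format string at 0x8048d00 is "%u", so the serial is read as an unsigned int */
	scanf("%u", &serial);

	/* auth() gets the username buffer at esp+0 and the serial at esp+4;
	 * only a return value of 0 reaches system() */
	if(auth(username, serial) == 0){
		puts("Authenticated!");
		system("/bin/sh");
	}
	return 0;
}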

因此 我们必须在 Auth 里面找到一个方法,使得 return ==0

在进入Auth functions 之前,我们先看看Auth的栈结构;

ebp + 0x00 [saved ebp] <— push ebp
ebp + 0x04 [return address] <— return address pushed by the call instruction
ebp + 0x08 [username] <— 1st argument
ebp + 0x0c [serial] <— 2nd argument

Let’s look at the auth function:

[0x08048880]> pdf @ sym.auth
╒ (fcn) sym.auth 309
│           ; arg int arg_1_1      @ ebp+0x5
│           ; arg int arg_2        @ ebp+0x8
│           ; arg int arg_3        @ ebp+0xc
│           ; var int local_3      @ ebp-0xc
│           ; var int local_4      @ ebp-0x10
│           ; var int local_5      @ ebp-0x14
│           ; CALL XREF from 0x08048c2d (sym.main)
│           ;-- sym.auth:
│           0x08048a0f    55             push ebp
│           0x08048a10    89e5           mov ebp, esp
│           0x08048a12    83ec28         sub esp, 0x28
│           0x08048a15    c7442404038d.  mov dword [esp + 4], 0x8048d03  ; [0x8048d03:4]=10
│           0x08048a1d    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│           0x08048a20    890424         mov dword [esp], eax
│           0x08048a23    e878fdffff     call sym.imp.strcspn           ; sub.strcspn_12_79c+0x4
│             ^- sub.strcspn_12_79c() ; sym.imp.strcspn
│           0x08048a28    8b5508         mov edx, dword [ebp + 8]       ; [0x8:4]=0
│           0x08048a2b    01d0           add eax, edx
│           0x08048a2d    c60000         mov byte [eax], 0
│           0x08048a30    c74424042000.  mov dword [esp + 4], 0x20      ; [0x20:4]=0x2168  ; "h!" 0x00000020
│           0x08048a38    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│           0x08048a3b    890424         mov dword [esp], eax
│           0x08048a3e    e80dfeffff     call sym.imp.strnlen
│             ^- sym.imp.strnlen()
│           0x08048a43    8945f4         mov dword [ebp-local_3], eax
│           0x08048a46    50             push eax
│           0x08048a47    31c0           xor eax, eax
│       ┌─< 0x08048a49    7403           je 0x8048a4e
│       │   0x08048a4b    83c404         add esp, 4
│       └   ; JMP XREF from 0x08048a49 (sym.auth)
│       └─> 0x08048a4e    58             pop eax
│           0x08048a4f    837df405       cmp dword [ebp-local_3], 5     ; [0x5:4]=257
│      ┌──< 0x08048a53    7f0a           jg 0x8048a5f
│      │    0x08048a55    b801000000     mov eax, 1
│     ┌───< 0x08048a5a    e9e3000000     jmp 0x8048b42
│     │└    ; JMP XREF from 0x08048a53 (sym.auth)
│     │└──> 0x08048a5f    c744240c0000.  mov dword [esp + 0xc], 0       ; [0xc:4]=0
│     │     0x08048a67    c74424080100.  mov dword [esp + 8], 1         ; [0x8:4]=0
│     │     0x08048a6f    c74424040000.  mov dword [esp + 4], 0         ; [0x4:4]=0x10101
│     │     0x08048a77    c70424000000.  mov dword [esp], 0
│     │     0x08048a7e    e8edfdffff     call sym.imp.ptrace
│     │       ^- sym.imp.ptrace()
│     │     0x08048a83    83f8ff         cmp eax, 0xff
│    ┌────< 0x08048a86    752e           jne 0x8048ab6
│    ││     0x08048a88    c70424088d04.  mov dword [esp], str._e_32m.___________________________.  ; [0x8048d08:4]=0x32335b1b  ; str._e_32m.___________________________.
│    ││     0x08048a8f    e87cfdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048a94    c704242c8d04.  mov dword [esp], str._e_31m_____TAMPERING_DETECTED______  ; [0x8048d2c:4]=0x31335b1b  ; str._e_31m_____TAMPERING_DETECTED______
│    ││     0x08048a9b    e870fdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048aa0    c70424508d04.  mov dword [esp], str._e_32m_____________________________  ; [0x8048d50:4]=0x32335b1b  ; str._e_32m_____________________________
│    ││     0x08048aa7    e864fdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048aac    b801000000     mov eax, 1
│   ┌─────< 0x08048ab1    e98c000000     jmp 0x8048b42
│   │└      ; JMP XREF from 0x08048a86 (sym.auth)
│   │└────> 0x08048ab6    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│   │ │     0x08048ab9    83c003         add eax, 3
│   │ │     0x08048abc    0fb600         movzx eax, byte [eax]
│   │ │     0x08048abf    0fbec0         movsx eax, al
│   │ │     0x08048ac2    3537130000     xor eax, 0x1337
│   │ │     0x08048ac7    05eded5e00     add eax, 0x5eeded
│   │ │     0x08048acc    8945f0         mov dword [ebp-local_4], eax
│   │ │     0x08048acf    c745ec000000.  mov dword [ebp-local_5], 0
│  ┌──────< 0x08048ad6    eb4e           jmp 0x8048b26
│           ; JMP XREF from 0x08048b2c (sym.auth)
│ ────────> 0x08048ad8    8b55ec         mov edx, dword [ebp-local_5]
│  ││ │     0x08048adb    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│  ││ │     0x08048ade    01d0           add eax, edx
│  ││ │     0x08048ae0    0fb600         movzx eax, byte [eax]
│  ││ │     0x08048ae3    3c1f           cmp al, 0x1f
│ ┌───────< 0x08048ae5    7f07           jg 0x8048aee
│ │││ │     0x08048ae7    b801000000     mov eax, 1
│ ────────< 0x08048aec    eb54           jmp 0x8048b42
│ └         ; JMP XREF from 0x08048ae5 (sym.auth)
│ └───────> 0x08048aee    8b55ec         mov edx, dword [ebp-local_5]
│  ││ │     0x08048af1    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│  ││ │     0x08048af4    01d0           add eax, edx
│  ││ │     0x08048af6    0fb600         movzx eax, byte [eax]
│  ││ │     0x08048af9    0fbec0         movsx eax, al
│  ││ │     0x08048afc    3345f0         xor eax, dword [ebp-local_4]
│  ││ │     0x08048aff    89c1           mov ecx, eax
│  ││ │     0x08048b01    ba2b3b2388     mov edx, 0x88233b2b
│  ││ │     0x08048b06    89c8           mov eax, ecx
│  ││ │     0x08048b08    f7e2           mul edx
│  ││ │     0x08048b0a    89c8           mov eax, ecx
│  ││ │     0x08048b0c    29d0           sub eax, edx
│  ││ │     0x08048b0e    d1e8           shr eax, 1
│  ││ │     0x08048b10    01d0           add eax, edx
│  ││ │     0x08048b12    c1e80a         shr eax, 0xa
│  ││ │     0x08048b15    69c039050000   imul eax, eax, 0x539
│  ││ │     0x08048b1b    29c1           sub ecx, eax
│  ││ │     0x08048b1d    89c8           mov eax, ecx
│  ││ │     0x08048b1f    0145f0         add dword [ebp-local_4], eax
│  ││ │     0x08048b22    8345ec01       add dword [ebp-local_5], 1
│  └        ; JMP XREF from 0x08048ad6 (sym.auth)
│  └──────> 0x08048b26    8b45ec         mov eax, dword [ebp-local_5]
│   │ │     0x08048b29    3b45f4         cmp eax, dword [ebp-local_3]
│ ────────< 0x08048b2c    7caa           jl 0x8048ad8
│   │ │     0x08048b2e    8b450c         mov eax, dword [ebp + 0xc]     ; [0xc:4]=0
│   │ │     0x08048b31    3b45f0         cmp eax, dword [ebp-local_4]
│ ────────< 0x08048b34    7407           je 0x8048b3d
│   │ │     0x08048b36    b801000000     mov eax, 1
│   │ │     0x08048b3b    eb05           jmp 0x8048b42
│           ; JMP XREF from 0x08048b34 (sym.auth)
│ ────────> 0x08048b3d    b800000000     mov eax, 0
│   └ └     ; JMP XREF from 0x08048b3b (sym.auth)
│   └ └     ; JMP XREF from 0x08048aec (sym.auth)
│   └ └     ; JMP XREF from 0x08048ab1 (sym.auth)
│   └ └     ; JMP XREF from 0x08048a5a (sym.auth)
│ ──└─└───> 0x08048b42    c9             leave
╘           0x08048b43    c3             ret
[0x08048880]>

Auth function 一进来,就调用了一个strcspn function(line 14-17),传入的参数是 [ebp + 8] (Username), 和 0x8048d03 ;

[0x08048880]> ps @ 0x8048d03


[0x08048880]> px 1 @ 0x8048d03
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x08048d03  0a                                       .
[0x08048880]>

看起来是一个 换行符, 让我们看看做了什么;

│           0x08048a28    8b5508         mov edx, dword [ebp + 8]       ; [0x8:4]=0
│           0x08048a2b    01d0           add eax, edx
│           0x08048a2d    c60000         mov byte [eax], 0

要了解为什么,首先要回到 fgets() 函数: fgets 不会去掉换行符,所以 username 后面带着一个换行符;strcspn 返回换行符所在的索引,把这个索引加到 username 的地址上,[result] 就指向了换行符,然后通过 mov 0 用空字节把换行符覆盖;

│           0x08048a30    c74424042000.  mov dword [esp + 4], 0x20      ; [0x20:4]=0x2168  ; "h!" 0x00000020
│           0x08048a38    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│           0x08048a3b    890424         mov dword [esp], eax
│           0x08048a3e    e80dfeffff     call sym.imp.strnlen

on line 22-25 , call the strnlen functions, passed the two argument, 1st argument is ebp + 8, 2nd argument is max-length 0x20=32;

The return value is stored in the [ebp – local_3], This value is compared to the 5 on line 34;

│           0x08048a43    8945f4         mov dword [ebp-local_3], eax
│           0x08048a46    50             push eax
│           0x08048a47    31c0           xor eax, eax
│       ┌─< 0x08048a49    7403           je 0x8048a4e
│       │   0x08048a4b    83c404         add esp, 4
│       └   ; JMP XREF from 0x08048a49 (sym.auth)
│       └─> 0x08048a4e    58             pop eax
│           0x08048a4f    837df405       cmp dword [ebp-local_3], 5     ; [0x5:4]=257
│      ┌──< 0x08048a53    7f0a           jg 0x8048a5f
│      │    0x08048a55    b801000000     mov eax, 1
│     ┌───< 0x08048a5a    e9e3000000     jmp 0x8048b42

如果 Length 小于等于 5,则 jg 0x8048a5f 不跳转,赋给 eax 1 之后,jmp 到 0x8048b42 (the address of the function's epilogue);
if length > 5 , continue:

│     │└──> 0x08048a5f    c744240c0000.  mov dword [esp + 0xc], 0       ; [0xc:4]=0
│     │     0x08048a67    c74424080100.  mov dword [esp + 8], 1         ; [0x8:4]=0
│     │     0x08048a6f    c74424040000.  mov dword [esp + 4], 0         ; [0x4:4]=0x10101
│     │     0x08048a77    c70424000000.  mov dword [esp], 0
│     │     0x08048a7e    e8edfdffff     call sym.imp.ptrace
│     │       ^- sym.imp.ptrace()
│     │     0x08048a83    83f8ff         cmp eax, 0xff
│    ┌────< 0x08048a86    752e           jne 0x8048ab6
│    ││     0x08048a88    c70424088d04.  mov dword [esp], str._e_32m.___________________________.  ; [0x8048d08:4]=0x32335b1b  ; str._e_32m.___________________________.
│    ││     0x08048a8f    e87cfdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048a94    c704242c8d04.  mov dword [esp], str._e_31m_____TAMPERING_DETECTED______  ; [0x8048d2c:4]=0x31335b1b  ; str._e_31m_____TAMPERING_DETECTED______
│    ││     0x08048a9b    e870fdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048aa0    c70424508d04.  mov dword [esp], str._e_32m_____________________________  ; [0x8048d50:4]=0x32335b1b  ; str._e_32m_____________________________
│    ││     0x08048aa7    e864fdffff     call sym.imp.puts
│    ││       ^- sym.imp.puts()
│    ││     0x08048aac    b801000000     mov eax, 1
│   ┌─────< 0x08048ab1    e98c000000     jmp 0x8048b42

On line 43, ptrace(PTRACE_TRACEME) 是一个反调试检查(注意 `83 f8 ff` 编码的立即数是符号扩展的 imm8,也就是 `cmp eax, -1`:进程已经被调试时 ptrace 返回 -1),可以 Nop 掉;出于学习目的,继续反汇编 调戏 代码;

 │   │└────> 0x08048ab6    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│   │ │     0x08048ab9    83c003         add eax, 3
│   │ │     0x08048abc    0fb600         movzx eax, byte [eax]
│   │ │     0x08048abf    0fbec0         movsx eax, al
│   │ │     0x08048ac2    3537130000     xor eax, 0x1337
│   │ │     0x08048ac7    05eded5e00     add eax, 0x5eeded
│   │ │     0x08048acc    8945f0         mov dword [ebp-local_4], eax
│   │ │     0x08048acf    c745ec000000.  mov dword [ebp-local_5], 0
│  ┌──────< 0x08048ad6    eb4e           jmp 0x8048b26
 

把 username [ebp + 8] 加 3 之后 索引, username[3] xor 0x1337, 然后加上 0x5eeded, 最后把结果 赋给 [ebp – local_4];
到目前为止,Auth functions 看起来像是介样子的:

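/* Partial reconstruction of sym.auth up to the start of the per-character loop.
 * Returns 1 when the username is rejected; the loop and the final compare against
 * serial are reconstructed further down. */
int auth(char *username, unsigned int serial){
    /* the second argument at 0x8048d03 is the one-byte string "\n", not a char */
    int idx = strcspn(username, "\n");
    username[idx] = 0x00;          /* overwrite the newline fgets() left in the buffer */

    /* the call is strnlen with the 0x20 bound pushed at esp+4 */
    int len = strnlen(username, 32);

    /* cmp [ebp-local_3], 5 ; jg : only len > 5 continues, so a 5-character name fails */
    if(len <= 5) return 1;

    /* 83 f8 ff is cmp eax, -1 (sign-extended imm8): ptrace(PTRACE_TRACEME) returns -1
     * when the process is already being traced */
    if(ptrace(0,0,1,0) == -1){
       puts("TAMPERING DETECTED!");
        return 1;
    }
    /* seed for the loop below: username[3] ^ 0x1337, plus 0x5eeded */
    unsigned int v1 = (username[3] ^ 0x1337) + 0x5eeded;
    int i = 0;
    /* ... the loop over username[i] and the compare with serial follow ... */
}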
│  ┌──────< 0x08048ad6    eb4e           jmp 0x8048b26
│           ; JMP XREF from 0x08048b2c (sym.auth)
│ ────────> 0x08048ad8    8b55ec         mov edx, dword [ebp-local_5]
│  ││ │     0x08048adb    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│  ││ │     0x08048ade    01d0           add eax, edx
│  ││ │     0x08048ae0    0fb600         movzx eax, byte [eax]
│  ││ │     0x08048ae3    3c1f           cmp al, 0x1f
│ ┌───────< 0x08048ae5    7f07           jg 0x8048aee
│ │││ │     0x08048ae7    b801000000     mov eax, 1
│ ────────< 0x08048aec    eb54           jmp 0x8048b42
│ └         ; JMP XREF from 0x08048ae5 (sym.auth)
│ └───────> 0x08048aee    8b55ec         mov edx, dword [ebp-local_5]
│  ││ │     0x08048af1    8b4508         mov eax, dword [ebp + 8]       ; [0x8:4]=0
│  ││ │     0x08048af4    01d0           add eax, edx
│  ││ │     0x08048af6    0fb600         movzx eax, byte [eax]
│  ││ │     0x08048af9    0fbec0         movsx eax, al
│  ││ │     0x08048afc    3345f0         xor eax, dword [ebp-local_4]
│  ││ │     0x08048aff    89c1           mov ecx, eax
│  ││ │     0x08048b01    ba2b3b2388     mov edx, 0x88233b2b
│  ││ │     0x08048b06    89c8           mov eax, ecx
│  ││ │     0x08048b08    f7e2           mul edx
│  ││ │     0x08048b0a    89c8           mov eax, ecx
│  ││ │     0x08048b0c    29d0           sub eax, edx
│  ││ │     0x08048b0e    d1e8           shr eax, 1
│  ││ │     0x08048b10    01d0           add eax, edx
│  ││ │     0x08048b12    c1e80a         shr eax, 0xa
│  ││ │     0x08048b15    69c039050000   imul eax, eax, 0x539
│  ││ │     0x08048b1b    29c1           sub ecx, eax
│  ││ │     0x08048b1d    89c8           mov eax, ecx
│  ││ │     0x08048b1f    0145f0         add dword [ebp-local_4], eax
│  ││ │     0x08048b22    8345ec01       add dword [ebp-local_5], 1
│  └        ; JMP XREF from 0x08048ad6 (sym.auth)
│  └──────> 0x08048b26    8b45ec         mov eax, dword [ebp-local_5]
│   │ │     0x08048b29    3b45f4         cmp eax, dword [ebp-local_3]
│ ────────< 0x08048b2c    7caa           jl 0x8048ad8

上面的代码执行完之后,直接jmp 0x8048b26, 程序把 [ebp-local_5] 和 Len 比较了一下大小,如果小于 则跳回0x8048ad8 开始循环,
然后再结合 line 96-97的汇编来看,似乎是一个循环体;

/* [ebp-local_5] is the loop counter and [ebp-local_3] is len (0x08048b26-0x08048b2c) */
for(i = 0; i < len; i ++){
···
}

函数先取 username每一个字符与 0x1f compare, if username[i] > 0x1f, continue;
then eax[i] ^ v1 ; 然后把 xor 出来的值与 0x88233b2b 做 mul,注意这里的 mul edx 只有一个操作数,64 位乘积的低 32 位存在 eax,高 32 位存在 edx,所以 edx = (v2 * 0x88233b2b) >> 32 ; 所以 这个 for 循环的代码 我猜是这样的 ;

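for(i = 0; i < len; i++){
	unsigned int v2, v3 ,v4 ;
	/* cmp al, 0x1f ; jg is a signed byte compare: a byte not greater than 0x1f fails,
	   and so does anything >= 0x80 (negative as a signed char) */
	if(username[i] <= 0x1f) return 1;
	v2 = username[i];
	v2 ^= v1;
	/* mul edx is a 32x32->64 multiply with the high half in edx, so the product has to
	   be formed in 64 bits before the shift; a 32-bit multiply would lose it */
	v3 = ((unsigned long long)v2 * 0x88233b2b) >> 32;
	v4 = v2 - v3 ;
	v4 = v4 >> 1;
	v4 += v3;
	v4 = v4 >> 0xa;
	v4 *= 0x539;
	v4 = v2 - v4;      /* v2 - (v2 / 0x539) * 0x539, i.e. v2 % 1337 */
	v1 += v4;
}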
│   │ │     0x08048b2e    8b450c         mov eax, dword [ebp + 0xc]     ; [0xc:4]=0
│   │ │     0x08048b31    3b45f0         cmp eax, dword [ebp-local_4]
│ ────────< 0x08048b34    7407           je 0x8048b3d
│   │ │     0x08048b36    b801000000     mov eax, 1
│   │ │     0x08048b3b    eb05           jmp 0x8048b42
│           ; JMP XREF from 0x08048b34 (sym.auth)
│ ────────> 0x08048b3d    b800000000     mov eax, 0
│   └ └     ; JMP XREF from 0x08048b3b (sym.auth)
│   └ └     ; JMP XREF from 0x08048aec (sym.auth)
│   └ └     ; JMP XREF from 0x08048ab1 (sym.auth)
│   └ └     ; JMP XREF from 0x08048a5a (sym.auth)
│ ──└─└───> 0x08048b42    c9             leave
╘           0x08048b43    c3             ret

循环结束后 就剩这几行代码了,把我们输入的 serial 和 [ebp-local_4](通过 username 计算出来的 serial) compare,return 1 (failed) and return 0 (success)

现在我们可以自己写一个 对应username计算的key code出来:

#include <stdio.h>
#include <stdint.h>
#include <string.h>
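/*
 * Key - derive the serial that sym.auth expects for a username.
 *
 * username: NUL-terminated buffer as filled by fgets(); the trailing newline is
 *           stripped in place, exactly as sym.auth does with strcspn().
 * Returns the 32-bit serial, or 0 when sym.auth would reject the name anyway
 * (too short, or a byte not greater than 0x1f).  0 is also a possible, if
 * unlikely, serial value, so the caller cannot fully tell the two apart.
 */
int Key(char *username){
    int idx = strcspn(username, "\n");
    username[idx] = 0x00;

    int len = strnlen(username, 32);
    /* sym.auth does `cmp [len], 5 ; jg`: only len > 5 passes, so 5 characters is rejected */
    if(len <= 5) return 0;

    /* seed computed before the loop: (username[3] ^ 0x1337) + 0x5eeded */
    unsigned int v1 = (username[3] ^ 0x1337) + 0x5eeded;

    for (int i = 0; i < len; i++) {
        unsigned int v2, v3, v4;

        /* `cmp al, 0x1f ; jg` is a signed byte compare: control characters and
           bytes >= 0x80 (negative as char) both fail */
        if (username[i] <= 0x1f) return 0;
        v2 = username[i];
        v2 ^= v1;
        /* mul edx: edx receives the high 32 bits of the 64-bit product */
        v3 = (uint64_t)v2*0x88233b2b >> 32;
        v4 = v2 - v3;
        v4 = v4 >> 1;
        v4 += v3;
        v4 = v4 >> 10;
        v4 *= 0x539;
        v4 = v2 - v4;   /* == v2 % 0x539 (magic-number division by 1337) */

        v1 += v4;
    }

    return v1;
}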

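/* Read a username the way lab1A does (fgets into a 32-byte buffer) and print its serial. */
int main(void){
    char username[32];
    unsigned int serial ;

    printf("Enter username: ");
    /* on EOF or error the buffer is uninitialised, so do not hand it to Key() */
    if (fgets(username, 32, stdin) == NULL) return 1;

    serial = Key(username);
    if(serial > 0) printf("serial: %u\n", serial);
    return 0;
}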

gcc key.c -o key
Now we can generate our own serial:

root@bad:/media/psf/Home/code# ./key
Enter username: wobushou
serial: 6234483

Getshell

lab1A@warzone:/levels/lab01$ ./lab1A
.---------------------------.
|---------  RPISEC  --------|
|+ SECURE LOGIN SYS v. 3.0 +|
|---------------------------|
|~- Enter your Username:  ~-|
'---------------------------'
wobushou
.---------------------------.
| !! NEW ACCOUNT DETECTED !!|
|---------------------------|
|~- Input your serial:    ~-|
'---------------------------'
6234483
Authenticated!
$ whoami
lab1end
$

当时的草稿纸;
