White Security
Flag Writeup
Papa brought me a packed present! let's open it. Download : http://pwnable.kr/bin/flag This is reversing task. all you need is binary
This is problem 4 of Toddler's Bottle.
Papa has given us a "packed" present.
It is described as a reversing problem that can be solved with nothing but the binary.
[root@centos7 ~]# ./flag
I will malloc() and strcpy the flag there. take it.
Running the given binary prints a hint:
the flag is being copied into a buffer
using malloc() and strcpy.
(gdb) info file
Symbols from "/root/flag".
Listing the sections with gdb
yields no information at all:
info file shows nothing beyond the symbol file name.
[root@centos7 ~]# upx -l flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    883745 ->    335288   37.94%   linux/amd64   flag
Looking into why, it turns out
the binary is UPX-packed.
The word 'packed' in the problem statement was the hint.
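As an added example (not part of the original writeup), a small Python triage script that checks the two things the empty info file output pointed at: whether an ELF64 binary still has a section header table, and whether the UPX stub markers are present in the image. The sample header bytes are constructed inline for the demonstration; they are not taken from the challenge binary.

```python
import struct

# Strings the UPX stub leaves in a packed ELF (the "UPX!" l_info magic and the info banner).
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def elf64_section_headers(data: bytes):
    """Return (e_shoff, e_shnum) from an ELF64 header, or None if this is not an ELF64 file."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        return None
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]   # section header table file offset
    e_shnum = struct.unpack_from("<H", data, 0x3C)[0]   # number of section header entries
    return e_shoff, e_shnum


def triage(data: bytes) -> dict:
    """Explain why a debugger shows no sections: stripped table and/or UPX packing."""
    hdr = elf64_section_headers(data)
    has_sections = hdr is not None and hdr[0] != 0 and hdr[1] > 0
    upx = any(marker in data for marker in UPX_MARKERS)
    if hdr is None:
        verdict = "not an ELF64 file"
    elif upx and not has_sections:
        verdict = "UPX-packed: no section headers and UPX stub markers present"
    elif upx:
        verdict = "UPX markers present but section headers intact: inspect manually"
    elif not has_sections:
        verdict = "section headers stripped (packer unknown)"
    else:
        verdict = "section headers present; not UPX-packed"
    return {"elf64": hdr is not None, "section_headers": has_sections,
            "upx_marker": upx, "verdict": verdict}


def fake_elf64(e_shoff: int, e_shnum: int, tail: bytes = b"") -> bytes:
    """Build a constructed 64-byte ELF64 header (x86-64, little-endian) for testing; not a real binary."""
    hdr = bytearray(64)
    hdr[0:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 2, 1, 1         # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<H", hdr, 0x10, 2)     # e_type = ET_EXEC
    struct.pack_into("<H", hdr, 0x12, 0x3E)  # e_machine = EM_X86_64
    struct.pack_into("<Q", hdr, 0x28, e_shoff)
    struct.pack_into("<H", hdr, 0x3C, e_shnum)
    return bytes(hdr) + tail


# Constructed samples: a UPX-style image with no section table and the stub magic,
# and a normal image that keeps its section table.
PACKED_SAMPLE = fake_elf64(0, 0, b"\x00" * 16 + b"UPX!" + b"\x00" * 16)
UNPACKED_SAMPLE = fake_elf64(0x1000, 30)

if __name__ == "__main__":
    for name, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, "->", triage(sample)["verdict"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a packed result is the cue to run `upx -d` before disassembling.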
[root@centos7 ~]# upx -d flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    883745 <-    335288   37.94%   linux/amd64   flag

Unpacked 1 file.
The binary was decompressed
with the upx -d command.
(gdb) info file
Symbols from "/root/flag".
Local exec file:
        `/root/flag', file type elf64-x86-64.
        Entry point: 0x401058
        0x0000000000400190 - 0x00000000004001b0 is .note.ABI-tag
        0x00000000004001b0 - 0x00000000004001d4 is .note.gnu.build-id
        0x00000000004001d8 - 0x00000000004002f8 is .rela.plt
        0x00000000004002f8 - 0x0000000000400310 is .init
        0x0000000000400310 - 0x00000000004003d0 is .plt
        0x00000000004003d0 - 0x0000000000494d38 is .text
        0x0000000000494d40 - 0x000000000049655c is __libc_freeres_fn
        0x0000000000496560 - 0x0000000000496608 is __libc_thread_freeres_fn
        0x0000000000496608 - 0x0000000000496616 is .fini
        0x0000000000496620 - 0x00000000004b39c4 is .rodata
        0x00000000004b39c8 - 0x00000000004b39d0 is __libc_atexit
        0x00000000004b39d0 - 0x00000000004b3a28 is __libc_subfreeres
        0x00000000004b3a28 - 0x00000000004b3a30 is __libc_thread_subfreeres
        0x00000000004b3a30 - 0x00000000004c0fdc is .eh_frame
        0x00000000004c0fdc - 0x00000000004c115e is .gcc_except_table
        0x00000000006c1ef0 - 0x00000000006c1f10 is .tdata
        0x00000000006c1f10 - 0x00000000006c1f48 is .tbss
        0x00000000006c1f10 - 0x00000000006c1f18 is .init_array
        0x00000000006c1f18 - 0x00000000006c1f20 is .fini_array
        0x00000000006c1f20 - 0x00000000006c1f30 is .ctors
        0x00000000006c1f30 - 0x00000000006c1f40 is .dtors
        0x00000000006c1f40 - 0x00000000006c1f48 is .jcr
        0x00000000006c1f50 - 0x00000000006c1fd0 is .data.rel.ro
        0x00000000006c1fd0 - 0x00000000006c1fe0 is .got
        0x00000000006c1fe8 - 0x00000000006c2060 is .got.plt
        0x00000000006c2060 - 0x00000000006c36f0 is .data
        0x00000000006c3700 - 0x00000000006c6288 is .bss
        0x00000000006c6290 - 0x00000000006c62d8 is __libc_freeres_ptrs
Now the section information is printed properly.
(gdb) disas main
Dump of assembler code for function main:
   0x0000000000401164 <+0>:     push   rbp
   0x0000000000401165 <+1>:     mov    rbp,rsp
   0x0000000000401168 <+4>:     sub    rsp,0x10
   0x000000000040116c <+8>:     mov    edi,0x496658
   0x0000000000401171 <+13>:    call   0x402080 <puts>
   0x0000000000401176 <+18>:    mov    edi,0x64
   0x000000000040117b <+23>:    call   0x4099d0 <malloc>
   0x0000000000401180 <+28>:    mov    QWORD PTR [rbp-0x8],rax
   0x0000000000401184 <+32>:    mov    rdx,QWORD PTR [rip+0x2c0ee5]        # 0x6c2070 <flag>
   0x000000000040118b <+39>:    mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040118f <+43>:    mov    rsi,rdx
   0x0000000000401192 <+46>:    mov    rdi,rax
   0x0000000000401195 <+49>:    call   0x400320
   0x000000000040119a <+54>:    mov    eax,0x0
   0x000000000040119f <+59>:    leave
   0x00000000004011a0 <+60>:    ret
End of assembler dump.
Disassembling main shows that
a buffer is allocated with malloc (0x64 bytes),
and the pointer stored at 0x6c2070 (the <flag> symbol)
is passed as the source argument to the call at 0x400320, the strcpy from the hint.
(gdb) x/s *0x6c2070
0x496628:       "UPX...? sounds like a delivery service :)"
Printing the referenced data as a string
reveals the flag.