我的书签
添加书签
移除书签6.2.1 re XHPCTF2017 dont_panic
题目解析
第一步当然是 file 啦:
$ file dont_panicdont_panic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
64 位,静态编译,而且 stripped。
看一下段吧:
$ readelf -S dont_panicThere are 13 section headers, starting at offset 0xfa388:Section Headers:[Nr] Name Type Address OffsetSize EntSize Flags Link Info Align[ 0] NULL 0000000000000000 000000000000000000000000 0000000000000000 0 0 0[ 1] .text PROGBITS 0000000000401000 00001000000000000007ae40 0000000000000000 AX 0 0 16[ 2] .rodata PROGBITS 000000000047c000 0007c0000000000000033f5b 0000000000000000 A 0 0 32[ 3] .typelink PROGBITS 00000000004b0080 000b00800000000000000b4c 0000000000000000 A 0 0 32[ 4] .itablink PROGBITS 00000000004b0bd0 000b0bd00000000000000038 0000000000000000 A 0 0 8[ 5] .gosymtab PROGBITS 00000000004b0c08 000b0c080000000000000000 0000000000000000 A 0 0 1[ 6] .gopclntab PROGBITS 00000000004b0c20 000b0c200000000000044d5d 0000000000000000 A 0 0 32[ 7] .noptrdata PROGBITS 00000000004f6000 000f60000000000000002608 0000000000000000 WA 0 0 32[ 8] .data PROGBITS 00000000004f8620 000f86200000000000001cf0 0000000000000000 WA 0 0 32[ 9] .bss NOBITS 00000000004fa320 000fa310000000000001a908 0000000000000000 WA 0 0 32[10] .noptrbss NOBITS 0000000000514c40 000fa31000000000000046a0 0000000000000000 WA 0 0 32[11] .note.go.buildid NOTE 0000000000400fc8 00000fc80000000000000038 0000000000000000 A 0 0 4[12] .shstrtab STRTAB 0000000000000000 000fa3100000000000000073 0000000000000000 0 0 1
我们发现一些奇怪的东西,.gosymtab、.gopclantab,Google 一下才知道,它其实是一个用 Go 语言编写的程序。好吧,运行它:
$ ./dont_panicusage: ./dont_panic flag$ ./dont_panic abcdNope.
$ xxd -g1 dont_panic | grep Nope.000a5240: 3e 45 72 72 6e 6f 45 72 72 6f 72 4e 6f 70 65 2e >ErrnoErrorNope.$ objdump -d dont_panic | grep a524b47ba23: 48 8d 05 21 98 02 00 lea 0x29821(%rip),%rax # 0x4a524b
字符串“Nope.”应该是判断错误时的输出,我们顺便找到了使用它的地址为 0x47ba23,接下来在去 r2 里看吧,经过一番搜索,找到了最重要的函数 fcn.0047b8a0:
[0x0047ba23]> pdf @ fcn.0047b8a0/ (fcn) fcn.0047b8a0 947| fcn.0047b8a0 ();| ; JMP XREF from 0x0047bc4e (fcn.0047b8a0)| .-> 0x0047b8a0 64488b0c25f8. mov rcx, qword fs:[0xfffffffffffffff8]| : 0x0047b8a9 488d442490 lea rax, [rsp - 0x70]| : 0x0047b8ae 483b4110 cmp rax, qword [rcx + 0x10] ; [0x10:8]=-1 ; 16| ,==< 0x0047b8b2 0f8691030000 jbe 0x47bc49| |: 0x0047b8b8 4881ecf00000. sub rsp, 0xf0| |: 0x0047b8bf 4889ac24e800. mov qword [local_e8h], rbp| |: 0x0047b8c7 488dac24e800. lea rbp, [local_e8h] ; 0xe8 ; 232| |: 0x0047b8cf 488b05f2ec07. mov rax, qword [0x004fa5c8] ; [0x4fa5c8:8]=0| |: 0x0047b8d6 4883f802 cmp rax, 2 ; 2| ,===< 0x0047b8da 0f8530020000 jne 0x47bb10| ||: ; JMP XREF from 0x0047bc3d (fcn.0047b8a0)| .----> 0x0047b8e0 488b05d9ec07. mov rax, qword [0x004fa5c0] ; [0x4fa5c0:8]=0| :||: 0x0047b8e7 488b0ddaec07. mov rcx, qword [0x004fa5c8] ; [0x4fa5c8:8]=0| :||: 0x0047b8ee 4883f901 cmp rcx, 1 ; 1| ,=====< 0x0047b8f2 0f8611020000 jbe 0x47bb09| |:||: 0x0047b8f8 488b4810 mov rcx, qword [rax + 0x10] ; [0x10:8]=-1 ; 16| |:||: 0x0047b8fc 48894c2450 mov qword [local_50h], rcx| |:||: 0x0047b901 488b4018 mov rax, qword [rax + 0x18] ; [0x18:8]=-1 ; 24| |:||: 0x0047b905 4889442448 mov qword [local_48h], rax| |:||: 0x0047b90a 4883f82a cmp rax, 0x2a ; '*' ; 42 ; 判断密码长度是否大于 42| ,======< 0x0047b90e 0f8c0f010000 jl 0x47ba23 ; 若小于,失败| ||:||: 0x0047b914 31d2 xor edx, edx| ||:||: 0x0047b916 31db xor ebx, ebx| ||:||: 0x0047b918 4889542438 mov qword [local_38h], rdx ; 密码字符串 provided_flag 的下标 i| ||:||: 0x0047b91d 885c2436 mov byte [local_36h], bl| ||:||: 0x0047b921 4839c2 cmp rdx, rax ; 比较下标 i 与密码长度| ,=======< 0x0047b924 7d72 jge 0x47b998 ; 若大于或等于,成功| |||:||: ; JMP XREF from 0x0047b996 (fcn.0047b8a0)| --------> 0x0047b926 0fb63411 movzx esi, byte [rcx + rdx] ; 循环终点| |||:||: 0x0047b92a 4080fe80 cmp sil, 0x80 ; 128| ========< 0x0047b92e 0f83a0010000 jae 0x47bad4| |||:||: 0x0047b934 400fb6f6 movzx esi, sil| |||:||: 0x0047b938 488d7a01 lea rdi, [rdx + 1] ; 1 ; 下标 + 1| |||:||: ; JMP XREF from 0x0047bb04 (fcn.0047b8a0) ; 密码逐位判断逻辑| --------> 0x0047b93c 48897c2440 mov qword [local_40h], rdi| |||:||: 0x0047b941 01f3 add ebx, esi| |||:||: 0x0047b943 885c2437 mov byte [local_37h], bl ; bl 代表 provided_flag[i]| |||:||: 0x0047b947 881c24 mov byte [rsp], bl| |||:||: 0x0047b94a e811feffff call fcn.0047b760 ; 该函数会对 bl 做一些处理| |||:||: 0x0047b94f 0fb6442408 movzx eax, byte [local_8h] ; [0x8:1]=255 ; 8 ; eax 是上面函数的返回值,即 mapanic(provided_flag[i])| |||:||: 0x0047b954 488b4c2438 mov rcx, qword [local_38h] ; [0x38:8]=-1 ; '8' ; 56| |||:||: 0x0047b959 4883f92a cmp rcx, 0x2a ; '*' ; 42 ; 判断 rcx 是否大于等于 0x2a| ========< 0x0047b95d 0f836a010000 jae 0x47bacd ; 如果大于或等于,跳转| |||:||: 0x0047b963 488d15f6a807. lea rdx, 0x004f6260 ; 读入 constant_binary_blob| |||:||: 0x0047b96a 0fb60c0a movzx ecx, byte [rdx + rcx] ; ecx 代表 constant_binary_blob[i]| |||:||: 0x0047b96e 38c8 cmp al, cl ; 比较 mapanic(provided_flag[i]) 和 constant_binary_blob[i]| ========< 0x0047b970 0f85ad000000 jne 0x47ba23 ; 如果不等于,失败| |||:||: 0x0047b976 488b442448 mov rax, qword [local_48h] ; [0x48:8]=-1 ; 'H' ; 72| |||:||: 0x0047b97b 488b4c2450 mov rcx, qword [local_50h] ; [0x50:8]=-1 ; 'P' ; 80| |||:||: 0x0047b980 488b542440 mov rdx, qword [local_40h] ; [0x40:8]=-1 ; '@' ; 64| |||:||: 0x0047b985 0fb65c2437 movzx ebx, byte [local_37h] ; [0x37:1]=255 ; '7' ; 55| |||:||: 0x0047b98a 4889542438 mov qword [local_38h], rdx| |||:||: 0x0047b98f 885c2436 mov byte [local_36h], bl| |||:||: 0x0047b993 4839c2 cmp rdx, rax| ========< 0x0047b996 7c8e jl 0x47b926 ; 循环起点| |||:||: ; JMP XREF from 0x0047b924 (fcn.0047b8a0)| `-------> 0x0047b998 488d05d5c902. lea rax, 0x004a8374 ; "Seems like you got a flag." ; 成功| ||:||: 0x0047b99f 48898424a800. mov qword [local_a8h], rax| ||:||: 0x0047b9a7 48c78424b000. mov qword [local_b0h], 0x1c ; [0x1c:8]=-1 ; 28| ||:||: 0x0047b9b3 48c744245800. mov qword [local_58h], 0| ||:||: 0x0047b9bc 48c744246000. mov qword [local_60h], 0| ||:||: 0x0047b9c5 488d05b4e300. lea rax, 0x00489d80| ||:||: 0x0047b9cc 48890424 mov qword [rsp], rax| ||:||: 0x0047b9d0 488d8c24a800. lea rcx, [local_a8h] ; 0xa8 ; 168| ||:||: 0x0047b9d8 48894c2408 mov qword [local_8h], rcx| ||:||: 0x0047b9dd e80efff8ff call fcn.0040b8f0| ||:||: 0x0047b9e2 488b442410 mov rax, qword [local_10h] ; [0x10:8]=-1 ; 16| ||:||: 0x0047b9e7 488b4c2418 mov rcx, qword [local_18h] ; [0x18:8]=-1 ; 24| ||:||: 0x0047b9ec 4889442458 mov qword [local_58h], rax| ||:||: 0x0047b9f1 48894c2460 mov qword [local_60h], rcx| ||:||: 0x0047b9f6 488d442458 lea rax, [local_58h] ; 0x58 ; 'X' ; 88| ||:||: 0x0047b9fb 48890424 mov qword [rsp], rax| ||:||: 0x0047b9ff 48c744240801. mov qword [local_8h], 1| ||:||: 0x0047ba08 48c744241001. mov qword [local_10h], 1| ||:||: 0x0047ba11 e84a8effff call fcn.00474860| ||:||: 0x0047ba16 48c704240000. mov qword [rsp], 0| ||:||: 0x0047ba1e e88d1efeff call fcn.0045d8b0| ||:||: ; JMP XREF from 0x0047b90e (fcn.0047b8a0)| ||:||: ; JMP XREF from 0x0047b970 (fcn.0047b8a0)| -`------> 0x0047ba23 488d05219802. lea rax, 0x004a524b ; "Nope." ; 失败| |:||: 0x0047ba2a 488984248800. mov qword [local_88h], rax| |:||: 0x0047ba32 48c784249000. mov qword [local_90h], 5| |:||: 0x0047ba3e 48c784249800. mov qword [local_98h], 0| |:||: 0x0047ba4a 48c78424a000. mov qword [local_a0h], 0| |:||: 0x0047ba56 488d0523e300. lea rax, 0x00489d80| |:||: 0x0047ba5d 48890424 mov qword [rsp], rax| |:||: 0x0047ba61 488d84248800. lea rax, [local_88h] ; 0x88 ; 136| |:||: 0x0047ba69 4889442408 mov qword [local_8h], rax| |:||: 0x0047ba6e e87dfef8ff call fcn.0040b8f0| |:||: 0x0047ba73 488b442410 mov rax, qword [local_10h] ; [0x10:8]=-1 ; 16| |:||: 0x0047ba78 488b4c2418 mov rcx, qword [local_18h] ; [0x18:8]=-1 ; 24| |:||: 0x0047ba7d 488984249800. mov qword [local_98h], rax| |:||: 0x0047ba85 48898c24a000. mov qword [local_a0h], rcx| |:||: 0x0047ba8d 488d84249800. lea rax, [local_98h] ; 0x98 ; 152| |:||: 0x0047ba95 48890424 mov qword [rsp], rax| |:||: 0x0047ba99 48c744240801. mov qword [local_8h], 1| |:||: 0x0047baa2 48c744241001. mov qword [local_10h], 1| |:||: 0x0047baab e8b08dffff call fcn.00474860| |:||: 0x0047bab0 48c704240100. mov qword [rsp], 1| |:||: 0x0047bab8 e8f31dfeff call fcn.0045d8b0| |:||: 0x0047babd 488bac24e800. mov rbp, qword [local_e8h] ; [0xe8:8]=-1 ; 232| |:||: 0x0047bac5 4881c4f00000. add rsp, 0xf0| |:||: 0x0047bacc c3 ret| |:||: ; JMP XREF from 0x0047b95d (fcn.0047b8a0)| --------> 0x0047bacd e8ee8dfaff call fcn.004248c0| |:||: 0x0047bad2 0f0b ud2| |:||: ; JMP XREF from 0x0047b92e (fcn.0047b8a0)| --------> 0x0047bad4 48890c24 mov qword [rsp], rcx| |:||: 0x0047bad8 4889442408 mov qword [local_8h], rax| |:||: 0x0047badd 4889542410 mov qword [local_10h], rdx| |:||: 0x0047bae2 e869b8fcff call fcn.00447350| |:||: 0x0047bae7 8b742418 mov esi, dword [local_18h] ; [0x18:4]=-1 ; 24| |:||: 0x0047baeb 488b7c2420 mov rdi, qword [local_20h] ; [0x20:8]=-1 ; 32| |:||: 0x0047baf0 488b442448 mov rax, qword [local_48h] ; [0x48:8]=-1 ; 'H' ; 72| |:||: 0x0047baf5 488b4c2450 mov rcx, qword [local_50h] ; [0x50:8]=-1 ; 'P' ; 80| |:||: 0x0047bafa 488b542438 mov rdx, qword [local_38h] ; [0x38:8]=-1 ; '8' ; 56| |:||: 0x0047baff 0fb65c2436 movzx ebx, byte [local_36h] ; [0x36:1]=255 ; '6' ; 54| ========< 0x0047bb04 e933feffff jmp 0x47b93c| |:||: ; JMP XREF from 0x0047b8f2 (fcn.0047b8a0)| `-----> 0x0047bb09 e8b28dfaff call fcn.004248c0| :||: 0x0047bb0e 0f0b ud2| :||: ; JMP XREF from 0x0047b8da (fcn.0047b8a0)| :`---> 0x0047bb10 488d054c9802. lea rax, 0x004a5363 ; "usage:"| : |: 0x0047bb17 4889442478 mov qword [local_78h], rax| : |: 0x0047bb1c 48c784248000. mov qword [local_80h], 6| : |: 0x0047bb28 488d056a9602. lea rax, 0x004a5199 ; "flag"| : |: 0x0047bb2f 4889442468 mov qword [local_68h], rax| : |: 0x0047bb34 48c744247004. mov qword [local_70h], 4| : |: 0x0047bb3d 488dbc24b800. lea rdi, [local_b8h] ; 0xb8 ; 184| : |: 0x0047bb45 0f57c0 xorps xmm0, xmm0| : |: 0x0047bb48 4883c7f0 add rdi, 0xfffffffffffffff0| : |: 0x0047bb4c 48896c24f0 mov qword [rsp - 0x10], rbp| : |: 0x0047bb51 488d6c24f0 lea rbp, [rsp - 0x10]| : |: 0x0047bb56 e8851afdff call fcn.0044d5e0| : |: 0x0047bb5b 488b6d00 mov rbp, qword [rbp]| : |: 0x0047bb5f 488d051ae200. lea rax, 0x00489d80| : |: 0x0047bb66 48890424 mov qword [rsp], rax| : |: 0x0047bb6a 488d4c2478 lea rcx, [local_78h] ; 0x78 ; 'x' ; 120| : |: 0x0047bb6f 48894c2408 mov qword [local_8h], rcx| : |: 0x0047bb74 e877fdf8ff call fcn.0040b8f0| : |: 0x0047bb79 488b442410 mov rax, qword [local_10h] ; [0x10:8]=-1 ; 16| : |: 0x0047bb7e 488b4c2418 mov rcx, qword [local_18h] ; [0x18:8]=-1 ; 24| : |: 0x0047bb83 48898424b800. mov qword [local_b8h], rax| : |: 0x0047bb8b 48898c24c000. mov qword [local_c0h], rcx| : |: 0x0047bb93 488b052eea07. mov rax, qword [0x004fa5c8] ; [0x4fa5c8:8]=0| : |: 0x0047bb9a 488b0d1fea07. mov rcx, qword [0x004fa5c0] ; [0x4fa5c0:8]=0| : |: 0x0047bba1 4885c0 test rax, rax| :,===< 0x0047bba4 0f8698000000 jbe 0x47bc42| :||: 0x0047bbaa 48894c2408 mov qword [local_8h], rcx| :||: 0x0047bbaf 488d05cae100. lea rax, 0x00489d80| :||: 0x0047bbb6 48890424 mov qword [rsp], rax| :||: 0x0047bbba e831fdf8ff call fcn.0040b8f0| :||: 0x0047bbbf 488b442410 mov rax, qword [local_10h] ; [0x10:8]=-1 ; 16| :||: 0x0047bbc4 488b4c2418 mov rcx, qword [local_18h] ; [0x18:8]=-1 ; 24| :||: 0x0047bbc9 48898424c800. mov qword [local_c8h], rax| :||: 0x0047bbd1 48898c24d000. mov qword [local_d0h], rcx| :||: 0x0047bbd9 488d05a0e100. lea rax, 0x00489d80| :||: 0x0047bbe0 48890424 mov qword [rsp], rax| :||: 0x0047bbe4 488d4c2468 lea rcx, [local_68h] ; 0x68 ; 'h' ; 104| :||: 0x0047bbe9 48894c2408 mov qword [local_8h], rcx| :||: 0x0047bbee e8fdfcf8ff call fcn.0040b8f0| :||: 0x0047bbf3 488b442418 mov rax, qword [local_18h] ; [0x18:8]=-1 ; 24| :||: 0x0047bbf8 488b4c2410 mov rcx, qword [local_10h] ; [0x10:8]=-1 ; 16| :||: 0x0047bbfd 48898c24d800. mov qword [local_d8h], rcx| :||: 0x0047bc05 48898424e000. mov qword [local_e0h], rax| :||: 0x0047bc0d 488d8424b800. lea rax, [local_b8h] ; 0xb8 ; 184| :||: 0x0047bc15 48890424 mov qword [rsp], rax| :||: 0x0047bc19 48c744240803. mov qword [local_8h], 3| :||: 0x0047bc22 48c744241003. mov qword [local_10h], 3| :||: 0x0047bc2b e8308cffff call fcn.00474860| :||: 0x0047bc30 48c704240100. mov qword [rsp], 1| :||: 0x0047bc38 e8731cfeff call fcn.0045d8b0| `====< 0x0047bc3d e99efcffff jmp 0x47b8e0| ||: ; JMP XREF from 0x0047bba4 (fcn.0047b8a0)| `---> 0x0047bc42 e8798cfaff call fcn.004248c0| |: 0x0047bc47 0f0b ud2| |: ; JMP XREF from 0x0047b8b2 (fcn.0047b8a0)| `--> 0x0047bc49 e872f3fcff call fcn.0044afc0\ `=< 0x0047bc4e e94dfcffff jmp fcn.0047b8a0
根据我们的分析(详见注释),密码判断逻辑应该如下:
for (int i=0; i<length(provided_flag[i]); i++) {if (main_mapanic(provided_flag[i]) != constant_binary_blob[i]) {badboy();exit();}goodboy();}
如果要硬着头皮调试的话当然也可以,但我们这里采取暴力破解的办法。还记得章节 5.2 里说的 pin 吗,”由于程序具有循环、分支等结构,每次运行时执行的指令数量不一定相同,于是我们可是使用 Pin 来统计执行指令的数量,从而对程序进行分析”。这里就是这样,程序对输入的密码逐位判断,如果错误,就跳出来,所以根据我们密码正确字节数的不同,程序会执行有明显差异的次数。我们还讲过一个官方示例 inscount0.cpp,我们针对这一题稍微做一点修改,如下:
#include <iostream>#include <fstream>#include "pin.H"ofstream OutFile;// The running count of instructions is kept here// make it static to help the compiler optimize docountstatic UINT64 icount = 0;// This function is called before every instruction is executedVOID docount(void *ip) {if ((long int)ip == 0x0047b96e) icount++; // 0x0047b960: compare mapanic(provided_flag[i]) with constant_binary_blob[i]}// Pin calls this function every time a new instruction is encounteredVOID Instruction(INS ins, VOID *v){// Insert a call to docount before every instruction, no arguments are passedINS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_INST_PTR, IARG_END); // IARG_INST_PTR: Type: ADDRINT. The address of the instrumented instruction.}KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool","o", "inscount.out", "specify output file name");// This function is called when the application exitsVOID Fini(INT32 code, VOID *v){// Write to a file since cout and cerr maybe closed by the applicationOutFile.setf(ios::showbase);OutFile << "Count " << icount << endl;OutFile.close();}/* ===================================================================== *//* Print Help Message *//* ===================================================================== */INT32 Usage(){cerr << "This tool counts the number of dynamic instructions executed" << endl;cerr << endl << KNOB_BASE::StringKnobSummary() << endl;return -1;}/* ===================================================================== *//* Main *//* ===================================================================== *//* argc, argv are the entire command line: pin -t <toolname> -- ... *//* ===================================================================== */int main(int argc, char * argv[]){// Initialize pinif (PIN_Init(argc, argv)) return Usage();OutFile.open(KnobOutputFile.Value().c_str());// Register Instruction to be called to instrument instructionsINS_AddInstrumentFunction(Instruction, 0);// Register Fini to be called when the application exitsPIN_AddFiniFunction(Fini, 0);// Start the program, never returnsPIN_StartProgram();return 0;}
主要是修改了两个地方:
// This function is called before every instruction is executedVOID docount(void *ip) {if ((long int)ip == 0x0047b96e) icount++; // 0x0047b960: compare mapanic(provided_flag[i]) with constant_binary_blob[i]}
该函数会在每条指令执行之前被调用,判断是否是我们需要的 0x0047b96e 地址处的指令。
然后由于函数 docount 需要一个参数,所以 Instruction 函数也要修改,加入指令的地址 IARG_INST_PTR:
// Pin calls this function every time a new instruction is encounteredVOID Instruction(INS ins, VOID *v){// Insert a call to docount before every instruction, no arguments are passedINS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_INST_PTR, IARG_END); // IARG_INST_PTR: Type: ADDRINT. The address of the instrumented instruction.}
好,接下来 make 并执行。其实我们是知道 flag 结构的,”hxp{…}“ ,总共 42 个字节。
$ cp dont_panic.cpp source/tools/MyPintool[MyPinTool]$ make obj-intel64/dont_panic.so TARGET=intel64[MyPinTool]$ ../../../pin -t obj-intel64/dont_panic.so -o inscount.out -- ~/dont_panic "hxp{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}" ; cat inscount.outNope.Count 5
注意,这里的 5 是执行次数,匹配正确的个数是 5-1=4,即 “hxp{“。但是最后一次是例外,因为完全匹配成功后直接跳转返回,不会再进行匹配。
和预期结果一样,下面写个脚本来自动化这一过程:
import osdef get_count(flag):os.system("../../../pin -t obj-intel64/dont_panic.so -o inscount.out -- ~/dont_panic " + "\"" + flag + "\"")with open("inscount.out") as f:count = int(f.read().split(" ")[1])return countcharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*'"flag = list("hxp{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}")count = 0while count != 42:for i in range(4, 41): # only compare "a" in "hex{}"for c in charset:flag[i] = c# print("".join(flag))count = get_count("".join(flag))if count == i+2:breakprint("".join(flag))
可惜就是速度有点慢,大概跑了一个小时吧。。。
hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}
$ ./dont_panic "hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}"Seems like you got a flag...
参考资料里的 gdb 脚本就快得多:
import gdbCHAR_SUCCESS = 0x47B976NOPE = 0x47BA23gdb.execute("set pagination off")gdb.execute("b*0x47B976") #Success for a given charactergdb.execute("b*0x47BA23") #Block displaying "Nope"charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*{}'"flag = list('A'*42) #junkfor i in range(0,len(flag)) :for c in charset:flag[i] = c# the number of times we need to hit the# success bp for the previous correct characterssuccess_hits = igdb.execute("r " + '"' + "".join(flag) + '"')while success_hits > 0 :gdb.execute('c')success_hits -= 1#we break either on success or on failrip = int(gdb.parse_and_eval("$rip"))if rip == CHAR_SUCCESS:break #right one. To the next characterif rip == NOPE: #added for claritycontinueprint("".join(flag))
在最后一篇参考资料里,介绍了怎样还原 Go 二进制文件的函数名,这将大大简化我们的分析。
