geek-no-gdb

题目地址 话说好像是要用gdb调试的,然而之前一直没用过gdb,对着教程弄了一会,也许是因为编译时没有-g导致调试不起来,只能拖进ida看看,发现大部分函数也是能看的,不过最关键的一段函数却无法使用f5,只能怼汇编了:

; IDA listing of sub_400716 (called from main+B0).  As far as the visible
; lines show, the C-equivalent is  int sub_400716(const char *s):
;   - rdi = s, the caller's input string, saved to [rbp+s]
;   - a 41-character buffer s2 is built on the stack from 8-byte immediates
;   - for i in [0, strlen(s)):  s2[i] ^= 0x34   (in place, on s2 not on s)
;   - strcmp(s, s2) == 0  ->  puts("Yeah!Prison break!")  else  puts("No!You Failed")
; The listing is cut after the failure branch: loc_4007E7 (the join point
; that the success path jumps to), the stack-canary check and the epilogue
; are not shown here.
; Note on the loop bound: it is strlen(s), not sizeof(s2).  An input longer
; than 41 characters makes the in-place XOR run past s2's terminator; at
; i = 56 (-50h + 38h = -18h) it reaches the canary copy in var_18, so an
; over-long input would presumably trip the stack protector (check not shown).
sub_400716      proc near               ; CODE XREF: main+B0↓p

s = qword ptr -68h                      ; saved arg 0: pointer to the input string
var_54 = dword ptr -54h                 ; loop index i (32-bit, sign-extended before use)
s2 = byte ptr -50h                      ; comparison buffer; the five qwords below are s2[0..39]
var_48 = qword ptr -48h                 ; s2[8..15]
var_40 = qword ptr -40h                 ; s2[16..23]
var_38 = qword ptr -38h                 ; s2[24..31]
var_30 = qword ptr -30h                 ; s2[32..39]
var_28 = word ptr -28h                  ; s2[40] plus NUL terminator (one word store)
var_18 = qword ptr -18h                 ; stack canary copy (from fs:28h)

; __unwind {
push rbp
mov rbp, rsp
nop
sub rsp, 68h                            ; frame for the locals above
mov [rbp+s], rdi                        ; s = input string
mov rax, fs:28h                         ; load the stack canary
mov [rbp+var_18], rax                   ; ... and keep a copy for the (unshown) epilogue check
xor eax, eax
; IDA prints each 8-byte immediate byte-reversed (little-endian qword);
; the in-memory order is given in the comment on each store.
mov rax, 'kVPSOwmg'
mov qword ptr [rbp+s2], rax             ; s2[0..7]   = "gmwOSPVk"
mov rax, 'YkQ\@kQV'
mov [rbp+var_48], rax                   ; s2[8..15]  = "VQk@\QkY"
mov rax, 'QC[Dk@G['
mov [rbp+var_40], rax                   ; s2[16..23] = "[G@kD[CQ"
mov rax, 'kg{kXARF'
mov [rbp+var_38], rax                   ; s2[24..31] = "FRAXk{gk"
mov rax, 'FQSSAVQP'
mov [rbp+var_30], rax                   ; s2[32..39] = "PQVASSQF"
mov [rbp+var_28], 'I'                   ; s2[40] = 'I'; the word store's high byte is the NUL terminator
mov [rbp+var_54], 0                     ; i = 0
jmp short loc_4007A3                    ; enter the loop at its condition
; ---------------------------------------------------------------------------

loc_400787: ; CODE XREF: sub_400716+A2↓j
; loop body: s2[i] ^= 0x34
mov eax, [rbp+var_54]                   ; i
cdqe
movzx eax, [rbp+rax+s2]                 ; eax = s2[i] (zero-extended byte)
xor eax, 34h                            ; ^ 0x34
mov edx, eax
mov eax, [rbp+var_54]
cdqe
mov [rbp+rax+s2], dl                    ; store back into s2[i] (in place)
add [rbp+var_54], 1                     ; i++

loc_4007A3: ; CODE XREF: sub_400716+6F↑j
; loop condition: (unsigned long)i < strlen(s), strlen recomputed every iteration
mov eax, [rbp+var_54]
movsxd rbx, eax                         ; rbx = (long)i  (rbx is callee-saved but not pushed in the visible prologue)
mov rax, [rbp+s]
mov rdi, rax ; s
call _strlen                            ; bound is the INPUT length, not the 41 bytes of s2
cmp rbx, rax
jb short loc_400787                     ; unsigned compare: jb, not jl
; loop done: compare the input against the transformed buffer
lea rdx, [rbp+s2]
mov rax, [rbp+s]
mov rsi, rdx ; s2
mov rdi, rax ; s1
call _strcmp                            ; strcmp(s, s2)
test eax, eax
jnz short loc_4007DD                    ; mismatch -> failure message
mov edi, offset s ; "Yeah!Prison break!"
call _puts
jmp short loc_4007E7                    ; join point, outside this listing
; ---------------------------------------------------------------------------

loc_4007DD: ; CODE XREF: sub_400716+B9↑j
mov edi, offset aNoYouFailed ; "No!You Failed"
call _puts

一通操作就是把一开始的输入读入s,然后再把一个字符串写入s2,如果把s的每一个字节异或0x34后与s2相等就ok啦,所以flag=s2^0x34,逆运算脚本如下:

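# Recover the expected input from the hard-coded comparison buffer.
#
# s2 is the 41-byte buffer sub_400716 builds on the stack, written in memory
# order (IDA shows each 8-byte immediate byte-reversed).  The binary XORs each
# byte of s2 with 0x34 before strcmp'ing it against the input, so XORing s2
# with 0x34 again reproduces the input that passes the check.
#
# A raw string is used so the "\Q" inside the buffer stays a literal backslash
# followed by Q: in a normal string literal "\Q" is an unrecognized escape,
# which newer Python versions warn about.  print() with a single argument
# behaves the same on Python 2 and 3.
s2 = r"gmwOSPVkVQk@\QkY[G@kD[CQFRAXk{gkPQVASSQFI"
flag = ''.join(chr(ord(c) ^ 0x34) for c in s2)  # XOR with 0x34 is its own inverse
print(flag)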

不知道怎么用gdb真是鶸啊orz
