Study Record



[리버싱] Hack Me 리버싱 의사코드 복원 (7,10단계)

초코초코초코 2021. 11. 16. 14:30

7단계 : /bin/level7

☞ /bin/level7 어셈블리어 분석 (gdb /bin/level7)

# /bin/level7 main(), gdb disassembly in AT&T syntax (source operand first).
# 32-bit cdecl: arguments are pushed right-to-left, the caller pops them after
# each call (the `add $0x10,%esp` lines), and the result comes back in %eax.
# The `==>` lines give the C call that each instruction group reconstructs.
0x08048454 <main+0>:    push   %ebp                      # prologue: save the caller's frame pointer
0x08048455 <main+1>:    mov    %esp,%ebp                 # set up this function's frame
0x08048457 <main+3>:    sub    $0x8,%esp                 # reserve 8 bytes for locals
0x0804845a <main+6>:    and    $0xfffffff0,%esp          # round %esp down to a 16-byte boundary
0x0804845d <main+9>:    mov    $0x0,%eax
0x08048462 <main+14>:   sub    %eax,%esp                 # subtracts 0, so %esp is unchanged

0x08048464 <main+16>:   sub    $0xc,%esp                 # 12 bytes of padding + one 4-byte push = the 16 bytes popped at main+26
0x08048467 <main+19>:   push   $0x64                     # size argument: 0x64 = 100 bytes
0x08048469 <main+21>:   call   0x8048344 <malloc>
0x0804846e <main+26>:   add    $0x10,%esp
==> malloc(0x64)

0x08048471 <main+29>:   mov    %eax,0xfffffffc(%ebp)   # 0xfffffffc(%ebp) is -4(%ebp): local s = malloc(0x64); stored without a NULL check

0x08048474 <main+32>:   sub    $0xc,%esp
0x08048477 <main+35>:   push   $0x80485c0        # address of the string "Insert The Password : "
0x0804847c <main+40>:   call   0x8048384 <printf>
0x08048481 <main+45>:   add    $0x10,%esp
==> printf("Insert The Password : ")

0x08048484 <main+48>:   sub    $0x4,%esp
0x08048487 <main+51>:   pushl  0x8049744              # value stored at 0x8049744: stdin (third argument)
0x0804848d <main+57>:   push   $0x64                  # read limit 0x64, the same as the allocation size, so the read stays inside the buffer
0x0804848f <main+59>:   pushl  0xfffffffc(%ebp)       # local s; being fgets' first argument shows that it is a char *
0x08048492 <main+62>:   call   0x8048354 <fgets>
0x08048497 <main+67>:   add    $0x10,%esp
==> fgets(s, 0x64, stdin)

0x0804849a <main+70>:   sub    $0x4,%esp
0x0804849d <main+73>:   push   $0x4                   # n = 4: only the first four bytes are compared
0x0804849f <main+75>:   push   $0x80485d7             # address of the string "mate"
0x080484a4 <main+80>:   pushl  0xfffffffc(%ebp)       # local s
0x080484a7 <main+83>:   call   0x8048364 <strncmp>
0x080484ac <main+88>:   add    $0x10,%esp
==> strncmp(s, "mate", 0x4)

0x080484af <main+91>:   test   %eax,%eax              # %eax = return value of strncmp(s, "mate", 0x4); zero means the first 4 bytes match
0x080484b1 <main+93>:   jne    0x80484cd <main+121>   # non-zero (mismatch): jump to main+121
# if the first 4 bytes of s equal "mate": fall through to main+95, else go to main+121

0x080484b3 <main+95>:   sub    $0xc,%esp
0x080484b6 <main+98>:   push   $0x80485e0             # address of "\nCongratulation! next password is \"break the world\".\n\n"
0x080484bb <main+103>:  call   0x8048384 <printf>
0x080484c0 <main+108>:  add    $0x10,%esp
==> printf("\nCongratulation! next password is \"break the world\".\n\n")

0x080484c3 <main+111>:  sub    $0xc,%esp
0x080484c6 <main+114>:  push   $0x0
0x080484c8 <main+116>:  call   0x8048394 <exit>       # exit(0) does not return, so no stack cleanup follows it
0x080484cd <main+121>:  sub    $0xc,%esp              # main+121 is the jne target (mismatch path): argument setup for system() starts here
==> exit(0)

0x080484d0 <main+124>:  push   $0x8048617            # address of the string "cat /bin/wrong.txt"
0x080484d5 <main+129>:  call   0x8048334 <system>    # system() hands the command line to a shell
==> system("cat /bin/wrong.txt")

0x080484da <main+134>:  add    $0x10,%esp
0x080484dd <main+137>:  leave                         # epilogue: restore %esp and %ebp
0x080484de <main+138>:  ret
0x080484df <main+139>:  nop                           # after ret; presumably padding

☞ 복원된 코드

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

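/*
 * main() of /bin/level7, reconstructed from the disassembly above.
 * The body mirrors the binary call for call; it is a reading aid, not a
 * hardened rewrite.  The return type is spelled out because implicit int
 * is no longer valid C.
 *
 * Review notes:
 *  - malloc()'s result is used without a NULL check, as in the binary.
 *  - fgets() is limited to 0x64 bytes, the size of the allocation, so the
 *    read stays inside the buffer.
 *  - strncmp(..., 0x4) looks only at the first four bytes, so any line
 *    that starts with "mate" is accepted, whatever follows it.
 *  - The expected input and the next password are plain string constants,
 *    so anyone who can read or debug the binary can recover them.
 *  - system() runs its command through a shell; printing the file with
 *    fopen()/fread() would not depend on the shell or the environment.
 */
int main(void) {
    char *s;

    /* 0x64 = 100 bytes; the binary stores the pointer at -4(%ebp). */
    s = (char *)malloc(0x64);
    printf("Insert The Password : ");

    /* Same 0x64 limit as the allocation above. */
    fgets(s, 0x64, stdin);

    /* Prefix comparison: only s[0..3] is checked against "mate". */
    if (strncmp(s, "mate", 0x4) == 0) {
        printf("\nCongratulation! next password is \"break the world\".\n\n");
        exit(0);
    }

    /* Mismatch path (main+121 in the listing). */
    system("cat /bin/wrong.txt");
}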

 

10단계 : /home/level10/program/level10

☞ /home/level10/program/level10 어셈블리어 분석 (gdb /home/level10/program/level10)

# /home/level10/program/level10 main(), gdb disassembly in AT&T syntax.
# 32-bit cdecl: arguments are pushed right-to-left, so the LAST push before a
# call is the FIRST C argument.  The listing shows only shmget, shmat and
# strcpy before leave/ret: there is no shmdt() or shmctl() call, and neither
# return value is tested before it is used.
0x08048470 <main+0>:    push   %ebp                      # prologue: save the caller's frame pointer
0x08048471 <main+1>:    mov    %esp,%ebp                 # set up this function's frame
0x08048473 <main+3>:    sub    $0x8,%esp                 # reserve 8 bytes of stack

0x08048476 <main+6>:    sub    $0x4,%esp                 # 4 bytes of padding + three 4-byte pushes = the 16 bytes popped at main+29
0x08048479 <main+9>:    push   $0x3b6                    # third argument (shmflg): 0x3b6 = 01666 octal = IPC_CREAT (01000 on Linux) | mode 0666
0x0804847e <main+14>:   push   $0x404                    # second argument (size): 0x404 = 1028 bytes
0x08048483 <main+19>:   push   $0x1d6a                   # first argument (key): 0x1d6a = 7530
0x08048488 <main+24>:   call   0x804832c <shmget>
0x0804848d <main+29>:   add    $0x10,%esp
==> shmget(0x1d6a, 0x404, 0x3b6)

0x08048490 <main+32>:   mov    %eax,%eax                 # no-op: %eax copied onto itself
0x08048492 <main+34>:   mov    %eax,0x80496d0          # stored at a fixed address, so presumably a global: int shmid = shmget(0x1d6a, 0x404, 0x3b6);
0x08048497 <main+39>:   sub    $0x4,%esp
0x0804849a <main+42>:   push   $0x0                      # third argument (shmflg) = 0
0x0804849c <main+44>:   push   $0x0                      # second argument (shmaddr) = 0
0x0804849e <main+46>:   pushl  0x80496d0                 # first argument: the value of shmid
0x080484a4 <main+52>:   call   0x804834c <shmat>
0x080484a9 <main+57>:   add    $0x10,%esp
==> shmat(shmid, 0, 0)

0x080484ac <main+60>:   mov    %eax,0x80496cc          # stored at a fixed address, so presumably a global: void *shmaddr = shmat(shmid, 0, 0)
0x080484b1 <main+65>:   sub    $0x8,%esp                 # 8 bytes of padding + two 4-byte pushes = the 16 bytes popped at main+84
0x080484b4 <main+68>:   push   $0x8048560              # source: address of "멍멍: level11의 패스워드는?\n구타: what!@#?\n"
0x080484b9 <main+73>:   pushl  0x80496cc                 # destination: the value of shmaddr
0x080484bf <main+79>:   call   0x804835c <strcpy>
0x080484c4 <main+84>:   add    $0x10,%esp
==> strcpy(shmaddr, "멍멍: level11의 패스워드는?\n구타: what!@#?\n")

0x080484c7 <main+87>:   leave                            # epilogue: restore %esp and %ebp
0x080484c8 <main+88>:   ret
0x080484c9 <main+89>:   lea    0x0(%esi),%esi            # after ret: changes nothing; presumably padding, as are the nops below
0x080484cc <main+92>:   nop
0x080484cd <main+93>:   nop
0x080484ce <main+94>:   nop
0x080484cf <main+95>:   nop

☞ 복원된 코드

#include <stdio.h>
#include <sys/shm.h>
#include <sys/ipc.h>
#include <sys/types.h>
#include <string.h>

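/*
 * The disassembly stores both results at fixed addresses (0x80496d0 and
 * 0x80496cc), which is why they are modelled as globals here.
 */
int shmid;
void *shmaddr = (void *)0;

/*
 * main() of /home/level10/program/level10, reconstructed from the
 * disassembly above.  The body mirrors the binary call for call.
 *
 * Review notes:
 *  - shmflg 0x3b6 is 01666 octal: IPC_CREAT (01000 on Linux) plus mode
 *    0666, which grants read and write on the segment to every local
 *    account.  A segment that carries a secret should be created 0600.
 *  - Neither shmget() nor shmat() is checked for failure before the
 *    result is used, as in the binary.
 *  - The binary never calls shmdt() or shmctl(IPC_RMID), so the segment
 *    and its contents outlive the process.
 */
int main(void) {
        /*
         * cdecl pushes arguments right-to-left: the listing pushes 0x3b6,
         * then 0x404, then 0x1d6a, so the C call is
         * shmget(key = 0x1d6a, size = 0x404, shmflg = 0x3b6).
         */
        shmid = shmget(0x1d6a, 0x404, 0x3b6);

        /* shmaddr argument 0: the kernel chooses the attach address. */
        shmaddr = shmat(shmid, 0, 0);

        strcpy(shmaddr, "멍멍: level11의 패스워드는?\n구타: what!@#?\n");
}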