Ctf-reverse-daily (4)-elfcrackme2

Source: Internet
Author: User

Link: http://pan.baidu.com/s/1hshVzvu Password: sd4d

A very, very tricky problem: it looks simple, but there are some deep traps hidden in it.

I'll write up three methods together: brute force using the ASCII value range, a dynamic-debugging solution, and a static-debugging solution.

(Thanks to my senior XX for the support and to a netizen's writeup)

1. First get the program and throw it into IDA; you'll find it's a Linux program. The program body looks very simple, and it also runs normally under Ubuntu.

2. Combined with the assembly, a rough analysis of the program: the second if judgment XORs each byte of the input string with the first, second, third and fourth bytes of v4/v0 (32-bit) in turn, and compares the result with the string starting at 0x80498f0. Only when all 16 positions are fully equal does it print the success message.

3. At a glance, the values of v4 and v0 are independent of the input string, so they should be fixed values. v4 = v0 corresponds to the instruction mov edx, eax, so the natural idea is to set a breakpoint in GDB at 0x08048416.

4. If you're thinking the same way I was, congratulations, you've walked into the trap. But let me finish the first method first.

5. Use GDB to get the EAX value after hitting the breakpoint: 0xd90c5525

6. So I tried writing code like this:

7. Of course, all you get is garbage...

8. Well, it's 01:43:32 and I'll stop talking and go to sleep! The reason for the error is that the first if statement reads the text segment and performs a series of operations on the values it reads, from the main function all the way to 0x0804872A, so of course it also reads the location where you set the breakpoint. According to material online, the b *0x... operation replaces the byte at that address with 0xCC, so the EAX and EDX values you get are wrong. So what do we do?

Solution One: dynamic debugging

I've made a lot of mistakes during this period.

Error one: I used b *0x08048418 if $eip == 0x08048146 // r, and b *0x080483fa // r // b *0x08048418 if $edx == $ebx. Both of these methods were wrong.

The reason for the mistake was misunderstanding what the breakpoint command means. I thought "b ... if" keeps monitoring whether the condition holds; in fact the condition is only evaluated when execution reaches the breakpoint address:

If you've made the same mistake, you'll understand why it doesn't work.

Error two: watch $eip == 0x08048418 is also wrong; I haven't checked the specific reason.

Let me write the final solution directly: memory-access monitoring uses the GDB command awatch (awatch sets a read/write watchpoint, which breaks when the memory is read or written, while rwatch breaks on reads and watch breaks on writes).

What I'm using here is awatch.

The commands for awatch: awatch *0x08048148 // r // info b // d 1 // s // s // ... // b *0x08048148 // c

This way you can get the correct EAX value, and then combine it with the script you wrote at the beginning to get the flag.

To be continued...
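An added example, not the author's script (which is not reproduced on this page): it models the check as described above (each input byte XORed with byte i % 4 of the 32-bit value, compared against a 16-byte string), recovers the flag from the EAX value 0xd90c5525, shows the ASCII-range brute force of the key bytes when the key is unknown, and shows why a planted 0xCC breakpoint byte changes a value computed over the code. The target bytes, the sample flag, the code bytes and the checksum routine are all constructed stand-ins, since none of them is given on the page.

```python
import string

KEY = 0xD90C5525   # EAX value at the breakpoint, quoted in the writeup
INT3 = 0xCC        # byte GDB writes into .text for "b *addr"

def key_bytes(key: int) -> bytes:
    # x86 is little-endian, so the "first byte" of EAX is its low byte.
    return key.to_bytes(4, "little")

def xor_with_key(data: bytes, key: int) -> bytes:
    kb = key_bytes(key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))

def recover_flag(target: bytes, key: int) -> str:
    """Dynamic-debugging route: key read from EAX, flag = target XOR key."""
    return xor_with_key(target, key).decode("ascii")

def bruteforce_key_bytes(target: bytes) -> list:
    """ASCII-range route: without the key, key byte j must map every target
    byte at positions i == j (mod 4) to printable ASCII. Returns, per key
    byte, the set of candidate values that survive that constraint."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return [{k for k in range(256)
             if all(b ^ k in printable for b in target[j::4])}
            for j in range(4)]

def checksum_text(code: bytes) -> int:
    """Constructed stand-in for the 'first if' that folds .text bytes into a
    32-bit value; the real routine is not on the page, only the property is."""
    h = 0
    for b in code:
        h = (h * 33 + b) & 0xFFFFFFFF  # assumed fold, not the crackme's
    return h

def checksum_with_breakpoint(code: bytes, offset: int) -> int:
    """Same fold after GDB has planted an int3 (0xCC) at `offset`."""
    patched = bytearray(code)
    patched[offset] = INT3
    return checksum_text(bytes(patched))

# Constructed sample data: the real flag and the bytes at 0x80498f0 are not
# on the page, and CODE merely stands in for main .. 0x0804872a.
SAMPLE_FLAG = b"flag{xor_sample}"                 # 16 bytes
TARGET = xor_with_key(SAMPLE_FLAG, KEY)           # what the binary compares against
CODE = bytes(range(0x55, 0x55 + 48))

if __name__ == "__main__":
    print(recover_flag(TARGET, KEY))              # flag{xor_sample}
    print(hex(checksum_text(CODE)), hex(checksum_with_breakpoint(CODE, 10)))
```

The brute-force route only narrows each key byte to the candidates that keep every fourth character printable; the true key byte is always among them, and a longer target string shrinks the set further.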
