0ctf-pwn_warmup-re_mips4

Source: Internet
Author: User

Warmup (2)

The program is small: read and write are done directly through INT 80h system calls. The stack overflow is obvious and gives 20 bytes of overflow. According to the hint, a sandbox restricts the process to reading the file /home/warmup/flag only. So the plan is clear: open the flag file, read it into memory, and write that memory to standard output. The first problem: open is system call number 5, and the number has to be in eax. How do we get that value into eax and then immediately execute the system call to open the file and read it into memory?

My first idea was that sys_read returns the number of bytes read and sys_write returns the number of bytes written, so if we control the read or write size to be 5, eax is 5 right after the call returns, and we can return straight into reading the file. However, the stack layout turned out not to work for this.

Finally I checked the return value of alarm and found that if alarm is called twice in a row, the second call returns the number of seconds remaining on the first alarm. Because the program runs for a very short time, if the first call is alarm(5), the second call returns 5, which gives us the system call number. Now the file can be opened, and since the return address can be pointed back to the start of the program, one overflow reads the flag and the last overflow writes it to standard output, which yields the flag.

Trace (4)

A MIPS reverse-engineering problem that hands you a tracelog. At first I did not read the assembly at all; I kept trying to simulate executing this code and also looked into how to use Unicorn. It feels very powerful, but it was not usable here: Unicorn seems better suited to emulating a piece of shellcode you already have.

I still want to know what tool produced this tracelog; it looks awkward (like an Intel-style assembler). Can anyone tell me? I had never touched MIPS assembly, so I looked up the calling convention, the roles of the registers, and what the function prologue and epilogue look like, and then started analysing the code with a MIPS instruction-set manual in hand. After roughly 1000 lines (the large sections are actually in loops) I saw the code repeatedly calling one function, so I decided to use the prologues and epilogues to work out how many functions there are, the address range of each, and how many times each is called. The analysis showed that the more than 20,000 lines of trace contain only 3 functions, one of which is called recursively 131 times.

The function at 0x004007d0-0x0040084c is called once; it initialises memory, building a contiguous buffer of the characters a-zA-Z0-9{}flag. The function at 0x00400858-0x004009c8 is called 131 times, recursively; analysis shows it sorts the characters in the buffer built earlier. The function at 0x00400770-0x004007c4 is an implementation of strlen() and is called three times.
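The counting method described above, written out as an added example (not the author's code): it walks a trace, counts a call whenever the pc lands on one of the three prologue addresses from the write-up, and tracks how deep the recursive function nests. The "pc: mnemonic operands" line layout and the sample trace are constructed assumptions, since the real tracelog format is not known.

```python
import re
from collections import Counter
# Address ranges from the write-up, with the roles the analysis gave them.
FUNCS = {
    "init_charset": (0x004007D0, 0x0040084C),  # builds the a-zA-Z0-9{}flag buffer
    "sort_rec":     (0x00400858, 0x004009C8),  # recursive sort of that buffer
    "strlen":       (0x00400770, 0x004007C4),
}
START_TO_NAME = {lo: name for name, (lo, _hi) in FUNCS.items()}
# Assumed "pc: mnemonic operands" layout; the real tracelog format is unknown.
LINE_RE = re.compile(r"^\s*(?:0x)?([0-9a-fA-F]{6,8}):\s+(\S+)\s*(.*)$")

def analyse_trace(text):
    """Return (calls per function, deepest nesting per function). A call is
    counted when the pc lands on a prologue address; 'jr $ra' closes the
    innermost open call, so delay slots need no special handling."""
    calls, depth, max_depth = Counter(), Counter(), Counter()
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pc, mnemonic, operands = int(m.group(1), 16), m.group(2), m.group(3)
        name = START_TO_NAME.get(pc)
        if name is not None:
            calls[name] += 1
            stack.append(name)
            depth[name] += 1
            max_depth[name] = max(max_depth[name], depth[name])
        elif mnemonic == "jr" and operands.strip() == "$ra" and stack:
            depth[stack.pop()] -= 1
    return dict(calls), dict(max_depth)
# Constructed, abbreviated trace (not the challenge's log): init once,
# sort_rec nested three deep, strlen called three times.
SAMPLE_TRACE = """\
004007d0: addiu $sp,$sp,-32
00400840: jr $ra
00400858: addiu $sp,$sp,-40
00400858: addiu $sp,$sp,-40
00400858: addiu $sp,$sp,-40
004009c0: jr $ra
004009c0: jr $ra
004009c0: jr $ra
00400770: lbu $v0,0($a0)
004007c0: jr $ra
00400770: lbu $v0,0($a0)
004007c0: jr $ra
00400770: lbu $v0,0($a0)
004007c0: jr $ra
"""
```

Running `analyse_trace(SAMPLE_TRACE)` reports one call to init_charset, three to sort_rec with a nesting depth of three, and three to strlen; on the real 20,000-line trace the same walk would report the 131 recursive calls.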

After working out that 0x00400858-0x004009c8 recursively sorts the characters in memory, I set out to simulate the whole sorting process according to the tracelog. The simulation result:

Here 'F1' stands for the first byte of the flag, 'F2' for the second, and so on. At this point the flag is already very close: at the end of the main function the program checks the ordering relations between the individual bytes, and I simulated that part as well.

With that, the content of each byte can be determined, and the flag is: 0ctf{tr135m1k5l96551s9l5r}

The code is too ugly to be posted.

Attachments:

MIPS instruction set reference: http://www.mrc.uidaho.edu/mrc/people/jff/digital/MIPSir.html

MIPS registers:

MIPS prologue and epilogue
