pwnable.kr 6 - random
This looks like a problem that uses the random function.
Let's take a look at the code.
```
random@pwnable:~$ cat random.c
#include <stdio.h>

int main(){
        unsigned int random;
        random = rand();        // random value!

        unsigned int key=0;
        scanf("%d", &key);

        if( (key ^ random) == 0xdeadbeef ){
                printf("Good!\n");
                system("/bin/cat flag");
                return 0;
        }

        printf("Wrong, maybe you should try 2^32 cases.\n");
        return 0;
}
```
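The program reads a key value and XORs it with the random value.
If the result is 0xdeadbeef, we get the flag.
This is easy once you know that when a value is obtained by simply calling rand(), with no seeding, it returns the same value on every run.
Disassembling main shows that the random value is at rbp-0x4 and the key value is at rbp-0x8.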
```
(gdb) disas main
Dump of assembler code for function main:
   0x00000000004005f4 <+0>:     push   rbp
   0x00000000004005f5 <+1>:     mov    rbp,rsp
   0x00000000004005f8 <+4>:     sub    rsp,0x10
   0x00000000004005fc <+8>:     mov    eax,0x0
   0x0000000000400601 <+13>:    call   0x400500 <rand@plt>
   0x0000000000400606 <+18>:    mov    DWORD PTR [rbp-0x4],eax
   0x0000000000400609 <+21>:    mov    DWORD PTR [rbp-0x8],0x0
   0x0000000000400610 <+28>:    mov    eax,0x400760
   0x0000000000400615 <+33>:    lea    rdx,[rbp-0x8]
   0x0000000000400619 <+37>:    mov    rsi,rdx
   0x000000000040061c <+40>:    mov    rdi,rax
   0x000000000040061f <+43>:    mov    eax,0x0
   0x0000000000400624 <+48>:    call   0x4004f0 <__isoc99_scanf@plt>
   0x0000000000400629 <+53>:    mov    eax,DWORD PTR [rbp-0x8]
   0x000000000040062c <+56>:    xor    eax,DWORD PTR [rbp-0x4]
   0x000000000040062f <+59>:    cmp    eax,0xdeadbeef
   0x0000000000400634 <+64>:    jne    0x400656 <main+98>
   0x0000000000400636 <+66>:    mov    edi,0x400763
   0x000000000040063b <+71>:    call   0x4004c0 <puts@plt>
   0x0000000000400640 <+76>:    mov    edi,0x400769
   0x0000000000400645 <+81>:    mov    eax,0x0
   0x000000000040064a <+86>:    call   0x4004d0 <system@plt>
   0x000000000040064f <+91>:    mov    eax,0x0
   0x0000000000400654 <+96>:    jmp    0x400665 <main+113>
   0x0000000000400656 <+98>:    mov    edi,0x400778
   0x000000000040065b <+103>:   call   0x4004c0 <puts@plt>
   0x0000000000400660 <+108>:   mov    eax,0x0
   0x0000000000400665 <+113>:   leave
   0x0000000000400666 <+114>:   ret
```
So we set a breakpoint at main+33 and look at the value at rbp-0x4.
```
(gdb) b *main+33
Breakpoint 1 at 0x400615
(gdb) r
Starting program: /home/random/random

Breakpoint 1, 0x0000000000400615 in main ()
(gdb) x/wx $rbp-0x8
0x7ffdcbf613f8: 0x00000000
(gdb) x/wx $rbp-0x4
0x7ffdcbf613fc: 0x6b8b4567
```
Doing the calculation by hand is a hassle, so I used a calculator.
The answer is 3039230856.
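The calculation above, plus the fix for the underlying weakness, as an added example that is not part of the original post: it shows that rand() without srand() repeats the srand(1) sequence, inverts the XOR check, and contrasts this with a value read from the kernel CSPRNG. The helper names (`key_for`, `first_rand_with_seed`, `unpredictable_u32`) are hypothetical, and `/dev/urandom` assumes a Unix-like system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdeadbeefu  /* constant compared against in random.c */

/* XOR is its own inverse: (key ^ r) == TARGET  <=>  key == (r ^ TARGET). */
uint32_t key_for(uint32_t r) { return r ^ TARGET; }

/* First rand() output after seeding. The C standard specifies that rand()
 * called with no prior srand() behaves as if srand(1) had been called. */
uint32_t first_rand_with_seed(unsigned seed) {
    srand(seed);
    return (uint32_t)rand();
}

/* Hardened alternative (assumption: a Unix-like system with /dev/urandom):
 * take the secret from the kernel CSPRNG. Returns 0 on success, -1 on error. */
int unpredictable_u32(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

int main(void) {
    uint32_t unseeded = (uint32_t)rand();   /* same call pattern as random.c */
    uint32_t seeded1 = first_rand_with_seed(1);
    printf("unseeded rand(): 0x%08x, srand(1) rand(): 0x%08x\n", unseeded, seeded1);
    printf("key for unseeded value: %u\n", key_for(unseeded));

    /* Value observed in the gdb session on this page. */
    printf("key for 0x6b8b4567: %u\n", key_for(0x6b8b4567u));

    uint32_t secret;
    if (unpredictable_u32(&secret) != 0) {
        fprintf(stderr, "cannot read /dev/urandom\n");
        return 1;
    }
    printf("CSPRNG value (differs every run): 0x%08x\n", secret);
    return 0;
}
```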