繼續在這個平台解逆向的靜態分析
這次講兩題:
這邊直接先貼組合語言出來
Dump of assembler code for function main:
0x0000000000400d2e <+0>: push rbp
0x0000000000400d2f <+1>: mov rbp,rsp
0x0000000000400d32 <+4>: sub rsp,0x30 # frame: [rbp-0x30]=argv, [rbp-0x24]=argc, [rbp-0x18]=i, [rbp-0x14..rbp-0x9]=12-byte buf, [rbp-0x8]=stack canary
0x0000000000400d36 <+8>: mov DWORD PTR [rbp-0x24],edi # argc
0x0000000000400d39 <+11>: mov QWORD PTR [rbp-0x30],rsi # argv
0x0000000000400d3d <+15>: mov rax,QWORD PTR fs:0x28 # load stack-protector canary
0x0000000000400d46 <+24>: mov QWORD PTR [rbp-0x8],rax # canary sits right above buf
0x0000000000400d4a <+28>: xor eax,eax
0x0000000000400d4c <+30>: mov QWORD PTR [rbp-0x14],0x0 # zero buf[0..7]
0x0000000000400d54 <+38>: mov DWORD PTR [rbp-0xc],0x0 # zero buf[8..11]; buf is exactly 12 bytes
0x0000000000400d5b <+45>: mov DWORD PTR [rbp-0x18],0x0 # i = 0
0x0000000000400d62 <+52>: jmp 0x400d8e <main+96> # jump to loop condition
0x0000000000400d64 <+54>: mov eax,DWORD PTR [rbp-0x18]
0x0000000000400d67 <+57>: movsxd rdx,eax # rdx = (int64)i
0x0000000000400d6a <+60>: lea rax,[rip+0x2d937f] # 0x6da0f0 <password1> , "bqqrcorbefa"
0x0000000000400d71 <+67>: movzx eax,BYTE PTR [rdx+rax*1] # eax = password1[i]
0x0000000000400d75 <+71>: add eax,0x3 # plain byte add of 3 (Caesar / ROT3), no alphabet wrap-around
0x0000000000400d78 <+74>: mov ecx,eax
0x0000000000400d7a <+76>: mov eax,DWORD PTR [rbp-0x18]
0x0000000000400d7d <+79>: movsxd rdx,eax
0x0000000000400d80 <+82>: lea rax,[rip+0x2db669] # 0x6dc3f0 <password>
0x0000000000400d87 <+89>: mov BYTE PTR [rdx+rax*1],cl # password[i] = password1[i] + 3 (writable global)
0x0000000000400d8a <+92>: add DWORD PTR [rbp-0x18],0x1 # i++
0x0000000000400d8e <+96>: cmp DWORD PTR [rbp-0x18],0xb
0x0000000000400d92 <+100>: jle 0x400d64 <main+54> # loop while i <= 11 (12 iterations); if password1 is the 11-char string shown, i==11 turns its terminator into 0x03 — harmless, the compare below is bounded to 11 bytes
0x0000000000400d94 <+102>: cmp DWORD PTR [rbp-0x24],0x1 # [rbp-0x24] = argc
0x0000000000400d98 <+106>: jg 0x400dad <main+127> # argc > 1: an argument was given
0x0000000000400d9a <+108>: lea rdi,[rip+0xb05c7] # 0x4b1368, "\nEnter password as command line argument\n. i.e. challenge <password> "
0x0000000000400da1 <+115>: call 0x411ba0 <puts>
0x0000000000400da6 <+120>: mov eax,0x1 # return value 1
0x0000000000400dab <+125>: jmp 0x400e18 <main+234> # jump to epilogue; main returns 1
0x0000000000400dad <+127>: mov eax,DWORD PTR [rbp-0x24] # eax = argc
0x0000000000400db0 <+130>: cdqe # rax = (int64)argc
0x0000000000400db2 <+132>: shl rax,0x3 # rax = argc * 8 (sizeof(char*))
0x0000000000400db6 <+136>: lea rdx,[rax-0x8] # rdx = (argc-1) * 8
0x0000000000400dba <+140>: mov rax,QWORD PTR [rbp-0x30] # rax = argv
0x0000000000400dbe <+144>: add rax,rdx # rax = &argv[argc-1]
0x0000000000400dc1 <+147>: mov rcx,QWORD PTR [rax] # rcx = argv[argc-1]: the LAST argument (equals argv[1] only when argc == 2)
0x0000000000400dc4 <+150>: lea rax,[rbp-0x14] # rax = buf
0x0000000000400dc8 <+154>: mov edx,0xc # n = 12
0x0000000000400dcd <+159>: mov rsi,rcx # src = argv[argc-1]
0x0000000000400dd0 <+162>: mov rdi,rax # dst = buf
0x0000000000400dd3 <+165>: call 0x4004b0 # unresolved stub; 3-arg call (buf, argv[argc-1], 12) consistent with strncpy — confirm. 12 bytes into a 12-byte buf: no overflow into the canary, but a 12+ char input leaves buf without a NUL
0x0000000000400dd8 <+170>: lea rax,[rbp-0x14]
0x0000000000400ddc <+174>: mov edx,0xb # n = 11
0x0000000000400de1 <+179>: lea rsi,[rip+0x2db608] # 0x6dc3f0 <password>
0x0000000000400de8 <+186>: mov rdi,rax
0x0000000000400deb <+189>: call 0x4004a8 # unresolved stub; 3-arg call (buf, password, 11) consistent with strncmp — confirm. Bounded to 11 bytes, so the possibly unterminated buf is never over-read; only the first 11 chars of the input matter
0x0000000000400df0 <+194>: test eax,eax
0x0000000000400df2 <+196>: jne 0x400e07 <main+217> # mismatch
0x0000000000400df4 <+198>: lea rdi,[rip+0xb05b5] # 0x4b13b0
0x0000000000400dfb <+205>: call 0x400cd3 <print_flag>
0x0000000000400e00 <+210>: mov eax,0x0 # return value 0
0x0000000000400e05 <+215>: jmp 0x400e18 <main+234>
0x0000000000400e07 <+217>: lea rdi,[rip+0xb05c3] # 0x4b13d1
0x0000000000400e0e <+224>: call 0x411ba0 <puts>
0x0000000000400e13 <+229>: mov eax,0x1 # return value 1
0x0000000000400e18 <+234>: mov rsi,QWORD PTR [rbp-0x8] # epilogue: re-check canary
0x0000000000400e1c <+238>: xor rsi,QWORD PTR fs:0x28
0x0000000000400e25 <+247>: je 0x400e2c <main+254> # canary intact
0x0000000000400e27 <+249>: call 0x4512f0 <__stack_chk_fail_local> # stack smashed -> abort
0x0000000000400e2c <+254>: leave
0x0000000000400e2d <+255>: ret
End of assembler dump.
前面那些和昨天同樣的東西就不贅述了,一開始可以看到在 main+60
有一個變數 password1 的值是 bqqrcorbefa
,然後他把每個字都加 3
之後再存到變數 password 中,所以我們也做同樣的事情
這樣就可以得到這題的答案
這個就是位移 3 的 caesar cipher(也常稱為 rot3)
雖然這題標示的難度比前一題高,但我覺得其實差不多@@
這邊先貼上 main
的組合語言:
Dump of assembler code for function main:
0x0000000000400ddd <+0>: push rbp
0x0000000000400dde <+1>: mov rbp,rsp
0x0000000000400de1 <+4>: sub rsp,0x30 # frame: [rbp-0x30]=argv, [rbp-0x24]=argc, [rbp-0x15..rbp-0x9]=13-byte buf, [rbp-0x8]=stack canary
0x0000000000400de5 <+8>: mov DWORD PTR [rbp-0x24],edi # argc
0x0000000000400de8 <+11>: mov QWORD PTR [rbp-0x30],rsi # argv
0x0000000000400dec <+15>: mov rax,QWORD PTR fs:0x28 # load stack-protector canary
0x0000000000400df5 <+24>: mov QWORD PTR [rbp-0x8],rax # canary sits right above buf
0x0000000000400df9 <+28>: xor eax,eax
0x0000000000400dfb <+30>: mov QWORD PTR [rbp-0x15],0x0 # zero buf[0..7]
0x0000000000400e03 <+38>: mov DWORD PTR [rbp-0xd],0x0 # zero buf[8..11]
0x0000000000400e0a <+45>: mov BYTE PTR [rbp-0x9],0x0 # zero buf[12]: one spare byte beyond the 12 copied below, so buf is always NUL-terminated
0x0000000000400e0e <+49>: cmp DWORD PTR [rbp-0x24],0x1
0x0000000000400e12 <+53>: jg 0x400e27 <main+74> # argc > 1: an argument was given
0x0000000000400e14 <+55>: lea rdi,[rip+0xb05bd] # 0x4b13d8, "\nEnter password as command line argument\ni.e challenge <password> "
0x0000000000400e1b <+62>: call 0x411bf0 <puts>
0x0000000000400e20 <+67>: mov eax,0x1 # return value 1
0x0000000000400e25 <+72>: jmp 0x400e63 <main+134> # jump to epilogue; main returns 1
0x0000000000400e27 <+74>: mov eax,DWORD PTR [rbp-0x24] # eax = argc
0x0000000000400e2a <+77>: cdqe # rax = (int64)argc (sign-extends eax; does not touch edx)
0x0000000000400e2c <+79>: shl rax,0x3 # rax = argc * 8 (sizeof(char*)); 16 when argc == 2
0x0000000000400e30 <+83>: lea rdx,[rax-0x8] # rdx = (argc-1) * 8; 8 when argc == 2
0x0000000000400e34 <+87>: mov rax,QWORD PTR [rbp-0x30] # rax = argv
0x0000000000400e38 <+91>: add rax,rdx # rax = &argv[argc-1]
0x0000000000400e3b <+94>: mov rcx,QWORD PTR [rax] # rcx = argv[argc-1], our_input: the LAST argument (equals argv[1] only when argc == 2)
0x0000000000400e3e <+97>: lea rax,[rbp-0x15] # rax = buf
0x0000000000400e42 <+101>: mov edx,0xc # n = 12
0x0000000000400e47 <+106>: mov rsi,rcx # src = our_input
0x0000000000400e4a <+109>: mov rdi,rax # dst = buf
0x0000000000400e4d <+112>: call 0x4004b0 # unresolved stub; 3-arg call (buf, our_input, 12) consistent with strncpy (not strcpy) — confirm. Copies at most 12 bytes into the 13-byte buf; no overflow into the canary
0x0000000000400e52 <+117>: lea rax,[rbp-0x15]
0x0000000000400e56 <+121>: mov rdi,rax # arg0 = buf
0x0000000000400e59 <+124>: call 0x400d2e <validate_password> # its return value in eax is discarded below
0x0000000000400e5e <+129>: mov eax,0x0 # main always returns 0 once an argument was given
0x0000000000400e63 <+134>: mov rcx,QWORD PTR [rbp-0x8] # epilogue: re-check canary
0x0000000000400e67 <+138>: xor rcx,QWORD PTR fs:0x28
0x0000000000400e70 <+147>: je 0x400e77 <main+154> # canary intact
0x0000000000400e72 <+149>: call 0x451340 <__stack_chk_fail_local> # stack smashed -> abort
0x0000000000400e77 <+154>: leave
0x0000000000400e78 <+155>: ret
main 這邊其實沒啥重點,就是把我們輸入(最後一個命令列參數)的前 12 個字元複製到緩衝區,再丟到函數 validate_password
所以這邊再來看這個函數
Dump of assembler code for function validate_password:
0x0000000000400d2e <+0>: push rbp
0x0000000000400d2f <+1>: mov rbp,rsp
0x0000000000400d32 <+4>: sub rsp,0x20 # frame: [rbp-0x18]=input pointer, [rbp-0x4]=count; no canary in this function
0x0000000000400d36 <+8>: mov QWORD PTR [rbp-0x18],rdi # rbp-0x18 = our input
0x0000000000400d3a <+12>: mov DWORD PTR [rbp-0x4],0x0 # rbp-0x4 = count = 0
0x0000000000400d41 <+19>: jmp 0x400d95 <validate_password+103> # jump to loop condition (count <= 11)
0x0000000000400d43 <+21>: mov eax,DWORD PTR [rbp-0x4] # eax = count
0x0000000000400d46 <+24>: and eax,0x1 # eax = count & 1 (parity)
0x0000000000400d49 <+27>: test eax,eax
0x0000000000400d4b <+29>: je 0x400d70 <validate_password+66> # even count -> take from password1; odd count falls through to password2
0x0000000000400d4d <+31>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000400d50 <+34>: movsxd rdx,eax # rdx = (int64)count
0x0000000000400d53 <+37>: lea rax,[rip+0x2d93a6] # 0x6da100 <password2> , "1e2e3g4v5u6!"
0x0000000000400d5a <+44>: movzx ecx,BYTE PTR [rdx+rax*1] # cl = password2[count]
0x0000000000400d5e <+48>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000400d61 <+51>: movsxd rdx,eax
0x0000000000400d64 <+54>: lea rax,[rip+0x2db6a5] # 0x6dc410 <password> , ""
0x0000000000400d6b <+61>: mov BYTE PTR [rdx+rax*1],cl # password[count] = password2[count] (odd index)
0x0000000000400d6e <+64>: jmp 0x400d91 <validate_password+99> # skip the even-index branch
0x0000000000400d70 <+66>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000400d73 <+69>: movsxd rdx,eax # rdx = (int64)count
0x0000000000400d76 <+72>: lea rax,[rip+0x2d9373] # 0x6da0f0 <password1> , "n1v2r3i4e5p6"
0x0000000000400d7d <+79>: movzx ecx,BYTE PTR [rdx+rax*1] # cl = password1[count]
0x0000000000400d81 <+83>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000400d84 <+86>: movsxd rdx,eax
0x0000000000400d87 <+89>: lea rax,[rip+0x2db682] # 0x6dc410 <password> , ""
0x0000000000400d8e <+96>: mov BYTE PTR [rdx+rax*1],cl # password[count] = password1[count] (even index)
0x0000000000400d91 <+99>: add DWORD PTR [rbp-0x4],0x1 # count++
0x0000000000400d95 <+103>: cmp DWORD PTR [rbp-0x4],0xb
0x0000000000400d99 <+107>: jle 0x400d43 <validate_password+21> # loop while count <= 11 (12 iterations); writes password[0..11], no terminator is written here
0x0000000000400d9b <+109>: mov rax,QWORD PTR [rbp-0x18] # rax = our input
0x0000000000400d9f <+113>: mov edx,0xc # n = 12
0x0000000000400da4 <+118>: lea rsi,[rip+0x2db665] # 0x6dc410 <password> , ""
0x0000000000400dab <+125>: mov rdi,rax
0x0000000000400dae <+128>: call 0x4004a8 # unresolved stub; 3-arg call (our_input, password, 12) consistent with strncmp — confirm. Bounded to the 12 bytes built above, so password's missing terminator is never read
0x0000000000400db3 <+133>: test eax,eax
0x0000000000400db5 <+135>: jne 0x400dca <validate_password+156> # mismatch
0x0000000000400db7 <+137>: lea rdi,[rip+0xb05ea] # 0x4b13a8
0x0000000000400dbe <+144>: call 0x400cd3 <print_flag>
0x0000000000400dc3 <+149>: mov eax,0x0 # return 0 on match
0x0000000000400dc8 <+154>: jmp 0x400ddb <validate_password+173>
0x0000000000400dca <+156>: lea rdi,[rip+0xb05f8] # 0x4b13c9
0x0000000000400dd1 <+163>: call 0x411bf0 <puts>
0x0000000000400dd6 <+168>: mov eax,0x1 # return 1 on mismatch
0x0000000000400ddb <+173>: leave
0x0000000000400ddc <+174>: ret
End of assembler dump.
這邊我有在組合語言上面寫上註解。
簡單講就是他一開始設定一個變數 count ,從 0 跑到 11
如果 count 是偶數,取 password1[count]
如果 count 是奇數,取 password2[count]
最後可以得到:
nevergiveup!
這個就是答案,因為其實他用的函數和寫的方式都差不多,所以就沒詳細打過程