
2019 iT 邦幫忙鐵人賽

DAY 14
0
Security

資安隨意分享的30天系列 第 14

Day14 - 簡單的靜態分析(三)


前言

把這系列的最後一題寫完,雖然難易度上面寫這題是最難

但我感覺四題難度都是相同的0.0

正文

今天講最後一個,也就是 We Love MD5

這邊直接先上 main 的組合語言來看


Dump of assembler code for function main:
# gdb disassembly of main (x86-64, Intel syntax). Arguments arrive in edi/rsi and
# are passed on in rdi/rsi/edx, which matches the System V AMD64 convention.
#
# Flow, as far as this listing shows:
#   1. ans = str2md5(password, 32), where password is a constant string in the binary.
#   2. If argc <= 1, print the usage text and return 1.
#   3. Hand the last command-line argument and a 33-byte zeroed local buffer
#      (rbp-0x30 .. rbp-0x10) to the helper at 0x4004b0, length 32.
#   4. Hand that buffer and ans to the helper at 0x4004a8, length 32; a zero
#      return leads to print_flag, anything else prints "Wrong".
#
# NOTE(review): 0x4004b0 and 0x4004a8 have no symbols here. Their argument shapes
# and the way the result is tested look like a bounded copy and a bounded compare
# (strncpy/strncmp-like) -- confirm in the binary.
# NOTE(review): the expected value is derived only from a constant stored in the
# binary, so anyone who can read the file can recompute it; hashing the constant
# adds no secrecy to the check.
   0x0000000000400d2e <+0>:     push   rbp
   0x0000000000400d2f <+1>:     mov    rbp,rsp
   0x0000000000400d32 <+4>:     sub    rsp,0x50                   # 0x50 bytes of locals
   0x0000000000400d36 <+8>:     mov    DWORD PTR [rbp-0x44],edi   # rbp-0x44 = argc 
   0x0000000000400d39 <+11>:    mov    QWORD PTR [rbp-0x50],rsi   # rbp-0x50 = argv
   0x0000000000400d3d <+15>:    mov    rax,QWORD PTR fs:0x28      # load the stack-protector canary
   0x0000000000400d46 <+24>:    mov    QWORD PTR [rbp-0x8],rax    # rbp-0x8 = canary
   0x0000000000400d4a <+28>:    xor    eax,eax
   0x0000000000400d4c <+30>:    mov    QWORD PTR [rbp-0x30],0x0   # zero the local buffer at rbp-0x30:
   0x0000000000400d54 <+38>:    mov    QWORD PTR [rbp-0x28],0x0   #   four qwords ...
   0x0000000000400d5c <+46>:    mov    QWORD PTR [rbp-0x20],0x0
   0x0000000000400d64 <+54>:    mov    QWORD PTR [rbp-0x18],0x0
   0x0000000000400d6c <+62>:    mov    BYTE PTR [rbp-0x10],0x0    #   ... plus one byte = 33 bytes (32 + terminator)
   0x0000000000400d70 <+66>:    mov    esi,0x20                  # esi = 32
   0x0000000000400d75 <+71>:    lea    rdi,[rip+0x2d9384]        # 0x6da100 <password>, "8fe219cf0c7d27adf43ede6fcad19280"
   0x0000000000400d7c <+78>:    call   0x400b9d <str2md5>        # ans = str2md5(password, 32)
   0x0000000000400d81 <+83>:    mov    QWORD PTR [rbp-0x38],rax  # rbp-0x38 = ans (the returned value is later used as a pointer)
   0x0000000000400d85 <+87>:    cmp    DWORD PTR [rbp-0x44],0x1  # argc <= 1: print usage and return 1
   0x0000000000400d89 <+91>:    jg     0x400d9e <main+112>       # argc > 1: go check the argument
   0x0000000000400d8b <+93>:    lea    rdi,[rip+0xb05b6]        # 0x4b1348, "\nEnter password as command line argument\n\nchallenge <password> "
   0x0000000000400d92 <+100>:   call   0x411b90 <puts>
   0x0000000000400d97 <+105>:   mov    eax,0x1                    # return value 1
   0x0000000000400d9c <+110>:   jmp    0x400e09 <main+219>        # go to the canary check and return
   0x0000000000400d9e <+112>:   mov    eax,DWORD PTR [rbp-0x44]   # eax = argc (2 when exactly one argument is given)
   0x0000000000400da1 <+115>:   cdqe                              # sign-extend eax into rax (edx is not touched)
   0x0000000000400da3 <+117>:   shl    rax,0x3                    # rax = argc * 8 (16 when argc = 2)
   0x0000000000400da7 <+121>:   lea    rdx,[rax-0x8]              # rdx = (argc - 1) * 8 (8 when argc = 2)
   0x0000000000400dab <+125>:   mov    rax,QWORD PTR [rbp-0x50]   # rax = argv
   0x0000000000400daf <+129>:   add    rax,rdx                    # rax = &argv[argc-1]
   0x0000000000400db2 <+132>:   mov    rcx,QWORD PTR [rax]        # rcx = argv[argc-1], our input (argv[1] when argc = 2)
   0x0000000000400db5 <+135>:   lea    rax,[rbp-0x30]             # rax = address of the zeroed local buffer (not the value 0)
   0x0000000000400db9 <+139>:   mov    edx,0x20                   # edx = 32
   0x0000000000400dbe <+144>:   mov    rsi,rcx                    # rsi = input
   0x0000000000400dc1 <+147>:   mov    rdi,rax                    # rdi = buffer
   0x0000000000400dc4 <+150>:   call   0x4004b0                   # 0x4004b0(buffer, input, 32) -- presumably a bounded copy; confirm
   0x0000000000400dc9 <+155>:   mov    rcx,QWORD PTR [rbp-0x38]   # rcx = ans
   0x0000000000400dcd <+159>:   lea    rax,[rbp-0x30]             # rax = address of the local buffer
   0x0000000000400dd1 <+163>:   mov    edx,0x20                   # edx = 32
   0x0000000000400dd6 <+168>:   mov    rsi,rcx                    # rsi = ans
   0x0000000000400dd9 <+171>:   mov    rdi,rax                    # rdi = buffer
   0x0000000000400ddc <+174>:   call   0x4004a8                   # 0x4004a8(buffer, ans, 32) -- presumably a bounded compare; confirm
   0x0000000000400de1 <+179>:   test   eax,eax                    # helper returned 0?
   0x0000000000400de3 <+181>:   jne    0x400df8 <main+202>        # non-zero: take the "Wrong" path
   0x0000000000400de5 <+183>:   lea    rdi,[rip+0xb059c]        # 0x4b1388 , "190da373f10ae1afeb51fbc85609f9ce"
   0x0000000000400dec <+190>:   call   0x400cd3 <print_flag>      # print_flag(string at 0x4b1388)
   0x0000000000400df1 <+195>:   mov    eax,0x0                    # return value 0
   0x0000000000400df6 <+200>:   jmp    0x400e09 <main+219>
   0x0000000000400df8 <+202>:   lea    rdi,[rip+0xb05aa]        # 0x4b13a9, "Wrong"
   0x0000000000400dff <+209>:   call   0x411b90 <puts>
   0x0000000000400e04 <+214>:   mov    eax,0x1                    # return value 1
   0x0000000000400e09 <+219>:   mov    rdx,QWORD PTR [rbp-0x8]    # reload the saved canary
   0x0000000000400e0d <+223>:   xor    rdx,QWORD PTR fs:0x28      # zero only if it still matches fs:0x28
   0x0000000000400e16 <+232>:   je     0x400e1d <main+239>        # unchanged: normal return
   0x0000000000400e18 <+234>:   call   0x4512e0 <__stack_chk_fail_local>   # canary changed
   0x0000000000400e1d <+239>:   leave
   0x0000000000400e1e <+240>:   ret
End of assembler dump.

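前面開頭的組合語言和前幾題一樣,所以直接從 main+71 看起,可以看到他把

8fe219cf0c7d27adf43ede6fcad19280 這串(長度 0x20)丟進 str2md5 去算 md5,之後

他把剛剛算出來的結果存在 [rbp-0x38] 這邊,然後往下看其實會覺得

跟前面題目看起來就 87 % 像:我們輸入的最後一個參數(只給一個參數時就是 argv[1])會先連同 [rbp-0x30] 的區域緩衝區和長度 0x20 傳給 0x4004b0(沒有符號,看起來是複製),接著緩衝區再和 [rbp-0x38] 的結果以長度 0x20 傳給 0x4004a8(看起來是比較),回傳 0 才會呼叫 print_flag。也就是說,程式期待的輸入就是那串字串的 md5,所以這裡我們就直接照著把

8fe219cf0c7d27adf43ede6fcad19280 算 md5 丟上去會發現就是答案了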

