How can you know str1 and str2? about ctf-notes HOT 1 CLOSED

daoduythuan commented on August 20, 2024

How can you know str1 and str2?

from ctf-notes.

Comments (1)

73696e65 commented on August 20, 2024

The first part (I used input AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA because there is a length check):

gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xffffd9a4 ("ahJd\024\032G\031\003r6\bl\033.jl\032UghvFd{\035P\177gc\022\005a\005")
EBX: 0x1e
ECX: 0x0
EDX: 0x3c ('<')
ESI: 0xffffd9d4 ('A' <repeats 30 times>, "\n")
EDI: 0x0
EBP: 0x0
ESP: 0xffffd9a4 ("ahJd\024\032G\031\003r6\bl\033.jl\032UghvFd{\035P\177gc\022\005a\005")
EIP: 0x8048121 (mov    dl,BYTE PTR [eax])
EFLAGS: 0x297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804811b:	xor    ecx,ecx
   0x804811d:	cmp    ecx,ebx
   0x804811f:	jge    0x8048131
=> 0x8048121:	mov    dl,BYTE PTR [eax]
   0x8048123:	xor    dl,BYTE PTR [esi+ecx*1]
   0x8048126:	mov    BYTE PTR [esi+ecx*1],dl
   0x8048129:	add    eax,0x1
   0x804812c:	add    ecx,0x1
[------------------------------------stack-------------------------------------]
0000| 0xffffd9a4 ("ahJd\024\032G\031\003r6\bl\033.jl\032UghvFd{\035P\177gc\022\005a\005")
0004| 0xffffd9a8 --> 0x19471a14
0008| 0xffffd9ac --> 0x8367203
0012| 0xffffd9b0 --> 0x6a2e1b6c
0016| 0xffffd9b4 --> 0x67551a6c
0020| 0xffffd9b8 ("hvFd{\035P\177gc\022\005a\005")
0024| 0xffffd9bc --> 0x7f501d7b
0028| 0xffffd9c0 --> 0x5126367
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gdb-peda$ x /30bx $eax
0xffffd9a4:	0x61	0x68	0x4a	0x64	0x14	0x1a	0x47	0x19
0xffffd9ac:	0x03	0x72	0x36	0x08	0x6c	0x1b	0x2e	0x6a
0xffffd9b4:	0x6c	0x1a	0x55	0x67	0x68	0x76	0x46	0x64
0xffffd9bc:	0x7b	0x1d	0x50	0x7f	0x67	0x63

The second part:

gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x1e
ECX: 0x1d
EDX: 0x22 ('"')
ESI: 0xffffd9d4 (" )\v%U[\006XB3wI-Zo+-[\024&)7\a%:\\\021>&\"\n")
EDI: 0x8049bcc (xor    ebp,DWORD PTR [ebx])
EBP: 0x0
ESP: 0xffffd9cc --> 0x1d
EIP: 0x8048053 (mov    edx,edi)
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804804d:	xor    eax,eax
   0x804804f:	test   ecx,ecx
   0x8048051:	je     0x8048064
=> 0x8048053:	mov    edx,edi
   0x8048055:	add    edx,ecx
   0x8048057:	mov    bl,BYTE PTR [edx]
   0x8048059:	mov    edx,esi
   0x804805b:	add    edx,ecx
[------------------------------------stack-------------------------------------]
0000| 0xffffd9cc --> 0x1d
0004| 0xffffd9d0 --> 0x8048145 (test   eax,eax)
0008| 0xffffd9d4 (" )\v%U[\006XB3wI-Zo+-[\024&)7\a%:\\\021>&\"\n")
0012| 0xffffd9d8 --> 0x58065b55
0016| 0xffffd9dc ("B3wI-Zo+-[\024&)7\a%:\\\021>&\"\n")
0020| 0xffffd9e0 ("-Zo+-[\024&)7\a%:\\\021>&\"\n")
0024| 0xffffd9e4 --> 0x26145b2d
0028| 0xffffd9e8 --> 0x25073729
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048053 in ?? ()
gdb-peda$ x /30bx $edi
0x8049bcc:	0x33	0x2b	0x79	0x49	0x26	0x2a	0x76	0x2f
0x8049bd4:	0x2e	0x2b	0x73	0x49	0x24	0x36	0x6a	0x2b
0x8049bdc:	0x38	0x49	0x78	0x25	0x2d	0x22	0x12	0x21
0x8049be4:	0x29	0x30	0x12	0x30	0x2e	0x2a

Basically what the "reversed" binary does is it validates if *edi+count - *esi+count == 0 (byte ptr, see the disassembly around 0x8048053) where esi points to the string which is obtained previously with xoring input ^ eax. See the output from the first string above (0x8048123).

from ctf-notes.

How can you know str1 and str2? about ctf-notes HOT 1 CLOSED

Comments (1)

Related Issues (3)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent