5.1 file 명령어를 사용해 식별하기
binary@binary-VirtualBox:~/code/chapter5$ file payload
payload: ASCII text
binary@binary-VirtualBox:~/code/chapter5$ base64 -d payload > decoded_payload
binary@binary-VirtualBox:~/code/chapter5$ ls
decoded_payload levels.db oracle payload
binary@binary-VirtualBox:~/code/chapter5$ file -z decoded_payload
decoded_payload: POSIX tar archive (GNU) (gzip compressed data, last modified: Mon Apr 10 19:08:12 2017, from Unix)
binary@binary-VirtualBox:~/code/chapter5$ tar zxvf ./decoded_payload
ctf
67b8601
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601 ctf decoded_payload levels.db oracle payload
C
복사
5.2 ldd 명령어를 사용해 의존성 점검하기
binary@binary-VirtualBox:~/code/chapter5$ ./ctf
./ctf: error while loading shared libraries: lib5ae9b7f.so: cannot open shared object file: No such file or directory
binary@binary-VirtualBox:~/code/chapter5$
binary@binary-VirtualBox:~/code/chapter5$ ldd ctf
linux-vdso.so.1 => (0x00007ffca9564000)
lib5ae9b7f.so => not found
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f91ad011000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f91acdfb000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91aca31000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f91ac728000)
/lib64/ld-linux-x86-64.so.2 (0x00007f91ad393000)
binary@binary-VirtualBox:~/code/chapter5$ grep 'ELF' * | more
Binary file 67b8601 matches
Binary file ctf matches
C
복사
5.3 xxd 명령어를 사용해 파일 내부 내용 확인하기
binary@binary-VirtualBox:~/code/chapter5$ xxd 67b8601 | head -n 15
00000000: 424d 3800 0c00 0000 0000 3600 0000 2800 BM8.......6...(.
00000010: 0000 0002 0000 0002 0000 0100 1800 0000 ................
00000020: 0000 0200 0c00 c01e 0000 c01e 0000 0000 ................
00000030: 0000 0000 7f45 4c46 0201 0100 0000 0000 .....ELF........
00000040: 0000 0000 0300 3e00 0100 0000 7009 0000 ......>.....p...
00000050: 0000 0000 4000 0000 0000 0000 7821 0000 ....@.......x!..
00000060: 0000 0000 0000 0000 4000 3800 0700 4000 ........@.8...@.
00000070: 1b00 1a00 0100 0000 0500 0000 0000 0000 ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 0000 f40e 0000 0000 0000 f40e 0000 ................
000000a0: 0000 0000 0000 2000 0000 0000 0100 0000 ...... .........
000000b0: 0600 0000 f01d 0000 0000 0000 f01d 2000 .............. .
000000c0: 0000 0000 f01d 2000 0000 0000 6802 0000 ...... .....h...
000000d0: 0000 0000 7002 0000 0000 0000 0000 2000 ....p......... .
000000e0: 0000 0000 0200 0000 0600 0000 081e 0000 ................
binary@binary-VirtualBox:~/code/chapter5$ dd skip=52 count=64 if=67b8601 of=elf_header bs=1
64+0 records in
64+0 records out
64 bytes copied, 0,000324368 s, 197 kB/s
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601 ctf decoded_payload elf_header levels.db oracle payload
binary@binary-VirtualBox:~/code/chapter5$ xxd elf_header
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0300 3e00 0100 0000 7009 0000 0000 0000 ..>.....p.......
00000020: 4000 0000 0000 0000 7821 0000 0000 0000 @.......x!......
00000030: 0000 0000 4000 3800 0700 4000 1b00 1a00 ....@.8...@.....
C
복사
5.4 readelf 명령어를 사용해 elf 파일 형식 추출하기
binary@binary-VirtualBox:~/code/chapter5$ readelf -h elf_header
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x970
Start of program headers: 64 (bytes into file)
Start of section headers: 8568 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 7
Size of section headers: 64 (bytes)
Number of section headers: 27
Section header string table index: 26
readelf: Error: Reading 0x6c0 bytes extends past end of file for section headers
readelf: Error: Reading 0x188 bytes extends past end of file for program headers
C
복사
5.5 nm 명령어를 사용해 심벌 정보 분석하기
binary@binary-VirtualBox:~/code/chapter5$ nm lib5ae9b7f.so
nm: lib5ae9b7f.so: no symbols
binary@binary-VirtualBox:~/code/chapter5$ nm -D lib5ae9b7f.so
0000000000202058 B __bss_start
w __cxa_finalize
0000000000202058 D _edata
0000000000202060 B _end
0000000000000d20 T _fini
w __gmon_start__
00000000000008c0 T _init
w _ITM_deregisterTMCloneTable
w _ITM_registerTMCloneTable
w _Jv_RegisterClasses
U malloc
U memcpy
U __stack_chk_fail
0000000000000c60 T _Z11rc4_decryptP11rc4_state_tPhi
0000000000000c70 T _Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
0000000000000b40 T _Z11rc4_encryptP11rc4_state_tPhi
0000000000000bc0 T _Z11rc4_encryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
0000000000000cb0 T _Z8rc4_initP11rc4_state_tPhi
U _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_createERmm
U _ZSt19__throw_logic_errorPKc
binary@binary-VirtualBox:~/code/chapter5$ nm -D --demangle lib5ae9b7f.so
0000000000202058 B __bss_start
w __cxa_finalize
0000000000202058 D _edata
0000000000202060 B _end
0000000000000d20 T _fini
w __gmon_start__
00000000000008c0 T _init
w _ITM_deregisterTMCloneTable
w _ITM_registerTMCloneTable
w _Jv_RegisterClasses
U malloc
U memcpy
U __stack_chk_fail
0000000000000c60 T rc4_decrypt(rc4_state_t*, unsigned char*, int)
0000000000000c70 T rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)
0000000000000b40 T rc4_encrypt(rc4_state_t*, unsigned char*, int)
0000000000000bc0 T rc4_encrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)
0000000000000cb0 T rc4_init(rc4_state_t*, unsigned char*, int)
U std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_create(unsigned long&, unsigned long)
U std::__throw_logic_error(char const*)
binary@binary-VirtualBox:~/code/chapter5$
--- c++filt
binary@binary-VirtualBox:~/code/chapter5$ c++filt _Z11rc4_decryptP11rc4_state_tPhi
rc4_decrypt(rc4_state_t*, unsigned char*, int)
binary@binary-VirtualBox:~/code/chapter5$
binary@binary-VirtualBox:~/code/chapter5$ export LD_LIBRARY_PATH=`pwd`
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601 ctf decoded_payload elf_header levels.db lib5ae9b7f.so oracle payload
binary@binary-VirtualBox:~/code/chapter5$ ./ctf
binary@binary-VirtualBox:~/code/chapter5$ echo $?
1
C
복사
5.6 strings 명령어를 사용해 단서 찾기
바이너리에 사용된 문자열 정보를 점검할 수 있는 명령어
binary@binary-VirtualBox:~/code/chapter5$ strings ctf
/lib64/ld-linux-x86-64.so.2
lib5ae9b7f.so
__gmon_start__
_Jv_RegisterClasses
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_Z8rc4_initP11rc4_state_tPhi
_init
_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
_fini
libstdc++.so.6
__gxx_personality_v0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc
_ZdlPv
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_
libgcc_s.so.1
_Unwind_Resume
libc.so.6
__printf_chk
fopen
puts
__stack_chk_fail
fgets
fseek
fclose
getenv
strcmp
__libc_start_main
_edata
__bss_start
_end
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4.21
GLIBCXX_3.4
GLIBC_2.4
GLIBC_2.3.4
GLIBC_2.2.5
D$ H
D$PH
|$@H
D$PH9
|$ H
D$0H9
|$`H
t$`H
|$`H
D$pH9
T$ H
L$ 1
T$@H
p I9
|$@H
D$PH9
|$ H
D$0H9
|$`H
T$pH
AWAVA
AUATL
[]A\A]A^A_
DEBUG: argv[1] = %s
checking '%s'
show_me_the_flag
>CMb
-v@P^:
flag = %s
guess again!
It's kinda like Louisiana. Or Dagobah. Dagobah - Where Yoda lives!
;*3$"
zPLR
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.gcc_except_table
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
C
복사
5.7 strace와 ltrace 명령어를 사용해 시스템콜 및 라이브러리 호출 추적하기
binary@binary-VirtualBox:~/code/chapter5$ strace ./ctf show_me_the_flag
execve("./ctf", ["./ctf", "show_me_the_flag"], [/* 31 vars */]) = 0
brk(NULL) = 0x1d52000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/tls/x86_64/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/tls/x86_64", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/tls/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/tls", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/x86_64/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/x86_64", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\t\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0664, st_size=10296, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe5007a0000
mmap(NULL, 2105440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe500379000
mprotect(0x7fe50037a000, 2097152, PROT_NONE) = 0
mmap(0x7fe50057a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fe50057a000
close(3) = 0
open("/home/binary/code/chapter5/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=98537, ...}) = 0
mmap(NULL, 98537, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe500787000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \235\10\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=1566440, ...}) = 0
mmap(NULL, 3675136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffff7000
mprotect(0x7fe500169000, 2097152, PROT_NONE) = 0
mmap(0x7fe500369000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x172000) = 0x7fe500369000
mmap(0x7fe500375000, 13312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe500375000
close(3) = 0
open("/home/binary/code/chapter5/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p*\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=89696, ...}) = 0
mmap(NULL, 2185488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffde1000
mprotect(0x7fe4ffdf7000, 2093056, PROT_NONE) = 0
mmap(0x7fe4ffff6000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7fe4ffff6000
close(3) = 0
open("/home/binary/code/chapter5/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500786000
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffa17000
mprotect(0x7fe4ffbd7000, 2097152, PROT_NONE) = 0
mmap(0x7fe4ffdd7000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7fe4ffdd7000
mmap(0x7fe4ffddd000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe4ffddd000
close(3) = 0
open("/home/binary/code/chapter5/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0V\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=1088952, ...}) = 0
mmap(NULL, 3178744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ff70e000
mprotect(0x7fe4ff816000, 2093056, PROT_NONE) = 0
mmap(0x7fe4ffa15000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x107000) = 0x7fe4ffa15000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500785000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500783000
arch_prctl(ARCH_SET_FS, 0x7fe500783740) = 0
mprotect(0x7fe4ffdd7000, 16384, PROT_READ) = 0
mprotect(0x7fe4ffa15000, 4096, PROT_READ) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500782000
mprotect(0x7fe500369000, 40960, PROT_READ) = 0
mprotect(0x7fe50057a000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ) = 0
mprotect(0x7fe5007a1000, 4096, PROT_READ) = 0
munmap(0x7fe500787000, 98537) = 0
brk(NULL) = 0x1d52000
brk(0x1d84000) = 0x1d84000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
write(1, "checking 'show_me_the_flag'\n", 28checking 'show_me_the_flag'
) = 28
write(1, "ok\n", 3ok
) = 3
exit_group(1) = ?
+++ exited with 1 +++
binary@binary-VirtualBox:~/code/chapter5$ ltrace ./ctf show_me_the_flag
__libc_start_main(0x400bc0, 2, 0x7fffbecbace8, 0x4010c0 <unfinished ...>
__printf_chk(1, 0x401158, 0x7fffbecbb6e0, 160checking 'show_me_the_flag'
) = 28
strcmp("show_me_the_flag", "show_me_the_flag") = 0
puts("ok"ok
) = 3
_Z8rc4_initP11rc4_state_tPhi(0x7fffbecbaab0, 0x4011c0, 66, -1) = 0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc(0x7fffbecba9f0, 0x40117b, 58, 3) = 0x7fffbecba9f0
_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE(0x7fffbecbaa50, 0x7fffbecbaab0, 0x7fffbecba9f0, 0x7e889f91) = 0x7fffbecbaa50
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_(0x7fffbecba9f0, 0x7fffbecbaa50, 0x7fffbecbaa60, 0) = 0
getenv("GUESSME") = nil
+++ exited (status 1) +++
binary@binary-VirtualBox:~/code/chapter5$ ltrace -i -C ./ctf show_me_the_flag
[0x400fe9] __libc_start_main(0x400bc0, 2, 0x7ffe340a27d8, 0x4010c0 <unfinished ...>
[0x400c44] __printf_chk(1, 0x401158, 0x7ffe340a46e0, 160checking 'show_me_the_flag'
) = 28
[0x400c51] strcmp("show_me_the_flag", "show_me_the_flag") = 0
[0x400cf0] puts("ok"ok
) = 3
[0x400d07] rc4_init(rc4_state_t*, unsigned char*, int)(0x7ffe340a25a0, 0x4011c0, 66, -1) = 0
[0x400d14] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffe340a24e0, 0x40117b, 58, 3) = 0x7ffe340a24e0
[0x400d29] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffe340a2540, 0x7ffe340a25a0, 0x7ffe340a24e0, 0x7e889f91) = 0x7ffe340a2540
[0x400d36] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffe340a24e0, 0x7ffe340a2540, 0x7ffe340a2550, 0) = 0
[0x400d53] getenv("GUESSME") = nil
[0xffffffffffffffff] +++ exited (status 1) +++
binary@binary-VirtualBox:~/code/chapter5$ GUESSME=`foobar` ./ctf show_me_the_flag
foobar: command not found
checking 'show_me_the_flag'
ok
guess again!
binary@binary-VirtualBox:~/code/chapter5$ GUESSME=`foobar` ltrace -i -C ./ctf show_me_the_flag
foobar: command not found
[0x400fe9] __libc_start_main(0x400bc0, 2, 0x7ffc47c27638, 0x4010c0 <unfinished ...>
[0x400c44] __printf_chk(1, 0x401158, 0x7ffc47c296d7, 160checking 'show_me_the_flag'
) = 28
[0x400c51] strcmp("show_me_the_flag", "show_me_the_flag") = 0
[0x400cf0] puts("ok"ok
) = 3
[0x400d07] rc4_init(rc4_state_t*, unsigned char*, int)(0x7ffc47c27400, 0x4011c0, 66, -1) = 0
[0x400d14] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffc47c27340, 0x40117b, 58, 3) = 0x7ffc47c27340
[0x400d29] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffc47c273a0, 0x7ffc47c27400, 0x7ffc47c27340, 0x7e889f91) = 0x7ffc47c273a0
[0x400d36] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffc47c27340, 0x7ffc47c273a0, 0x7ffc47c273b0, 0) = 0
[0x400d53] getenv("GUESSME") = ""
[0x400d6e] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffc47c27360, 0x401183, 5, 18) = 0x7ffc47c27360
[0x400d88] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffc47c273c0, 0x7ffc47c27400, 0x7ffc47c27360, 0x401183) = 0x7ffc47c273c0
[0x400d9a] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffc47c27360, 0x7ffc47c273c0, 0x1fb30a0, 0) = 0
[0x400db4] operator delete(void*)(0x1fb30a0, 0x1fb30a0, 21, 0) = 0
[0x400dd7] puts("guess again!"guess again!
) = 13
[0x400c8d] operator delete(void*)(0x1fb3050, 0x1fb2c20, 0x7fdfbb20b780, -1) = 0
[0xffffffffffffffff] +++ exited (status 1) +++
C
복사
5.8 objdump 명령어를 사용해 기계어 수준 동작 확인하기
binary@binary-VirtualBox:~/code/chapter5$ objdump -s --section .rodata ctf
ctf: file format elf64-x86-64
Contents of section .rodata:
401140 01000200 44454255 473a2061 7267765b ....DEBUG: argv[
401150 315d203d 20257300 63686563 6b696e67 1] = %s.checking
401160 20272573 270a0073 686f775f 6d655f74 '%s'..show_me_t
401170 68655f66 6c616700 6f6b004f 89df919f he_flag.ok.O....
401180 887e009a 5b38babe 27ac0e3e 434d6285 .~..[8..'..>CMb.
401190 55868954 3848a34d 00192d76 40505e3a U..T8H.M..-v@P^:
4011a0 00726200 666c6167 203d2025 730a0067 .rb.flag = %s..g
4011b0 75657373 20616761 696e2100 00000000 uess again!.....
4011c0 49742773 206b696e 6461206c 696b6520 It's kinda like
4011d0 4c6f7569 7369616e 612e204f 72204461 Louisiana. Or Da
4011e0 676f6261 682e2044 61676f62 6168202d gobah. Dagobah -
4011f0 20576865 72652059 6f646120 6c697665 Where Yoda live
401200 73210000 00000000 s!......
binary@binary-VirtualBox:~/code/chapter5$
C
복사
binary@binary-VirtualBox:~/code/chapter5$ objdump -M intel -d ctf
ctf: file format elf64-x86-64
Disassembly of section .init:
0000000000400a68 <_init@@Base>:
400a68: 48 83 ec 08 sub rsp,0x8
400a6c: 48 8b 05 85 15 20 00 mov rax,QWORD PTR [rip+0x201585] # 601ff8 <_fini@@Base+0x200ec4>
400a73: 48 85 c0 test rax,rax
400a76: 74 05 je 400a7d <_init@@Base+0x15>
400a78: e8 33 01 00 00 call 400bb0 <_Unwind_Resume@plt+0x10>
400a7d: 48 83 c4 08 add rsp,0x8
400a81: c3 ret
Disassembly of section .plt:
0000000000400a90 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt-0x10>:
400a90: ff 35 72 15 20 00 push QWORD PTR [rip+0x201572] # 602008 <_fini@@Base+0x200ed4>
400a96: ff 25 74 15 20 00 jmp QWORD PTR [rip+0x201574] # 602010 <_fini@@Base+0x200edc>
400a9c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>:
400aa0: ff 25 72 15 20 00 jmp QWORD PTR [rip+0x201572] # 602018 <_fini@@Base+0x200ee4>
400aa6: 68 00 00 00 00 push 0x0
400aab: e9 e0 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400ab0 <puts@plt>:
400ab0: ff 25 6a 15 20 00 jmp QWORD PTR [rip+0x20156a] # 602020 <_fini@@Base+0x200eec>
400ab6: 68 01 00 00 00 push 0x1
400abb: e9 d0 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400ac0 <fseek@plt>:
400ac0: ff 25 62 15 20 00 jmp QWORD PTR [rip+0x201562] # 602028 <_fini@@Base+0x200ef4>
400ac6: 68 02 00 00 00 push 0x2
400acb: e9 c0 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400ad0 <_ZdlPv@plt>:
400ad0: ff 25 5a 15 20 00 jmp QWORD PTR [rip+0x20155a] # 602030 <_fini@@Base+0x200efc>
400ad6: 68 03 00 00 00 push 0x3
400adb: e9 b0 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400ae0 <__printf_chk@plt>:
400ae0: ff 25 52 15 20 00 jmp QWORD PTR [rip+0x201552] # 602038 <_fini@@Base+0x200f04>
400ae6: 68 04 00 00 00 push 0x4
400aeb: e9 a0 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400af0 <fopen@plt>:
400af0: ff 25 4a 15 20 00 jmp QWORD PTR [rip+0x20154a] # 602040 <_fini@@Base+0x200f0c>
400af6: 68 05 00 00 00 push 0x5
400afb: e9 90 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b00 <__libc_start_main@plt>:
400b00: ff 25 42 15 20 00 jmp QWORD PTR [rip+0x201542] # 602048 <_fini@@Base+0x200f14>
400b06: 68 06 00 00 00 push 0x6
400b0b: e9 80 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b10 <fgets@plt>:
400b10: ff 25 3a 15 20 00 jmp QWORD PTR [rip+0x20153a] # 602050 <_fini@@Base+0x200f1c>
400b16: 68 07 00 00 00 push 0x7
400b1b: e9 70 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b20 <_Z8rc4_initP11rc4_state_tPhi@plt>:
400b20: ff 25 32 15 20 00 jmp QWORD PTR [rip+0x201532] # 602058 <_fini@@Base+0x200f24>
400b26: 68 08 00 00 00 push 0x8
400b2b: e9 60 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>:
400b30: ff 25 2a 15 20 00 jmp QWORD PTR [rip+0x20152a] # 602060 <_fini@@Base+0x200f2c>
400b36: 68 09 00 00 00 push 0x9
400b3b: e9 50 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>:
400b40: ff 25 22 15 20 00 jmp QWORD PTR [rip+0x201522] # 602068 <_fini@@Base+0x200f34>
400b46: 68 0a 00 00 00 push 0xa
400b4b: e9 40 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b50 <getenv@plt>:
400b50: ff 25 1a 15 20 00 jmp QWORD PTR [rip+0x20151a] # 602070 <_fini@@Base+0x200f3c>
400b56: 68 0b 00 00 00 push 0xb
400b5b: e9 30 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b60 <__stack_chk_fail@plt>:
400b60: ff 25 12 15 20 00 jmp QWORD PTR [rip+0x201512] # 602078 <_fini@@Base+0x200f44>
400b66: 68 0c 00 00 00 push 0xc
400b6b: e9 20 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b70 <strcmp@plt>:
400b70: ff 25 0a 15 20 00 jmp QWORD PTR [rip+0x20150a] # 602080 <_fini@@Base+0x200f4c>
400b76: 68 0d 00 00 00 push 0xd
400b7b: e9 10 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b80 <fclose@plt>:
400b80: ff 25 02 15 20 00 jmp QWORD PTR [rip+0x201502] # 602088 <_fini@@Base+0x200f54>
400b86: 68 0e 00 00 00 push 0xe
400b8b: e9 00 ff ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400b90 <__gxx_personality_v0@plt>:
400b90: ff 25 fa 14 20 00 jmp QWORD PTR [rip+0x2014fa] # 602090 <_fini@@Base+0x200f5c>
400b96: 68 0f 00 00 00 push 0xf
400b9b: e9 f0 fe ff ff jmp 400a90 <_init@@Base+0x28>
0000000000400ba0 <_Unwind_Resume@plt>:
400ba0: ff 25 f2 14 20 00 jmp QWORD PTR [rip+0x2014f2] # 602098 <_fini@@Base+0x200f64>
400ba6: 68 10 00 00 00 push 0x10
400bab: e9 e0 fe ff ff jmp 400a90 <_init@@Base+0x28>
Disassembly of section .plt.got:
0000000000400bb0 <.plt.got>:
400bb0: ff 25 42 14 20 00 jmp QWORD PTR [rip+0x201442] # 601ff8 <_fini@@Base+0x200ec4>
400bb6: 66 90 xchg ax,ax
Disassembly of section .text:
0000000000400bc0 <.text>:
400bc0: 55 push rbp
400bc1: 53 push rbx
400bc2: 48 81 ec 08 02 00 00 sub rsp,0x208
400bc9: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
400bd0: 00 00
400bd2: 48 89 84 24 f8 01 00 mov QWORD PTR [rsp+0x1f8],rax
400bd9: 00
400bda: 31 c0 xor eax,eax
400bdc: 48 8d 44 24 10 lea rax,[rsp+0x10]
400be1: 83 ff 01 cmp edi,0x1
400be4: 48 c7 44 24 08 00 00 mov QWORD PTR [rsp+0x8],0x0
400beb: 00 00
400bed: c6 44 24 10 00 mov BYTE PTR [rsp+0x10],0x0
400bf2: 48 c7 44 24 28 00 00 mov QWORD PTR [rsp+0x28],0x0
400bf9: 00 00
400bfb: 48 89 04 24 mov QWORD PTR [rsp],rax
400bff: 48 8d 44 24 30 lea rax,[rsp+0x30]
400c04: c6 44 24 30 00 mov BYTE PTR [rsp+0x30],0x0
400c09: 48 c7 44 24 48 00 00 mov QWORD PTR [rsp+0x48],0x0
400c10: 00 00
400c12: c6 44 24 50 00 mov BYTE PTR [rsp+0x50],0x0
400c17: 48 89 44 24 20 mov QWORD PTR [rsp+0x20],rax
400c1c: 48 8d 44 24 50 lea rax,[rsp+0x50]
400c21: 48 89 44 24 40 mov QWORD PTR [rsp+0x40],rax
400c26: 0f 8e 97 00 00 00 jle 400cc3 <_Unwind_Resume@plt+0x123>
400c2c: 48 8b 5e 08 mov rbx,QWORD PTR [rsi+0x8]
400c30: bf 01 00 00 00 mov edi,0x1
400c35: be 58 11 40 00 mov esi,0x401158
400c3a: 31 c0 xor eax,eax
400c3c: 48 89 da mov rdx,rbx
400c3f: e8 9c fe ff ff call 400ae0 <__printf_chk@plt>
400c44: be 67 11 40 00 mov esi,0x401167
400c49: 48 89 df mov rdi,rbx
400c4c: e8 1f ff ff ff call 400b70 <strcmp@plt>
400c51: 85 c0 test eax,eax
400c53: 0f 84 8d 00 00 00 je 400ce6 <_Unwind_Resume@plt+0x146>
400c59: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
400c60: bb 01 00 00 00 mov ebx,0x1
400c65: 48 8b 7c 24 40 mov rdi,QWORD PTR [rsp+0x40]
400c6a: 48 8d 44 24 50 lea rax,[rsp+0x50]
400c6f: 48 39 c7 cmp rdi,rax
400c72: 74 05 je 400c79 <_Unwind_Resume@plt+0xd9>
400c74: e8 57 fe ff ff call 400ad0 <_ZdlPv@plt>
400c79: 48 8b 7c 24 20 mov rdi,QWORD PTR [rsp+0x20]
400c7e: 48 8d 44 24 30 lea rax,[rsp+0x30]
400c83: 48 39 c7 cmp rdi,rax
400c86: 74 05 je 400c8d <_Unwind_Resume@plt+0xed>
400c88: e8 43 fe ff ff call 400ad0 <_ZdlPv@plt>
400c8d: 48 8b 3c 24 mov rdi,QWORD PTR [rsp]
400c91: 48 8d 44 24 10 lea rax,[rsp+0x10]
400c96: 48 39 c7 cmp rdi,rax
400c99: 74 05 je 400ca0 <_Unwind_Resume@plt+0x100>
400c9b: e8 30 fe ff ff call 400ad0 <_ZdlPv@plt>
400ca0: 48 8b 8c 24 f8 01 00 mov rcx,QWORD PTR [rsp+0x1f8]
400ca7: 00
400ca8: 64 48 33 0c 25 28 00 xor rcx,QWORD PTR fs:0x28
400caf: 00 00
400cb1: 89 d8 mov eax,ebx
400cb3: 0f 85 67 02 00 00 jne 400f20 <_Unwind_Resume@plt+0x380>
400cb9: 48 81 c4 08 02 00 00 add rsp,0x208
400cc0: 5b pop rbx
400cc1: 5d pop rbp
400cc2: c3 ret
400cc3: 83 3d ea 13 20 00 00 cmp DWORD PTR [rip+0x2013ea],0x0 # 6020b4 <_edata@@Base+0x4>
400cca: 74 94 je 400c60 <_Unwind_Resume@plt+0xc0>
400ccc: 48 8b 56 08 mov rdx,QWORD PTR [rsi+0x8]
400cd0: bf 01 00 00 00 mov edi,0x1
400cd5: be 44 11 40 00 mov esi,0x401144
400cda: 31 c0 xor eax,eax
400cdc: e8 ff fd ff ff call 400ae0 <__printf_chk@plt>
400ce1: e9 7a ff ff ff jmp 400c60 <_Unwind_Resume@plt+0xc0>
400ce6: bf 78 11 40 00 mov edi,0x401178
400ceb: e8 c0 fd ff ff call 400ab0 <puts@plt>
400cf0: 48 8d bc 24 c0 00 00 lea rdi,[rsp+0xc0]
400cf7: 00
400cf8: ba 42 00 00 00 mov edx,0x42
400cfd: be c0 11 40 00 mov esi,0x4011c0
400d02: e8 19 fe ff ff call 400b20 <_Z8rc4_initP11rc4_state_tPhi@plt>
400d07: be 7b 11 40 00 mov esi,0x40117b
400d0c: 48 89 e7 mov rdi,rsp
400d0f: e8 2c fe ff ff call 400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
400d14: 48 8d b4 24 c0 00 00 lea rsi,[rsp+0xc0]
400d1b: 00
400d1c: 48 8d 7c 24 60 lea rdi,[rsp+0x60]
400d21: 48 89 e2 mov rdx,rsp
400d24: e8 77 fd ff ff call 400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
400d29: 48 8d 74 24 60 lea rsi,[rsp+0x60]
400d2e: 48 89 e7 mov rdi,rsp
400d31: e8 fa fd ff ff call 400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
400d36: 48 8b 7c 24 60 mov rdi,QWORD PTR [rsp+0x60]
400d3b: 48 8d 44 24 70 lea rax,[rsp+0x70]
400d40: 48 39 c7 cmp rdi,rax
400d43: 74 05 je 400d4a <_Unwind_Resume@plt+0x1aa>
400d45: e8 86 fd ff ff call 400ad0 <_ZdlPv@plt>
400d4a: 48 8b 3c 24 mov rdi,QWORD PTR [rsp]
400d4e: e8 fd fd ff ff call 400b50 <getenv@plt>
400d53: 48 85 c0 test rax,rax
400d56: 48 89 c3 mov rbx,rax
400d59: 0f 84 01 ff ff ff je 400c60 <_Unwind_Resume@plt+0xc0>
400d5f: 48 8d 7c 24 20 lea rdi,[rsp+0x20]
400d64: be 83 11 40 00 mov esi,0x401183
400d69: e8 d2 fd ff ff call 400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
400d6e: 48 8d 54 24 20 lea rdx,[rsp+0x20]
400d73: 48 8d b4 24 c0 00 00 lea rsi,[rsp+0xc0]
400d7a: 00
400d7b: 48 8d bc 24 80 00 00 lea rdi,[rsp+0x80]
400d82: 00
400d83: e8 18 fd ff ff call 400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
400d88: 48 8d b4 24 80 00 00 lea rsi,[rsp+0x80]
400d8f: 00
400d90: 48 8d 7c 24 20 lea rdi,[rsp+0x20]
400d95: e8 96 fd ff ff call 400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
400d9a: 48 8b bc 24 80 00 00 mov rdi,QWORD PTR [rsp+0x80]
400da1: 00
400da2: 48 8d 84 24 90 00 00 lea rax,[rsp+0x90]
400da9: 00
400daa: 48 39 c7 cmp rdi,rax
400dad: 74 05 je 400db4 <_Unwind_Resume@plt+0x214>
400daf: e8 1c fd ff ff call 400ad0 <_ZdlPv@plt>
400db4: 48 8b 4c 24 20 mov rcx,QWORD PTR [rsp+0x20]
400db9: 31 c0 xor eax,eax
400dbb: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
400dc0: 0f b6 14 03 movzx edx,BYTE PTR [rbx+rax*1]
400dc4: 84 d2 test dl,dl
400dc6: 74 05 je 400dcd <_Unwind_Resume@plt+0x22d>
400dc8: 3a 14 01 cmp dl,BYTE PTR [rcx+rax*1]
400dcb: 74 13 je 400de0 <_Unwind_Resume@plt+0x240>
400dcd: bf af 11 40 00 mov edi,0x4011af
400dd2: e8 d9 fc ff ff call 400ab0 <puts@plt>
400dd7: e9 84 fe ff ff jmp 400c60 <_Unwind_Resume@plt+0xc0>
400ddc: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
400de0: 48 83 c0 01 add rax,0x1
400de4: 48 83 f8 15 cmp rax,0x15
400de8: 75 d6 jne 400dc0 <_Unwind_Resume@plt+0x220>
400dea: 48 8d 7c 24 40 lea rdi,[rsp+0x40]
400def: be 99 11 40 00 mov esi,0x401199
400df4: e8 47 fd ff ff call 400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
400df9: 48 8d 54 24 40 lea rdx,[rsp+0x40]
400dfe: 48 8d b4 24 c0 00 00 lea rsi,[rsp+0xc0]
400e05: 00
400e06: 48 8d bc 24 a0 00 00 lea rdi,[rsp+0xa0]
400e0d: 00
400e0e: e8 8d fc ff ff call 400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
400e13: 48 8d b4 24 a0 00 00 lea rsi,[rsp+0xa0]
400e1a: 00
400e1b: 48 8d 7c 24 40 lea rdi,[rsp+0x40]
400e20: e8 0b fd ff ff call 400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
400e25: 48 8b bc 24 a0 00 00 mov rdi,QWORD PTR [rsp+0xa0]
400e2c: 00
400e2d: 48 8d 84 24 b0 00 00 lea rax,[rsp+0xb0]
400e34: 00
400e35: 48 39 c7 cmp rdi,rax
400e38: 74 05 je 400e3f <_Unwind_Resume@plt+0x29f>
400e3a: e8 91 fc ff ff call 400ad0 <_ZdlPv@plt>
400e3f: 48 8b 7c 24 40 mov rdi,QWORD PTR [rsp+0x40]
400e44: be a1 11 40 00 mov esi,0x4011a1
400e49: e8 a2 fc ff ff call 400af0 <fopen@plt>
400e4e: 48 85 c0 test rax,rax
400e51: 48 89 c5 mov rbp,rax
400e54: 0f 84 06 fe ff ff je 400c60 <_Unwind_Resume@plt+0xc0>
400e5a: 31 d2 xor edx,edx
400e5c: be b0 fc 01 00 mov esi,0x1fcb0
400e61: 48 89 c7 mov rdi,rax
400e64: e8 57 fc ff ff call 400ac0 <fseek@plt>
400e69: 85 c0 test eax,eax
400e6b: 89 c3 mov ebx,eax
400e6d: 0f 85 ed fd ff ff jne 400c60 <_Unwind_Resume@plt+0xc0>
400e73: 48 8d bc 24 d0 01 00 lea rdi,[rsp+0x1d0]
400e7a: 00
400e7b: 48 89 ea mov rdx,rbp
400e7e: be 21 00 00 00 mov esi,0x21
400e83: e8 88 fc ff ff call 400b10 <fgets@plt>
400e88: 48 85 c0 test rax,rax
400e8b: 0f 84 cf fd ff ff je 400c60 <_Unwind_Resume@plt+0xc0>
400e91: 48 89 ef mov rdi,rbp
400e94: c6 84 24 f0 01 00 00 mov BYTE PTR [rsp+0x1f0],0x0
400e9b: 00
400e9c: e8 df fc ff ff call 400b80 <fclose@plt>
400ea1: 48 8d 94 24 d0 01 00 lea rdx,[rsp+0x1d0]
400ea8: 00
400ea9: 4c 8d 84 24 c0 01 00 lea r8,[rsp+0x1c0]
400eb0: 00
400eb1: 48 89 d0 mov rax,rdx
400eb4: 48 89 d1 mov rcx,rdx
400eb7: 0f b6 31 movzx esi,BYTE PTR [rcx]
400eba: 0f b6 78 1f movzx edi,BYTE PTR [rax+0x1f]
400ebe: 48 83 e8 01 sub rax,0x1
400ec2: 48 83 c1 01 add rcx,0x1
400ec6: 40 88 79 ff mov BYTE PTR [rcx-0x1],dil
400eca: 40 88 70 20 mov BYTE PTR [rax+0x20],sil
400ece: 49 39 c0 cmp r8,rax
400ed1: 75 e4 jne 400eb7 <_Unwind_Resume@plt+0x317>
400ed3: 48 8d b4 24 f0 01 00 lea rsi,[rsp+0x1f0]
400eda: 00
400edb: eb 0e jmp 400eeb <_Unwind_Resume@plt+0x34b>
400edd: 83 e8 1a sub eax,0x1a
400ee0: 88 02 mov BYTE PTR [rdx],al
400ee2: 48 83 c2 01 add rdx,0x1
400ee6: 48 39 d6 cmp rsi,rdx
400ee9: 74 17 je 400f02 <_Unwind_Resume@plt+0x362>
400eeb: 0f be 02 movsx eax,BYTE PTR [rdx]
400eee: 8d 48 9f lea ecx,[rax-0x61]
400ef1: 80 f9 19 cmp cl,0x19
400ef4: 77 ec ja 400ee2 <_Unwind_Resume@plt+0x342>
400ef6: 83 c0 0d add eax,0xd
400ef9: 83 f8 7a cmp eax,0x7a
400efc: 7f df jg 400edd <_Unwind_Resume@plt+0x33d>
400efe: 88 02 mov BYTE PTR [rdx],al
400f00: eb e0 jmp 400ee2 <_Unwind_Resume@plt+0x342>
400f02: 48 8d 94 24 d0 01 00 lea rdx,[rsp+0x1d0]
400f09: 00
400f0a: be a4 11 40 00 mov esi,0x4011a4
400f0f: bf 01 00 00 00 mov edi,0x1
400f14: 31 c0 xor eax,eax
400f16: e8 c5 fb ff ff call 400ae0 <__printf_chk@plt>
400f1b: e9 45 fd ff ff jmp 400c65 <_Unwind_Resume@plt+0xc5>
400f20: e8 3b fc ff ff call 400b60 <__stack_chk_fail@plt>
400f25: 48 8b bc 24 a0 00 00 mov rdi,QWORD PTR [rsp+0xa0]
400f2c: 00
400f2d: 48 8d 94 24 b0 00 00 lea rdx,[rsp+0xb0]
400f34: 00
400f35: 48 89 c3 mov rbx,rax
400f38: 48 39 d7 cmp rdi,rdx
400f3b: 74 05 je 400f42 <_Unwind_Resume@plt+0x3a2>
400f3d: e8 8e fb ff ff call 400ad0 <_ZdlPv@plt>
400f42: 48 8b 7c 24 40 mov rdi,QWORD PTR [rsp+0x40]
400f47: 48 8d 44 24 50 lea rax,[rsp+0x50]
400f4c: 48 39 c7 cmp rdi,rax
400f4f: 74 05 je 400f56 <_Unwind_Resume@plt+0x3b6>
400f51: e8 7a fb ff ff call 400ad0 <_ZdlPv@plt>
400f56: 48 8b 7c 24 20 mov rdi,QWORD PTR [rsp+0x20]
400f5b: 48 8d 44 24 30 lea rax,[rsp+0x30]
400f60: 48 39 c7 cmp rdi,rax
400f63: 74 05 je 400f6a <_Unwind_Resume@plt+0x3ca>
400f65: e8 66 fb ff ff call 400ad0 <_ZdlPv@plt>
400f6a: 48 8b 3c 24 mov rdi,QWORD PTR [rsp]
400f6e: 48 8d 44 24 10 lea rax,[rsp+0x10]
400f73: 48 39 c7 cmp rdi,rax
400f76: 74 05 je 400f7d <_Unwind_Resume@plt+0x3dd>
400f78: e8 53 fb ff ff call 400ad0 <_ZdlPv@plt>
400f7d: 48 89 df mov rdi,rbx
400f80: e8 1b fc ff ff call 400ba0 <_Unwind_Resume@plt>
400f85: 48 89 c3 mov rbx,rax
400f88: eb b8 jmp 400f42 <_Unwind_Resume@plt+0x3a2>
400f8a: 48 8b bc 24 80 00 00 mov rdi,QWORD PTR [rsp+0x80]
400f91: 00
400f92: 48 8d 94 24 90 00 00 lea rdx,[rsp+0x90]
400f99: 00
400f9a: 48 89 c3 mov rbx,rax
400f9d: 48 39 d7 cmp rdi,rdx
400fa0: 75 9b jne 400f3d <_Unwind_Resume@plt+0x39d>
400fa2: eb 9e jmp 400f42 <_Unwind_Resume@plt+0x3a2>
400fa4: 48 8b 7c 24 60 mov rdi,QWORD PTR [rsp+0x60]
400fa9: 48 8d 54 24 70 lea rdx,[rsp+0x70]
400fae: 48 89 c3 mov rbx,rax
400fb1: 48 39 d7 cmp rdi,rdx
400fb4: 75 87 jne 400f3d <_Unwind_Resume@plt+0x39d>
400fb6: eb 8a jmp 400f42 <_Unwind_Resume@plt+0x3a2>
400fb8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
400fbf: 00
400fc0: 31 ed xor ebp,ebp
400fc2: 49 89 d1 mov r9,rdx
400fc5: 5e pop rsi
400fc6: 48 89 e2 mov rdx,rsp
400fc9: 48 83 e4 f0 and rsp,0xfffffffffffffff0
400fcd: 50 push rax
400fce: 54 push rsp
400fcf: 49 c7 c0 30 11 40 00 mov r8,0x401130
400fd6: 48 c7 c1 c0 10 40 00 mov rcx,0x4010c0
400fdd: 48 c7 c7 c0 0b 40 00 mov rdi,0x400bc0
400fe4: e8 17 fb ff ff call 400b00 <__libc_start_main@plt>
400fe9: f4 hlt
400fea: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
400ff0: b8 b7 20 60 00 mov eax,0x6020b7
400ff5: 55 push rbp
400ff6: 48 2d b0 20 60 00 sub rax,0x6020b0
400ffc: 48 83 f8 0e cmp rax,0xe
401000: 48 89 e5 mov rbp,rsp
401003: 76 1b jbe 401020 <_Unwind_Resume@plt+0x480>
401005: b8 00 00 00 00 mov eax,0x0
40100a: 48 85 c0 test rax,rax
40100d: 74 11 je 401020 <_Unwind_Resume@plt+0x480>
40100f: 5d pop rbp
401010: bf b0 20 60 00 mov edi,0x6020b0
401015: ff e0 jmp rax
401017: 66 0f 1f 84 00 00 00 nop WORD PTR [rax+rax*1+0x0]
40101e: 00 00
401020: 5d pop rbp
401021: c3 ret
401022: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
401026: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
40102d: 00 00 00
401030: be b0 20 60 00 mov esi,0x6020b0
401035: 55 push rbp
401036: 48 81 ee b0 20 60 00 sub rsi,0x6020b0
40103d: 48 c1 fe 03 sar rsi,0x3
401041: 48 89 e5 mov rbp,rsp
401044: 48 89 f0 mov rax,rsi
401047: 48 c1 e8 3f shr rax,0x3f
40104b: 48 01 c6 add rsi,rax
40104e: 48 d1 fe sar rsi,1
401051: 74 15 je 401068 <_Unwind_Resume@plt+0x4c8>
401053: b8 00 00 00 00 mov eax,0x0
401058: 48 85 c0 test rax,rax
40105b: 74 0b je 401068 <_Unwind_Resume@plt+0x4c8>
40105d: 5d pop rbp
40105e: bf b0 20 60 00 mov edi,0x6020b0
401063: ff e0 jmp rax
401065: 0f 1f 00 nop DWORD PTR [rax]
401068: 5d pop rbp
401069: c3 ret
40106a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
401070: 80 3d 39 10 20 00 00 cmp BYTE PTR [rip+0x201039],0x0 # 6020b0 <_edata@@Base>
401077: 75 11 jne 40108a <_Unwind_Resume@plt+0x4ea>
401079: 55 push rbp
40107a: 48 89 e5 mov rbp,rsp
40107d: e8 6e ff ff ff call 400ff0 <_Unwind_Resume@plt+0x450>
401082: 5d pop rbp
401083: c6 05 26 10 20 00 01 mov BYTE PTR [rip+0x201026],0x1 # 6020b0 <_edata@@Base>
40108a: f3 c3 repz ret
40108c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
401090: bf f0 1d 60 00 mov edi,0x601df0
401095: 48 83 3f 00 cmp QWORD PTR [rdi],0x0
401099: 75 05 jne 4010a0 <_Unwind_Resume@plt+0x500>
40109b: eb 93 jmp 401030 <_Unwind_Resume@plt+0x490>
40109d: 0f 1f 00 nop DWORD PTR [rax]
4010a0: b8 00 00 00 00 mov eax,0x0
4010a5: 48 85 c0 test rax,rax
4010a8: 74 f1 je 40109b <_Unwind_Resume@plt+0x4fb>
4010aa: 55 push rbp
4010ab: 48 89 e5 mov rbp,rsp
4010ae: ff d0 call rax
4010b0: 5d pop rbp
4010b1: e9 7a ff ff ff jmp 401030 <_Unwind_Resume@plt+0x490>
4010b6: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
4010bd: 00 00 00
4010c0: 41 57 push r15
4010c2: 41 56 push r14
4010c4: 41 89 ff mov r15d,edi
4010c7: 41 55 push r13
4010c9: 41 54 push r12
4010cb: 4c 8d 25 0e 0d 20 00 lea r12,[rip+0x200d0e] # 601de0 <_fini@@Base+0x200cac>
4010d2: 55 push rbp
4010d3: 48 8d 2d 0e 0d 20 00 lea rbp,[rip+0x200d0e] # 601de8 <_fini@@Base+0x200cb4>
4010da: 53 push rbx
4010db: 49 89 f6 mov r14,rsi
4010de: 49 89 d5 mov r13,rdx
4010e1: 4c 29 e5 sub rbp,r12
4010e4: 48 83 ec 08 sub rsp,0x8
4010e8: 48 c1 fd 03 sar rbp,0x3
4010ec: e8 77 f9 ff ff call 400a68 <_init@@Base>
4010f1: 48 85 ed test rbp,rbp
4010f4: 74 20 je 401116 <_Unwind_Resume@plt+0x576>
4010f6: 31 db xor ebx,ebx
4010f8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
4010ff: 00
401100: 4c 89 ea mov rdx,r13
401103: 4c 89 f6 mov rsi,r14
401106: 44 89 ff mov edi,r15d
401109: 41 ff 14 dc call QWORD PTR [r12+rbx*8]
40110d: 48 83 c3 01 add rbx,0x1
401111: 48 39 eb cmp rbx,rbp
401114: 75 ea jne 401100 <_Unwind_Resume@plt+0x560>
401116: 48 83 c4 08 add rsp,0x8
40111a: 5b pop rbx
40111b: 5d pop rbp
40111c: 41 5c pop r12
40111e: 41 5d pop r13
401120: 41 5e pop r14
401122: 41 5f pop r15
401124: c3 ret
401125: 90 nop
401126: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
40112d: 00 00 00
401130: f3 c3 repz ret
Disassembly of section .fini:
0000000000401134 <_fini@@Base>:
401134: 48 83 ec 08 sub rsp,0x8
401138: 48 83 c4 08 add rsp,0x8
40113c: c3 ret
binary@binary-VirtualBox:~/code/chapter5$
C
복사
5.9 gdb 명령어를 사용해 동적으로 문자열 버퍼 덤프하기
(gdb) b *0x400dc8
Breakpoint 1 at 0x400dc8
(gdb) set env GUESSME=foobar
(gdb) run show_me_the_flag
Starting program: /home/binary/code/chapter5/ctf show_me_the_flag
checking 'show_me_the_flag'
ok
(gdb) display/i $pc
1: x/i $pc
=> 0x400dc8: cmp (%rcx,%rax,1),%dl
(gdb) info registers rcx
rcx 0x615050 6377552
(gdb) x/s 0x615050
0x615050: "Crackers Don't Matter"
(gdb)
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601 ctf decoded_payload elf_header levels.db lib5ae9b7f.so oracle payload
binary@binary-VirtualBox:~/code/chapter5$ GUESSME="Crackers Don't Matter" ./ctf show_me_the_flag
checking 'show_me_the_flag'
ok
flag = 84b34c124b2ba5ca224af8e33b077e9e
C
복사
