在linux里无法执行,于是查看文件发现没有执行权限,sudo chmod u+x 进行修改
放进ida,找不到main函数,只能找到这个__libc_start_main
.text:00000000004004AF mov r8, offset nullsub_1
.text:00000000004004B6 mov rcx, offset loc_4019A0
.text:00000000004004BD mov rdi, offset sub_400596
.text:00000000004004C4 call ___libc_start_main
而__libc_start_main定义如下,则可判定通过rdi传递的参数 sub_400596 即为 main 函数
int __libc_start_main(int *(main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end));
发现静态调试太复杂,结合 kali 下 edb 动态调试,以下是部分汇编代码
.text:00000000004005AE lea rdx, [rbp+var_140] ; 给140清零
.text:00000000004005B5 mov eax, 0
.text:00000000004005BA mov ecx, 25h
.text:00000000004005BF mov rdi, rdx
.text:00000000004005C2 rep stosq
.text:00000000004005C5 mov rax, 6A20612049206D41h ; 在140 存歌词
.text:00000000004005CF mov [rbp+var_140], rax
.text:00000000004005D6 mov rax, 756F79202C656B6Fh
.text:00000000004005E0 mov [rbp+var_138], rax
.text:00000000004005E7 mov rax, 746867696E6B2072h
.text:00000000004005F1 mov [rbp+var_130], rax
.text:00000000004005F8 mov rax, 756F7920726F202Ch
.text:0000000000400602 mov [rbp+var_128], rax
.text:0000000000400609 mov rax, 6568746F72622072h
.text:0000000000400613 mov [rbp+var_120], rax
.text:000000000040061A mov [rbp+var_118], 3F72h
main 的开始就是这样的过程,先给一片区域清零然后放入歌词;然后是一大片赋值,把各个歌词的首地址存到另一个地方
.text:000000000040138D lea rax, [rbp+var_1900] ; 转存到另一个地址
.text:0000000000401394 mov [rbp+var_D50], rax
.text:000000000040139B lea rax, [rbp+var_17D0]
.text:00000000004013A2 mov [rbp+var_D48], rax
.text:00000000004013A9 lea rax, [rbp+var_1570]
.text:00000000004013B0 mov [rbp+var_D40], rax
.text:00000000004013B7 lea rax, [rbp+var_140]
.text:00000000004013BE mov [rbp+var_D38], rax
.text:00000000004013C5 lea rax, [rbp+var_11E0]
.text:00000000004013CC mov [rbp+var_1470], rax
.text:00000000004013D3 lea rax, [rbp+var_1900]
.text:00000000004013DA mov [rbp+var_1468], rax
最后栈空间大概是这样
00007ffc:2f3ae770|7327746920776f4e|Now it's|
00007ffc:2f3ae778|67203b656e6f6720| gone; g|
00007ffc:2f3ae780|65726f6620656e6f|one fore|
00007ffc:2f3ae788|000000002c726576|ver,....|
00007ffc:2f3ae790|0000000000000000|........|
00007ffc:2f3ae7a0|0000000000000000|........|
......
00007ffc:2f3ae860|0000000000000000|........|
00007ffc:2f3ae868|0000000000000000|........|
00007ffc:2f3ae870|00007ffc2f3adf20| .:/....|ASCII "But I guess, what does it matter"
00007ffc:2f3ae878|00007ffc2f3ae180|..:/....|ASCII "What am I to you?"
00007ffc:2f3ae880|00007ffc2f3aeb00|..:/....|ASCII "Everyone... Bubblegum... I'm so dumb"
00007ffc:2f3ae888|00007ffc2f3af5b0|..:/....|ASCII "And you, Jake."
00007ffc:2f3ae890|0000000000000321|!.......|
00007ffc:2f3ae898|0000000000000000|........|
00007ffc:2f3ae8a0|206f6e20656b614d|Make no |
00007ffc:2f3ae8a8|21656b617473696d|mistake!|
00007ffc:2f3ae8b0|0000000000000000|........|
00007ffc:2f3ae8b8|0000000000000000|........|
......
00007ffc:2f3ae990|0000000000000000|........|
00007ffc:2f3ae998|0000000000000000|........|
00007ffc:2f3ae9a0|00007ffc2f3af350|P.:/....|ASCII "Do you look down on me 'cause I'm younger?"
00007ffc:2f3ae9a8|00007ffc2f3af480|..:/....|ASCII "I'm gonna sing a song that feels so real, it'll make this door break!"
00007ffc:2f3ae9b0|00007ffc2f3af810|..:/....|ASCII "Am I a joke, your knight, or your brother?"
00007ffc:2f3ae9b8|00007ffc2f3af5b0|..:/....|ASCII "And you, Jake."
上面一部分是歌词,下面一部分是索引
这两个在 main 函数开头的赋值也很值得琢磨,说明此程序需要参数,这也就是为什么程序会出现段错误
.text:00000000004005A1 mov [rbp+var_1C94], edi ; 1C94 = argc
.text:00000000004005A7 mov [rbp+var_1CA0], rsi ; 1CA0 = argv
下面就是主要的逻辑部分
v380 = &v235;
v379 = 1;
v378 = 0;
while ( 1 )
{
v377 = *argv[1];
if ( !v377 )
break;
if ( v379 & 1 )
v378 *= v379;
else
v378 /= v379;
v378 += (v377 - 32) * *((_DWORD *)v380 + 72);
v380 = (__int64 *)v380[v377 - 65 + 32LL];
++v379;
++argv[1];
}
暂且不用管v378的值;edb 指示出 v380 一开始指向 Everyone, Bubblegum, I’m so dumb,在网上可以找到一首名为 My Best Friends in the World 的歌曲,其开头就是 Everyone, Bubblegum, I’m so dumb,推测我们需要按照歌词的顺序“唱歌”,即选择正确的路径进行跳转Everyone, Bubblegum, I’m so dumb 的首地址为 7fffc2f3aeb00,而其下方第一个歌词索引的地址为 7fffc2f3aec00,两者相减为 0x100 = 256,除 8 等于 32,因此 v377 如果为 65 就选第一个索引,65 即 ‘A’,接下来就是选择题了
转自实验吧,原文作者实验吧ID faaaaaaaaaaaaaaa