(gdb) disas run
Dump of assembler code for function run:
0x0804978a <run+0>: push ebp
0x0804978b <run+1>: mov ebp,esp
0x0804978d <run+3>: push ebx
0x0804978e <run+4>: sub esp,0x34
0x08049791 <run+7>: mov DWORD PTR [ebp-0xc],0x0 //val1(ebp-0xc) = result = 0 (32비트 DWORD)
0x08049798 <run+14>: mov DWORD PTR [ebp-0x10],0x0 //val2(ebp-0x10) = i = 0
0x0804979f <run+21>: jmp 0x80497fb <run+113>
0x080497a1 <run+23>: mov ebx,DWORD PTR [ebp-0x10] //ebx = val2 (i) — 원래 주석의 edx는 오타. random() 호출 뒤 바로 다음 mov에서 quad 인덱스로 쓰인다
0x080497a4 <run+26>: call 0x8048a98 <random@plt>
0x080497a9 <run+31>: mov DWORD PTR [ebp+ebx*4-0x20],eax //quad[i] = random(); quad 배열은 ebp-0x20에서 시작
0x080497ad <run+35>: mov eax,DWORD PTR [ebp-0x10]
0x080497b0 <run+38>: mov eax,DWORD PTR [ebp+eax*4-0x20]
0x080497b4 <run+42>: add DWORD PTR [ebp-0xc],eax //result += quad[i] (DWORD 덧셈이라 2^32에서 wrap)
0x080497b7 <run+45>: mov eax,DWORD PTR [ebp-0x10]
0x080497ba <run+48>: lea edx,[eax*4+0x0]
0x080497c1 <run+55>: lea eax,[ebp-0x20]
0x080497c4 <run+58>: add eax,edx
0x080497c6 <run+60>: mov DWORD PTR [esp+0x8],0x4
0x080497ce <run+68>: mov DWORD PTR [esp+0x4],eax
0x080497d2 <run+72>: mov DWORD PTR [esp],0x0
0x080497d9 <run+79>: call 0x8048ac8 <write@plt> //write(0, &quad[i], 4): quad[i]를 메모리 그대로 4바이트 보냄(x86이라 리틀엔디언). fd 0에 write하는 걸 보면 표준입출력이 소켓에 연결된 서비스로 보임
0x080497de <run+84>: cmp eax,0x4
0x080497e1 <run+87>: je 0x80497f7 <run+109>
0x080497e3 <run+89>: mov DWORD PTR [esp+0x4],0x8049c94
0x080497eb <run+97>: mov DWORD PTR [esp],0x1
0x080497f2 <run+104>: call 0x8048bc8 <errx@plt>
//0x8049c94 = ":(\n" — write()가 4바이트를 못 보내면 errx(1, ...)로 종료
0x080497f7 <run+109>: add DWORD PTR [ebp-0x10],0x1 //val2++;
0x080497fb <run+113>: cmp DWORD PTR [ebp-0x10],0x3 //val2(i)와 3 비교
0x080497ff <run+117>: jle 0x80497a1 <run+23> //i <= 3 (부호 있는 비교)이면 루프 본문으로 점프 → for(i = 0; i < 4; i++)
0x08049801 <run+119>: mov DWORD PTR [esp+0x8],0x4
0x08049809 <run+127>: lea eax,[ebp-0x24]
0x0804980c <run+130>: mov DWORD PTR [esp+0x4],eax
0x08049810 <run+134>: mov DWORD PTR [esp],0x0
0x08049817 <run+141>: call 0x8048b28 <read@plt> //read(0, &wanted(ebp-0x24), 4): 정확히 4바이트가 아니면 errx로 종료
0x0804981c <run+146>: cmp eax,0x4
0x0804981f <run+149>: je 0x8049835 <run+171>
0x08049821 <run+151>: mov DWORD PTR [esp+0x4],0x8049c98
0x08049829 <run+159>: mov DWORD PTR [esp],0x1
0x08049830 <run+166>: call 0x8048bc8 <errx@plt>
//0x8049c98 = ":<\n" — read()가 4바이트를 못 받으면 errx(1, ...)로 종료
0x08049835 <run+171>: mov eax,DWORD PTR [ebp-0x24]
0x08049838 <run+174>: cmp DWORD PTR [ebp-0xc],eax //result == wanted ? DWORD 비교이므로 보내는 합도 2^32으로 나눈 나머지여야 함
0x0804983b <run+177>: jne 0x804984b <run+193>
0x0804983d <run+179>: mov DWORD PTR [esp],0x8049c9c
0x08049844 <run+186>: call 0x8048c58 <puts@plt>
0x08049849 <run+191>: jmp 0x8049857 <run+205>
(gdb) x/s 0x8049c9c
0x8049c9c: "you added them correctly"
0x0804984b <run+193>: mov DWORD PTR [esp],0x8049cb5
0x08049852 <run+200>: call 0x8048c58 <puts@plt>
(gdb) x/s 0x8049cb5
0x8049cb5: "sorry, try again. invalid"
0x08049857 <run+205>: add esp,0x34
0x0804985a <run+208>: pop ebx
0x0804985b <run+209>: pop ebp
0x0804985c <run+210>: ret
저 위 부분은 동적 분석 없이는 해석이 애매해서 소스를 찾아봤는데
for(i = 0; i < 4; i++) {
quad[i] = random();
result += quad[i];
if(write(0, &(quad[i]), sizeof(result)) != sizeof(result)) {
errx(1, ":(\n");
}
}
if(read(0, &wanted, sizeof(result)) != sizeof(result)) {
errx(1, ":<\n");
이렇게 되어 있었음
뭐 찾아서 보면 random()을 4번 돌려서 결과를 quad 배열에 각각 집어넣고,
result에는 그 quad 배열 값을 전부 더한 값이 들어간다. result는 32비트 int라서(디스어셈블에서 DWORD로 더하고 DWORD로 비교) 합이 2^32을 넘으면 잘린다 — 익스플로잇에서도 합을 & 0xffffffff로 맞춰야 한다. 각 값은 write()로 메모리를 그대로 4바이트씩 보내므로 리틀엔디언('<I')으로 풀어야 한다.
그리고 유저에게 wanted라는 값을 입력받아서 result 값하고 같으면 깨는 거임.
import socket, struct
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.40.141', 2997))
result = 0
for i in range(4):
data = struct.unpack('<I', s.recv(4))[0]
result += data
print data
print result
s.send(struct.pack('<I', result))
print s.recv(1024)
s.close()
C:\Users\user>E:\pwnable\protostar\net2.py
110949206
655712397
760580171
1070980192
2598221966
you added them correctly