본문 바로가기
reversing/reversing

SCTF Rev[100]

Richong 2018. 7. 7. 12:56
SMALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/usr/bin/env python
 
import gdb
import time
 
 
gdb.execute("set pagination off")
 
 
heap_bp = [0x401773]
 
 
 
circle = {'d':0x60764C'f':0x60764D ,'j':0x60764E'k':0x60764F}
 
"""
d_flag = '$rbp-0x4c'
f_flag = '$rbp-0x4b'
j_flag = '$rbp-0x4a'
k_flag = '$rbp-0x49'
"""
 
f_flag = 0x40145D
j_flag =0x40147D
k_flag = 0x40149D 
d_flag =0x40143D 
 
 
rip = 0x40176f
gdb.execute("break *{0}".format(hex(0x40145B)),True,True)
gdb.execute("break *{0}".format(hex(0x40147B)),True,True)
gdb.execute("break *{0}".format(hex(0x40149B)),True,True)
gdb.execute("break *{0}".format(hex(0x4014bB)),True,True)
 
for bp in heap_bp:
    gdb.execute("break *{0}".format(hex(bp)),True,True)
 
gdb.execute("r")
 
count = 0
cnt = 0
 
d_cnt = 0
f_cnt = 0
j_cnt = 0
k_cnt = 0
 
while True:
    #    print(count)
    d = gdb.execute("x/b "+str(circle['d']),True,True)
    f = gdb.execute("x/b "+str(circle['f']),True,True)
    j = gdb.execute("x/b "+str(circle['j']),True,True)
    k = gdb.execute("x/b "+str(circle['k']),True,True)
#    cnt = gdb.execute('x/wx $rbp-0x40',True,True)
 #   print(cnt)
 
    if '32' not in str(d):
        if d_cnt%20==0:
            gdb.execute("set $rip="+str(d_flag),True,True)
            gdb.execute('c')
            gdb.execute("set $rip="+str(rip),True,True)
            gdb.execute('c')
    #    d_cnt+=1
            f_cnt=0
            j_cnt=0
            k_cnt=0
            print('d')
        d_cnt+=1
    if '32' not in f:
        if f_cnt%20==0:
            gdb.execute("set $rip="+str(f_flag),True,True)
            gdb.execute('c')
            gdb.execute("set $rip="+str(rip),True,True)
            gdb.execute('c')
 #           f_cnt+=1
            d_cnt=0
            j_cnt=0
            k_cnt=0
            print('f')
        f_cnt+=1
    if '32' not in j:
        if j_cnt%20==0:
            gdb.execute("set $rip="+str(j_flag),True,True)
            gdb.execute('c')
            gdb.execute("set $rip="+str(rip),True,True)
            gdb.execute('c')
  #          j_cnt+=1
            d_cnt=0
            f_cnt=0
            k_cnt=0
 
            print('j')
        j_cnt+=1
    if '32' not in k :
        if k_cnt%20==0:
            gdb.execute("set $rip="+str(k_flag),True,True)
            gdb.execute('c')
            gdb.execute("set $rip="+str(rip),True,True)
            gdb.execute('c')
   #         k_cnt+=1
            j_cnt=0
            f_cnt=0
            d_cnt=0
        print('k')
        k_cnt+=1
#    break
    gdb.execute('c')
    count+=1
 
cs
LIST

'reversing > reversing' 카테고리의 다른 글

유니콘[Unicorn] 활용  (1) 2018.09.19
디바이스 동적분석 환경 구축 [1] - Pro1  (0) 2018.07.24
GO 언어 리버싱  (0) 2018.06.12
python gdb 백업  (0) 2018.04.01
gdbserver script  (0) 2018.03.28

'reversing/reversing' Related Articles

티스토리툴바