flag
Question
Papa brought me a packed present! let's open it.
Download : http://pwnable.kr/bin/flag
This is reversing task. all you need is binary
Writeup
- Check the file type:
```
root@kali:~/CTF/pwnable# file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
```
- Run it:
```
root@kali:~/CTF/pwnable# ./flag
I will malloc() and strcpy the flag there. take it.
```
- Inspect the end of the file with xxd:
```
root@kali:~/CTF/pwnable# xxd flag | tail
00051d20: 77c4 8a1d b0f1 d302 6973 b0a0 c023 8d6d  w.......is...#.m
00051d30: 616b 424e 9948 2c86 8ec3 0232 2a45 db17  akBN.H,....2*E..
00051d40: 0981 0be3 b91f 2656 2211 c349 4608 1fb8  ......&V"..IF...
00051d50: 3b9d c5c0 e820 1e5f 5f00 01a2 30b0 9943  ;.... .__...0..C
00051d60: e968 58b1 f464 65e3 b58b 137a 54de 7375  .hX..de....zT.su
00051d70: 6022 5d52 d7e5 00bb c625 8581 116d 4992  `"]R.....%...mI.
00051d80: 9041 9f00 a092 24ff 0000 0000 5550 5821  .A....$.....UPX!
00051d90: 0000 0000 5550 5821 0d16 0807 19cc 204a  ....UPX!...... J
00051da0: dbd8 21c5 3145 0100 5e70 0000 217c 0d00  ..!.1E..^p..!|..
00051db0: 4919 0089 bc00 0000                      I.......
```
- checksec (a handy tool for analyzing a binary's protection mechanisms):
```
root@kali:~/CTF/pwnable# checksec flag
[*] '/root/CTF/pwnable/flag'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE
    Packer:   Packed with UPX
```
- The binary appears to be packed with UPX.

Unpack it with upx:
```
root@kali:~/CTF/pwnable# upx -q -d flag -o flag_upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    887219 <-    335288   37.79%  linux/ElfAMD   flag_upx

Unpacked 1 file.
```
Load the unpacked flag_upx into IDA Pro for analysis:
- In main you can see a reference to `cs:flag`.
- Double-clicking it reveals the flag:
UPX...? sounds like a delivery service :)
Running `strings` directly on the unpacked binary also reveals the flag:
```
root@kali:~/CTF/pwnable# strings flag_upx | grep -iC2 flag
[]A\A]
UPX...? sounds like a delivery service :)
I will malloc() and strcpy the flag there. take it.
```
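
The packer identification done above by eye with `xxd | tail` and checksec can also be scripted as a static triage step. The following is an added example, not part of the original writeup: it reports every `UPX!` marker offset, the ELF section header count and the byte entropy of a file without executing it. The function names, the 7.0 entropy threshold, the "no section headers" heuristic and the sample images are assumptions made for this illustration.

```python
import math
import struct
from collections import Counter

UPX_MAGIC = b"UPX!"  # marker seen twice in the xxd tail of the packed file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or packed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_all(data: bytes, needle: bytes) -> list:
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def triage_elf(data: bytes) -> dict:
    """Static triage of an ELF64 little-endian image; the file is never run."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_shnum = struct.unpack_from("<H", data, 0x3C)[0]  # section header count
    markers = find_all(data, UPX_MAGIC)
    entropy = shannon_entropy(data)
    # Heuristic (assumption): the marker alone could be a stray string, so also
    # require a missing section header table or high overall entropy.
    packed = bool(markers) and (e_shnum == 0 or entropy > 7.0)
    return {"upx_offsets": markers, "e_shnum": e_shnum,
            "entropy": round(entropy, 2), "likely_upx": packed}

def sample_elf(shnum: int, body: bytes) -> bytes:
    """Constructed 64-byte ELF64 header plus body, for demonstration only."""
    hdr = bytearray(64)
    hdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<H", hdr, 0x3C, shnum)
    return bytes(hdr) + body

if __name__ == "__main__":
    # Constructed samples: high-entropy body with two markers 8 bytes apart,
    # and a low-entropy body with section headers and no marker.
    packed = sample_elf(0, bytes(range(256)) * 16 + UPX_MAGIC + b"\0" * 4 + UPX_MAGIC)
    plain = sample_elf(5, b"hello world\0" * 200)
    for name, blob in (("packed-like", packed), ("plain-like", plain)):
        print(name, triage_elf(blob))
```

To use it on a real file, pass `open(path, "rb").read()` to `triage_elf`.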