roaris / ctf-log

picoCTF: GDB Test Drive (Reverse Engineering) #16

Open roaris opened 3 months ago

roaris commented 3 months ago

https://play.picoctf.org/practice/challenge/273

Installing gdb+peda: https://roaris.github.io/logseq/#/page/65ae8ef4-7987-4368-992a-84dd1c553b0d

roaris commented 3 months ago

Following the steps in the problem statement yields the flag.

gdb-peda$ break *(main+99)
Breakpoint 1 at 0x132a
gdb-peda$ r
Starting program: /home/roaris/picoCTF/reversing/273/gdbme
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0x6630624760433530 ('05C`Gb0f')
RBX: 0x7fffffffe078 --> 0x7fffffffe31c ("/home/roaris/picoCTF/reversing/273/gdbme")
RCX: 0x7ffff7f9e840 --> 0x7ffff7fa0300 --> 0x0
RDX: 0x4e67646635656666 ('ffe5fdgN')
RSI: 0x7fffffffe078 --> 0x7fffffffe31c ("/home/roaris/picoCTF/reversing/273/gdbme")
RDI: 0x186a0
RBP: 0x7fffffffdf60 --> 0x1
RSP: 0x7fffffffdf10 --> 0x7fffffffe078 --> 0x7fffffffe31c ("/home/roaris/picoCTF/reversing/273/gdbme")
RIP: 0x55555555532a (<main+99>: call   0x555555555110 <sleep@plt>)
R8 : 0x555555555400 (<__libc_csu_fini>: endbr64)
R9 : 0x7ffff7fcfb10 (<_dl_fini>:        push   r15)
R10: 0x7ffff7fcb858 --> 0xa00120000000e
R11: 0x7ffff7fe1e30 (<_dl_audit_preinit>:       mov    eax,DWORD PTR [rip+0x1b022]        # 0x7ffff7ffce58 <_rtld_global_ro+888>)
R12: 0x0
R13: 0x7fffffffe088 --> 0x7fffffffe345 ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555531d <main+86>:    mov    QWORD PTR [rbp-0x18],rdx
   0x555555555321 <main+90>:    mov    BYTE PTR [rbp-0x10],0x0
   0x555555555325 <main+94>:    mov    edi,0x186a0
=> 0x55555555532a <main+99>:    call   0x555555555110 <sleep@plt>
   0x55555555532f <main+104>:   lea    rax,[rbp-0x30]
   0x555555555333 <main+108>:   mov    rsi,rax
   0x555555555336 <main+111>:   mov    edi,0x0
   0x55555555533b <main+116>:   call   0x555555555209 <rotate_encrypt>
Guessed arguments:
arg[0]: 0x186a0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf10 --> 0x7fffffffe078 --> 0x7fffffffe31c ("/home/roaris/picoCTF/reversing/273/gdbme")
0008| 0x7fffffffdf18 --> 0x100000000
0016| 0x7fffffffdf20 --> 0x0
0024| 0x7fffffffdf28 --> 0x0
0032| 0x7fffffffdf30 ("A:4@r%uL5b3F88bC05C`Gb0fffe5fdgN")
0040| 0x7fffffffdf38 ("5b3F88bC05C`Gb0fffe5fdgN")
0048| 0x7fffffffdf40 ("05C`Gb0fffe5fdgN")
0056| 0x7fffffffdf48 ("ffe5fdgN")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x000055555555532a in main ()
gdb-peda$ jump *(main+104)
Continuing at 0x55555555532f.
picoCTF{d3bugg3r_dr1v3_7776d758}
[Inferior 1 (process 1498) exited normally]
Warning: not running
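
An added example, not part of the original issue or the challenge's own code: the PEDA dump at the breakpoint already holds the encoded flag at `rbp-0x30` (stack offset 0032), so it can be decoded offline without jumping past `sleep`. It assumes `rotate_encrypt` is a ROT47 rotation, which is consistent with the buffer and the printed flag; all values are copied from the session above.

```python
import struct

# Values copied from the register and stack dump in the session above.
RAX = 0x6630624760433530   # PEDA renders this as '05C`Gb0f'
RDX = 0x4E67646635656666   # written by `mov QWORD PTR [rbp-0x18],rdx`
ENCODED_AT_RBP_MINUS_0X30 = "A:4@r%uL5b3F88bC05C`Gb0fffe5fdgN"


def qword_to_ascii(value: int) -> str:
    """Show a 64-bit register value as the bytes it occupies in memory.

    x86-64 is little-endian, so the lowest byte of the register is the
    first character of the string on the stack.
    """
    return struct.pack("<Q", value).decode("ascii")


def rot47(text: str) -> str:
    """Rotate printable ASCII (0x21..0x7e) by 47; applying it twice is a no-op.

    Assumption: this is what rotate_encrypt does to the buffer.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 0x21 <= code <= 0x7E:
            code = 0x21 + (code - 0x21 + 47) % 94
        out.append(chr(code))
    return "".join(out)


def recover_flag() -> str:
    # Cross-check the dump: the last 16 bytes of the buffer must match
    # the two qwords still held in RAX and RDX at the breakpoint.
    tail = qword_to_ascii(RAX) + qword_to_ascii(RDX)
    if not ENCODED_AT_RBP_MINUS_0X30.endswith(tail):
        raise ValueError("register values do not match the stack buffer")
    return rot47(ENCODED_AT_RBP_MINUS_0X30)


if __name__ == "__main__":
    print(recover_flag())
```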