roaris / ctf-log


SECCON Beginners CTF 2023: Poker #54

Open roaris opened 3 months ago

roaris commented 3 months ago

https://github.com/SECCON/SECCON_Beginners_CTF_2023/tree/main/reversing/poker

roaris commented 3 months ago
$ ./poker

██╗███╗   ██╗██████╗ ██╗ █████╗ ███╗   ██╗    ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
██║████╗  ██║██╔══██╗██║██╔══██╗████╗  ██║    ██╔══██╗██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
██║██╔██╗ ██║██║  ██║██║███████║██╔██╗ ██║    ██████╔╝██║   ██║█████╔╝ █████╗  ██████╔╝
██║██║╚██╗██║██║  ██║██║██╔══██║██║╚██╗██║    ██╔═══╝ ██║   ██║██╔═██╗ ██╔══╝  ██╔══██╗
██║██║ ╚████║██████╔╝██║██║  ██║██║ ╚████║    ██║     ╚██████╔╝██║  ██╗███████╗██║  ██║
╚═╝╚═╝  ╚═══╝╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═

================
| Score :   0  |
================

[?] Enter 1 or 2: 1
[-] Player 2 wins! Your score is reseted...

================
| Score :   0  |
================

[?] Enter 1 or 2: 2
[+] Player 2 wins! You got score!

================
| Score :   1  |
================

[?] Enter 1 or 2: 1
[-] Player 2 wins! Your score is reseted...

================
| Score :   0  |
================

[?] Enter 1 or 2:
roaris commented 3 months ago

Look at the main function in IDA. sub_21C3 appears to be the function that prints the "INDIAN POKER" banner that comes up first at run time. The value stored at rbp+var_8 is the loop counter; you can see that the loop runs 99 times in total, from 0 to 0x62 (=98). The value stored at rbp+var_4 is the current score. It is passed as the argument of sub_2222, which is the function that displays the current score. sub_2179 is the function that reads input; when 1 or 2 is entered, it returns the entered value. sub_1FB7 is called with the current score and the entered value as arguments. sub_1FB7 is fairly complex and hard to read at the assembly level. The return value of sub_1FB7 is stored in rbp+var_4. Then, if the value stored in rbp+var_4 (= the current score) is greater than 0x63 (=99), the loop is exited and sub_11A0 is called. Under normal execution the current score never becomes greater than 99. So sub_11A0 is presumably the function that prints the flag. sub_11A0 is obfuscated, and reading it at the assembly level is probably close to impossible (?).

main function (IDA screenshot)

sub_21C3 (IDA screenshot)

sub_2222 (IDA screenshot)

sub_2179 (IDA screenshot)

sub_1FB7 (IDA screenshot)

sub_11A0 (IDA screenshot)

roaris commented 3 months ago

The idea is to rewrite the current score to 100 in gdb and have sub_11A0 execute. However, when I try to set a breakpoint on the main function as below, gdb reports that main is not defined.

$ gdb -q poker
Reading symbols from poker...
(No debugging symbols found in poker)
gdb-peda$ b main
Function "main" not defined.

As the line "No debugging symbols found in poker" indicates, the symbol information in this binary has been stripped (removed).

You can see "stripped" at the end of the output of the file command.

$ file poker
poker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d0fc5db7a8f299ccf155729cc1183f5f6cb1bb4, for GNU/Linux 3.2.0, stripped

So why was IDA able to identify the main function?
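
The "stripped" verdict above can be checked without file(1): `strip` removes the static symbol table (`.symtab`, with its `.strtab`), which is what gdb needs to resolve `main`, while `.dynsym` survives because the dynamic linker needs it. The following is an added example, not code from the write-up or the challenge: a minimal ELF64 section-header parser (standard library only) plus a builder that constructs a tiny, non-executable ELF image to run it against. The section types the builder assigns are only approximately right; it exists to produce test input.

```python
"""Detect a stripped ELF64 binary by looking for a .symtab section (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"


def section_names(data: bytes) -> list[str]:
    """Return the names of all sections in a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # ELF64 header: e_shoff (u64) at 0x28; e_shentsize, e_shnum, e_shstrndx (u16) at 0x3a
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3a)
    if e_shnum == 0:
        return []  # section header table itself has been removed
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    headers = [
        struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        for i in range(e_shnum)
    ]
    strtab_off = headers[e_shstrndx][4]  # sh_offset of .shstrtab
    names = []
    for sh_name, *_ in headers:
        end = data.index(b"\x00", strtab_off + sh_name)
        names.append(data[strtab_off + sh_name:end].decode())
    return names


def is_stripped(data: bytes) -> bool:
    """True when no static symbol table is present, which is what file(1) reports as 'stripped'."""
    return ".symtab" not in section_names(data)


def entry_point(data: bytes) -> int:
    """e_entry (_start). For a PIE it is relative to the load base; it is the one
    fixed starting point a stripped binary still hands you."""
    return struct.unpack_from("<Q", data, 0x18)[0]


def build_minimal_elf(section_list: list[str], entry: int = 0x1060) -> bytes:
    """Construct a tiny ET_DYN x86-64 ELF image whose section table holds the given
    names plus .shstrtab. Constructed test input only; it is not runnable code."""
    names = [""] + section_list + [".shstrtab"]
    shstrtab = b"\x00".join(n.encode() for n in names) + b"\x00"
    offsets, pos = [], 0
    for n in names:                       # offset of each name inside .shstrtab
        offsets.append(pos)
        pos += len(n) + 1
    shstrtab_off = 64                     # string table right after the ELF header
    shoff = shstrtab_off + len(shstrtab)
    shoff += (-shoff) % 8                 # keep the section header table 8-byte aligned
    shstrndx = len(names) - 1
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3, 0x3E, 1, entry, 0, shoff, 0, 64, 56, 0, 64, len(names), shstrndx,
    )
    table = b""
    for i, n in enumerate(names):
        sh_type = 0 if i == 0 else 3 if n in (".shstrtab", ".strtab") else 2 if n == ".symtab" else 1
        off, size = (shstrtab_off, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        table += struct.pack("<IIQQQQIIQQ", offsets[i], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    body = header + shstrtab
    body += b"\x00" * (shoff - len(body))
    return body + table


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        img = f.read()
    print("stripped:", is_stripped(img), " entry:", hex(entry_point(img)))
```

Run it as `python3 elfcheck.py ./poker` (file name assumed) to get the same "stripped" answer as file(1) together with the entry point. The static answer to the question above is the same trick the debugger steps use dynamically: disassemblers follow `_start` from `e_entry` and recover `main` from the argument `_start` hands to `__libc_start_main`.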

roaris commented 3 months ago

https://greentea-hoge.hatenablog.com/entry/2021/03/06/190904 describes dynamic analysis when the symbol information is stripped. Let's follow that procedure.

1. Just run it first.

$ gdb -q poker
Reading symbols from poker...
(No debugging symbols found in poker)
gdb-peda$ r
Starting program: /home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

██╗███╗   ██╗██████╗ ██╗ █████╗ ███╗   ██╗    ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
██║████╗  ██║██╔══██╗██║██╔══██╗████╗  ██║    ██╔══██╗██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
██║██╔██╗ ██║██║  ██║██║███████║██╔██╗ ██║    ██████╔╝██║   ██║█████╔╝ █████╗  ██████╔╝
██║██║╚██╗██║██║  ██║██║██╔══██║██║╚██╗██║    ██╔═══╝ ██║   ██║██╔═██╗ ██╔══╝  ██╔══██╗
██║██║ ╚████║██████╔╝██║██║  ██║██║ ╚████║    ██║     ╚██████╔╝██║  ██╗███████╗██║  ██║
╚═╝╚═╝  ╚═══╝╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═

================
| Score :   0  |
================

[?] Enter 1 or 2: ^C
Program received signal SIGINT, Interrupt.
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0xfffffffffffffe00
RBX: 0x7ffff7f9eaa0 --> 0xfbad2288
RCX: 0x7ffff7ec2a5d (<__GI___libc_read+13>:    cmp    rax,0xfffffffffffff000)
RDX: 0x400
RSI: 0x55555555a6b0 --> 0x0
RDI: 0x0
RBP: 0x7ffff7f9b600 --> 0x0
RSP: 0x7fffffffd658 --> 0x7ffff7e4bd74 (<_IO_new_file_underflow+404>:    test   rax,rax)
RIP: 0x7ffff7ec2a5d (<__GI___libc_read+13>:    cmp    rax,0xfffffffffffff000)
R8 : 0x400
R9 : 0x410
R10: 0x1000
R11: 0x246
R12: 0x7ffff7f9f780 --> 0xfbad2a84
R13: 0xa68 ('h\n')
R14: 0x7ffff7f9ad00 --> 0x0
R15: 0x7ffff7f9b768 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7ec2a57 <__GI___libc_read+7>:     je     0x7ffff7ec2a70 <__GI___libc_read+32>
   0x7ffff7ec2a59 <__GI___libc_read+9>:     xor    eax,eax
   0x7ffff7ec2a5b <__GI___libc_read+11>:    syscall
=> 0x7ffff7ec2a5d <__GI___libc_read+13>:    cmp    rax,0xfffffffffffff000
   0x7ffff7ec2a63 <__GI___libc_read+19>:    ja     0x7ffff7ec2ac0 <__GI___libc_read+112>
   0x7ffff7ec2a65 <__GI___libc_read+21>:    ret
   0x7ffff7ec2a66 <__GI___libc_read+22>:    cs nop WORD PTR [rax+rax*1+0x0]
   0x7ffff7ec2a70 <__GI___libc_read+32>:    sub    rsp,0x28
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd658 --> 0x7ffff7e4bd74 (<_IO_new_file_underflow+404>:    test   rax,rax)
0008| 0x7fffffffd660 --> 0x7fffffffd778 --> 0x7ffff7e25ea8 (<__printf_buffer+136>:    mov    edi,DWORD PTR [rbx+0x20])
0016| 0x7fffffffd668 --> 0x7ffff7f9b600 --> 0x0
0024| 0x7fffffffd670 --> 0x7ffff7fc36a0 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
0032| 0x7fffffffd678 --> 0x7ffff7f9eaa0 --> 0xfbad2288
0040| 0x7fffffffd680 --> 0x7ffff7f9b600 --> 0x0
0048| 0x7fffffffd688 --> 0x7ffff7f9f580 --> 0x7ffff7f9b820 --> 0x7ffff7f625f7 --> 0x5a5400544d470043 ('C')
0056| 0x7fffffffd690 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGINT
0x00007ffff7ec2a5d in __GI___libc_read (fd=0x0, buf=0x55555555a6b0, nbytes=0x400) at ../sysdeps/unix/sysv/linux/read.c:26
26      ../sysdeps/unix/sysv/linux/read.c: No such file or directory.

2. Having run it once, libc is now dynamically linked in, so a breakpoint can be set on __libc_start_main, the function in libc that calls main.

gdb-peda$ b __libc_start_main
Breakpoint 1 at 0x7ffff7df2700: file ../csu/libc-start.c, line 311.

3. The address of main is passed as the first argument of __libc_start_main, so the value of the rdi register is the address of main.

gdb-peda$ b __libc_start_main
Breakpoint 1 at 0x7ffff7df2700: file ../csu/libc-start.c, line 311.
gdb-peda$ r
Starting program: /home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
RBX: 0x0
RCX: 0x5555555562e0 (endbr64)
RDX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RSI: 0x1
RDI: 0x555555556262 (endbr64)
RBP: 0x0
RSP: 0x7fffffffdfd8 --> 0x5555555550de (hlt)
RIP: 0x7ffff7df2700 (<__libc_start_main_impl>:    push   r15)
R8 : 0x555555556350 (endbr64)
R9 : 0x7ffff7fcfb10 (<_dl_fini>:    push   r15)
R10: 0x7ffff7fcb7c8 --> 0xa0012000000c1
R11: 0x206
R12: 0x5555555550b0 (endbr64)
R13: 0x7fffffffdff0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7df26f2 <__libc_start_call_main+162>:    jmp    0x7ffff7df26ca <__libc_start_call_main+122>
   0x7ffff7df26f4:    data16 cs nop WORD PTR [rax+rax*1+0x0]
   0x7ffff7df26ff:    nop
=> 0x7ffff7df2700 <__libc_start_main_impl>:    push   r15
   0x7ffff7df2702 <__libc_start_main_impl+2>:    mov    r15,rcx
   0x7ffff7df2705 <__libc_start_main_impl+5>:    push   r14
   0x7ffff7df2707 <__libc_start_main_impl+7>:    push   r13
   0x7ffff7df2709 <__libc_start_main_impl+9>:    push   r12
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd8 --> 0x5555555550de (hlt)
0008| 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0016| 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0024| 0x7fffffffdff0 --> 0x1
0032| 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
0040| 0x7fffffffe000 --> 0x0
0048| 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
0056| 0x7fffffffe010 --> 0x7fffffffe2ec ("LANG=en_US.UTF-8")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, __libc_start_main_impl (main=0x555555556262, argc=0x1, argv=0x7fffffffdff8, init=0x5555555562e0, fini=0x555555556350, rtld_fini=0x7ffff7fcfb10 <_dl_fini>, stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:311
311     ../csu/libc-start.c: No such file or directory.

0x555555556262 is the address of main.

4. Set a breakpoint on main and run (the breakpoint set on __libc_start_main has been deleted).

gdb-peda$ b *0x555555556262
Breakpoint 2 at 0x555555556262
gdb-peda$ info breakpoints
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00007ffff7df2700 in __libc_start_main_impl at ../csu/libc-start.c:311
        breakpoint already hit 1 time
2       breakpoint     keep y   0x0000555555556262
gdb-peda$ delete 1
gdb-peda$ r
Starting program: /home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x555555556262 (endbr64)
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7f9e840 --> 0x7ffff7fa0300 --> 0x0
RDX: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
RSI: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RDI: 0x1
RBP: 0x1
RSP: 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:    mov    edi,eax)
RIP: 0x555555556262 (endbr64)
R8 : 0x555555556350 (endbr64)
R9 : 0x7ffff7fcfb10 (<_dl_fini>:    push   r15)
R10: 0x7ffff7fcb858 --> 0xa00120000000e
R11: 0x7ffff7fe1e30 (<_dl_audit_preinit>:    mov    eax,DWORD PTR [rip+0x1b022]        # 0x7ffff7ffce58 <_rtld_global_ro+888>)
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555625f:    nop
   0x555555556260:    leave
   0x555555556261:    ret
=> 0x555555556262:    endbr64
   0x555555556266:    push   rbp
   0x555555556267:    mov    rbp,rsp
   0x55555555626a:    sub    rsp,0x10
   0x55555555626e:    mov    DWORD PTR [rbp-0x4],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:    mov    edi,eax)
0008| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0016| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0024| 0x7fffffffdf00 --> 0x155554040
0032| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
0040| 0x7fffffffdf10 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
0048| 0x7fffffffdf18 --> 0xfdcc92ad3261d288
0056| 0x7fffffffdf20 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x0000555555556262 in ?? ()
gdb-peda$
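
The four steps above can be driven from one batch-mode gdb invocation. This is an added example, not the write-up's or the blog post's code. It assumes an x86-64 SysV system (first argument in rdi), a gdb on PATH, and a dynamically linked glibc program; `set breakpoint pending on` registers the libc breakpoint before libc is mapped, so the separate "run it once first" step is not needed. The sample output embedded for the parser is constructed from the session shown above. gdb disables address-space randomization for the debuggee by default, which is why 0x555555556262 is stable from run to run inside gdb but not outside it.

```python
"""Find main in a stripped, dynamically linked binary via __libc_start_main (added example)."""
import re
import shutil
import subprocess
from typing import Optional

GDB_SCRIPT = [
    "set pagination off",
    "set breakpoint pending on",          # libc is not mapped yet when this runs
    "break __libc_start_main",
    "run",
    # At the breakpoint rdi holds the first argument of __libc_start_main: main.
    'printf "MAIN=0x%lx\\n", $rdi',
    "kill",                               # batch mode implies 'set confirm off'
]

MAIN_RE = re.compile(r"MAIN=(0x[0-9a-fA-F]+)")
# Fallback: when libc debug info is installed, gdb prints the arguments itself,
# exactly as in the "Breakpoint 1, __libc_start_main_impl (main=0x..." line above.
ARG_RE = re.compile(r"__libc_start_main\w*\s*\(main=(0x[0-9a-fA-F]+)")


def parse_main_address(gdb_output: str) -> Optional[int]:
    """Extract main's address from gdb's output, or None if it is not there."""
    m = MAIN_RE.search(gdb_output) or ARG_RE.search(gdb_output)
    return int(m.group(1), 16) if m else None


def gdb_argv(binary: str) -> list:
    """Build the batch-mode gdb command line that runs GDB_SCRIPT against `binary`."""
    argv = ["gdb", "-q", "-batch", "-nx"]     # -nx: skip .gdbinit (peda etc.)
    for cmd in GDB_SCRIPT:
        argv += ["-ex", cmd]
    return argv + ["--args", binary]


def find_main(binary: str, timeout: float = 30.0) -> Optional[int]:
    """Run gdb and return main's address; None if gdb is missing or nothing parsed."""
    if shutil.which("gdb") is None:
        return None
    proc = subprocess.run(gdb_argv(binary), capture_output=True, text=True,
                          timeout=timeout, stdin=subprocess.DEVNULL)
    return parse_main_address(proc.stdout + proc.stderr)


# Constructed sample, modelled on the gdb session in the write-up.
SAMPLE_OUTPUT = """\
Breakpoint 1, __libc_start_main_impl (main=0x555555556262, argc=0x1, argv=0x7fffffffdff8, init=0x5555555562e0, fini=0x555555556350, rtld_fini=0x7ffff7fcfb10 <_dl_fini>, stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:311
MAIN=0x555555556262
"""

if __name__ == "__main__":
    import sys
    addr = find_main(sys.argv[1]) if len(sys.argv) > 1 else parse_main_address(SAMPLE_OUTPUT)
    print("main at", hex(addr) if addr is not None else "unknown")
```

With the address in hand, the interactive session continues as in step 4: `b *<address>` and `r`. The `printf` line is what makes the script independent of libc debug symbols; the `(main=0x...)` frame line only appears when gdb can read libc's debug info, as it could on the machine above.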

roaris commented 3 months ago

Advance to this point.

gdb-peda$ n
[-] Player 2 wins! Your score is reseted...
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562ae (mov    DWORD PTR [rbp-0x4],eax)
R8 : 0x7ffff7f9e264 --> 0x27bbbc2eeb99685
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x4737484b ('KH7G')
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a5:      mov    esi,edx
   0x5555555562a7:      mov    edi,eax
   0x5555555562a9:      call   0x555555555fb7
=> 0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x0
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562ae in ?? ()
gdb-peda$

Rewrite the eax register to 100 and continue.

gdb-peda$ set $eax = 100
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x64 ('d')
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b1 (cmp    DWORD PTR [rbp-0x4],0x63)
R8 : 0x7ffff7f9e264 --> 0x27bbbc2eeb99685
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x4737484b ('KH7G')
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a7:      mov    edi,eax
   0x5555555562a9:      call   0x555555555fb7
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
=> 0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000000 ('')
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b1 in ?? ()
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x64 ('d')
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b5 (jle    0x5555555562c3)
R8 : 0x7ffff7f9e264 --> 0x27bbbc2eeb99685
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x4737484b ('KH7G')
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a9:      call   0x555555555fb7
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
=> 0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
                                                              JUMP is NOT taken
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000000 ('')
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b5 in ?? ()
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x64 ('d')
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b7 (call   0x5555555551a0)
R8 : 0x7ffff7f9e264 --> 0x27bbbc2eeb99685
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x4737484b ('KH7G')
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
=> 0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000000 ('')
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b7 in ?? ()
gdb-peda$ n
[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x8d41c1d4
RDX: 0x1d7b63bb
RSI: 0x55555555a2a0 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n\235  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7fffffffd9f0 --> 0x7fffffffda20 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n")
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562bc (mov    eax,0x0)
R8 : 0x0
R9 : 0x0
R10: 0xffffffff
R11: 0x200
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
=> 0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
   0x5555555562cb:      jle    0x555555556288
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000000 ('')
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562bc in ?? ()
gdb-peda$

The flag is obtained.

roaris commented 3 months ago

Of course, rewriting the value stored at rbp-0x4 to 100 before cmp DWORD PTR [rbp-0x4],0x63 executes also works. Reference: https://qiita.com/rarul/items/07b7d57040fab4eefce7

gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x2
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[+] Player 1 wins! You got score!\n\235╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b1 (cmp    DWORD PTR [rbp-0x4],0x63)
R8 : 0x7ffff7f9e264 --> 0xfddef853a9ac6dca
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x31ada3ef
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a7:      mov    edi,eax
   0x5555555562a9:      call   0x555555555fb7
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
=> 0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x200000001
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b1 in ?? ()
gdb-peda$ p/x *(int*)(0x7fffffffdedc) = 100
$13 = 0x64
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x2
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[+] Player 1 wins! You got score!\n\235╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b5 (jle    0x5555555562c3)
R8 : 0x7ffff7f9e264 --> 0xfddef853a9ac6dca
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x31ada3ef
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a9:      call   0x555555555fb7
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
=> 0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
                                                              JUMP is NOT taken
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000001
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b5 in ?? ()
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x2
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[+] Player 1 wins! You got score!\n\235╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b7 (call   0x5555555551a0)
R8 : 0x7ffff7f9e264 --> 0xfddef853a9ac6dca
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x31ada3ef
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
=> 0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000001
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b7 in ?? ()
gdb-peda$ n
[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x8d41c1d4
RDX: 0x1d7b63bb
RSI: 0x55555555a2a0 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n\235  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7fffffffd9f0 --> 0x7fffffffda20 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n")
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562bc (mov    eax,0x0)
R8 : 0x0
R9 : 0x0
R10: 0xffffffff
R11: 0x200
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
=> 0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
   0x5555555562cb:      jle    0x555555556288
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x6400000001
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562bc in ?? ()
gdb-peda$

It is also fine to rewrite the flags register before jle 0x5555555562c3 executes. The jle instruction jumps when ZF=1 or SF!=OF. Since SF=1 and OF=0 here, setting OF to 1 with set $eflags |= 1<<11 makes SF=OF. Which bit each flag occupies can be looked up at https://www.wdic.org/w/SCI/EFLAGS

gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b5 (jle    0x5555555562c3)
R8 : 0x7ffff7f9e264 --> 0x2e09c31f763f4039
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x5dacd55c
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562a9:      call   0x555555555fb7
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
=> 0x5555555562b5:      jle    0x5555555562c3
 | 0x5555555562b7:      call   0x5555555551a0
 | 0x5555555562bc:      mov    eax,0x0
 | 0x5555555562c1:      jmp    0x5555555562d2
 | 0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
 |->   0x5555555562c3:  add    DWORD PTR [rbp-0x8],0x1
       0x5555555562c7:  cmp    DWORD PTR [rbp-0x8],0x62
       0x5555555562cb:  jle    0x555555556288
       0x5555555562cd:  mov    eax,0x0
                                                                  JUMP is taken
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x0
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b5 in ?? ()
gdb-peda$ set $eflags |= 1<<11
gdb-peda$ n
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x7ffff7ec2b00 (<__GI___libc_write+16>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x55555555a2a0 ("[-] Player 2 wins! Your score is reseted...\n═══╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7ffff7fa0a30 --> 0x0
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562b7 (call   0x5555555551a0)
R8 : 0x7ffff7f9e264 --> 0x2e09c31f763f4039
R9 : 0x7ffff7f9e280 --> 0x8
R10: 0x5dacd55c
R11: 0x202
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0xa93 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x5555555562ae:      mov    DWORD PTR [rbp-0x4],eax
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
=> 0x5555555562b7:      call   0x5555555551a0
   0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x0
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562b7 in ?? ()
gdb-peda$ n
[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
RCX: 0x8d41c1d4
RDX: 0x1d7b63bb
RSI: 0x55555555a2a0 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n\235  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚"...)
RDI: 0x7fffffffd9f0 --> 0x7fffffffda20 ("[!] You got a FLAG! ctf4b{4ll_w3_h4v3_70_d3cide_1s_wh4t_t0_d0_w1th_7he_71m3_7h47_i5_g1v3n_u5}\n")
RBP: 0x7fffffffdee0 --> 0x1
RSP: 0x7fffffffded0 --> 0x100000000
RIP: 0x5555555562bc (mov    eax,0x0)
R8 : 0x0
R9 : 0x0
R10: 0xffffffff
R11: 0x200
R12: 0x0
R13: 0x7fffffffe008 --> 0x7fffffffe2dc ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555562b1:      cmp    DWORD PTR [rbp-0x4],0x63
   0x5555555562b5:      jle    0x5555555562c3
   0x5555555562b7:      call   0x5555555551a0
=> 0x5555555562bc:      mov    eax,0x0
   0x5555555562c1:      jmp    0x5555555562d2
   0x5555555562c3:      add    DWORD PTR [rbp-0x8],0x1
   0x5555555562c7:      cmp    DWORD PTR [rbp-0x8],0x62
   0x5555555562cb:      jle    0x555555556288
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x100000000
0008| 0x7fffffffded8 --> 0x0
0016| 0x7fffffffdee0 --> 0x1
0024| 0x7fffffffdee8 --> 0x7ffff7df26ca (<__libc_start_call_main+122>:  mov    edi,eax)
0032| 0x7fffffffdef0 --> 0x7fffffffdfe0 --> 0x7fffffffdfe8 --> 0x7ffff7fc3160 --> 0x7ffff7dcb000 --> 0x3010102464c457f
0040| 0x7fffffffdef8 --> 0x555555556262 (endbr64)
0048| 0x7fffffffdf00 --> 0x155554040
0056| 0x7fffffffdf08 --> 0x7fffffffdff8 --> 0x7fffffffe299 ("/home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00005555555562bc in ?? ()
gdb-peda$
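The following is an added example, not code from roaris's writeup: it models the `cmp DWORD PTR [rbp-0x4],0x63 ; jle ... ; call` sequence from the gdb session, recomputes the EFLAGS values peda printed (0x293 and 0xa93), and shows why forcing OF (bit 11) makes the jle fall through to the flag-printing call. The base EFLAGS value 0x202 (reserved bit 1 plus IF) is an assumption read off the page's own register dumps.

```python
# Added example (not part of the original writeup): model the
#   cmp DWORD PTR [rbp-0x4],0x63 ; jle ... ; call <flag function>
# sequence and show how the jle decision depends on ZF, SF and OF.

# Bit positions in x86 EFLAGS, in the order peda prints them.
FLAG_BITS = {"carry": 0, "parity": 2, "adjust": 4, "zero": 6, "sign": 7,
             "trap": 8, "interrupt": 9, "direction": 10, "overflow": 11}
ARITH_MASK = 0x8D5   # CF|PF|AF|ZF|SF|OF, the bits cmp rewrites
BASE_EFLAGS = 0x202  # assumption: reserved bit 1 + IF, as in the page's dumps


def describe_eflags(eflags):
    """Render EFLAGS peda-style: set flags upper case, clear flags lower case."""
    return " ".join(name.upper() if eflags >> bit & 1 else name
                    for name, bit in FLAG_BITS.items())


def cmp32_flags(a, b, base=BASE_EFLAGS):
    """EFLAGS after `cmp a, b` on 32-bit operands (computes a - b, discards it)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    res = (a - b) & 0xFFFFFFFF
    cf = int(a < b)                                 # unsigned borrow
    pf = int(bin(res & 0xFF).count("1") % 2 == 0)   # even parity of low byte
    af = (a ^ b ^ res) >> 4 & 1                     # borrow out of low nibble
    zf = int(res == 0)
    sf = res >> 31 & 1
    of = ((a ^ b) & (a ^ res)) >> 31 & 1            # signed overflow
    return (base & ~ARITH_MASK) | cf | pf << 2 | af << 4 | zf << 6 | sf << 7 | of << 11


def jle_taken(eflags):
    """jle jumps when ZF=1 or SF!=OF (signed less-or-equal)."""
    zf, sf, of = eflags >> 6 & 1, eflags >> 7 & 1, eflags >> 11 & 1
    return zf == 1 or sf != of


def reaches_flag_call(score, patch=None):
    """True when the call after the jle executes (score compared against 0x63).

    `patch`, if given, rewrites EFLAGS between cmp and jle, like
    `set $eflags |= 1<<11` did in the debugger session.
    """
    eflags = cmp32_flags(score, 0x63)
    if patch is not None:
        eflags = patch(eflags)
    return not jle_taken(eflags)


if __name__ == "__main__":
    for score, patch in [(0, None), (0, lambda f: f | 1 << 11), (100, None)]:
        ef = cmp32_flags(score, 0x63)
        ef = patch(ef) if patch else ef
        print(f"score={score:3d} eflags={ef:#05x} ({describe_eflags(ef)}) -> "
              f"{'flag call reached' if reaches_flag_call(score, patch) else 'skipped'}")
```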
roaris commented 3 months ago

It also occurs to me that one could simply set a breakpoint on the function that prints the flag. Checking in IDA, main is at 0x2262 and the flag-printing function (sub_11A0) is at 0x11A0. Since main's address at run time is 0x555555556262, subtracting 0x2262 - 0x11A0 from that address (=0x5555555551a0) should give the address of the flag-printing function. And indeed, since the disassembly shows call 0x5555555551a0, this is correct.

However, when I set a breakpoint at 0x5555555551a0 and ran the program, for some reason it prompted for input.

gdb-peda$ info breakpoints
Num     Type           Disp Enb Address            What
4       breakpoint     keep y   0x00005555555551a0
gdb-peda$ r
Starting program: /home/roaris/SECCON_Beginners_CTF_2023/reversing/poker/files/poker
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

██╗███╗   ██╗██████╗ ██╗ █████╗ ███╗   ██╗    ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
██║████╗  ██║██╔══██╗██║██╔══██╗████╗  ██║    ██╔══██╗██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
██║██╔██╗ ██║██║  ██║██║███████║██╔██╗ ██║    ██████╔╝██║   ██║█████╔╝ █████╗  ██████╔╝
██║██║╚██╗██║██║  ██║██║██╔══██║██║╚██╗██║    ██╔═══╝ ██║   ██║██╔═██╗ ██╔══╝  ██╔══██╗
██║██║ ╚████║██████╔╝██║██║  ██║██║ ╚████║    ██║     ╚██████╔╝██║  ██╗███████╗██║  ██║
╚═╝╚═╝  ╚═══╝╚═════╝ ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═

================
| Score :   0  |
================

[?] Enter 1 or 2:
roaris commented 3 months ago

Also, PIE seems to be enabled, but why is main's address fixed at 0x555555556262 every time?

$ checksec --file=poker
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified                                          Fortifiable      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols        No    0                                                  2        poker