The exercise goes: we examine the file with gdb and see that it is loading an encoded shellcode onto the stack and storing the XOR decoding key in rbx. We need to decode the shellcode after it is loaded onto the stack and then run the shellcode to get the flag.
Here is the objdump of the initial file:
loaded_shellcode: file format elf64-x86-64
Disassembly of section .text:
0000000000401000 <_start>:
401000: 48 b8 d7 4b de 7c 5c movabs rax,0xa284ee5c7cde4bd7
401007: ee 84 a2
40100a: 50 push rax
40100b: 48 b8 9a 84 10 05 11 movabs rax,0x935add110510849a
401012: dd 5a 93
401015: 50 push rax
401016: 48 b8 00 75 69 ab 9d movabs rax,0x10b29a9dab697500
40101d: 9a b2 10
401020: 50 push rax
401021: 48 b8 9a 45 96 0d eb movabs rax,0x200ce3eb0d96459a
401028: e3 0c 20
40102b: 50 push rax
40102c: 48 b8 62 84 10 05 e3 movabs rax,0xe64c30e305108462
401033: 30 4c e6
401036: 50 push rax
401037: 48 b8 51 0c 3e 7c 5c movabs rax,0x69cd355c7c3e0c51
40103e: 35 cd 69
401041: 50 push rax
401042: 48 b8 d6 85 a1 84 25 movabs rax,0x65659a2584a185d6
401049: 9a 65 65
40104c: 50 push rax
40104d: 48 b8 00 50 6c 6c 50 movabs rax,0x69ff00506c6c5000
401054: 00 ff 69
401057: 50 push rax
401058: 48 b8 81 56 50 aa 34 movabs rax,0x3127e434aa505681
40105f: e4 27 31
401062: 50 push rax
401063: 48 b8 48 ff 69 1e 57 movabs rax,0x6af2a5571e69ff48
40106a: a5 f2 6a
40106d: 50 push rax
40106e: 48 b8 e6 09 07 f2 af movabs rax,0x6d179aaff20709e6
401075: 9a 17 6d
401078: 50 push rax
401079: 48 b8 c9 f1 5b 31 52 movabs rax,0x9ae3f152315bf1c9
401080: f1 e3 9a
401083: 50 push rax
401084: 48 b8 9a 17 00 09 bb movabs rax,0x373ab4bb0900179a
40108b: b4 3a 37
40108e: 50 push rax
40108f: 48 b8 a3 a2 9a 05 44 movabs rax,0x69751244059aa2a3
401096: 12 75 69
401099: 50 push rax
40109a: 48 bb d2 44 21 4d 14 movabs rbx,0x2144d2144d2144d2
4010a1: d2 44 21
This is the assembly code I'm using:
global _start
section .text
_start:
    ; push the 14 encoded qwords exactly as the challenge binary does;
    ; the last push (0x69751244059aa2a3) ends up at rsp
    mov rax, 0xa284ee5c7cde4bd7
    push rax
    mov rax, 0x935add110510849a
    push rax
    mov rax, 0x10b29a9dab697500
    push rax
    mov rax, 0x200ce3eb0d96459a
    push rax
    mov rax, 0xe64c30e305108462
    push rax
    mov rax, 0x69cd355c7c3e0c51
    push rax
    mov rax, 0x65659a2584a185d6
    push rax
    mov rax, 0x69ff00506c6c5000
    push rax
    mov rax, 0x3127e434aa505681
    push rax
    mov rax, 0x6af2a5571e69ff48
    push rax
    mov rax, 0x6d179aaff20709e6
    push rax
    mov rax, 0x9ae3f152315bf1c9
    push rax
    mov rax, 0x373ab4bb0900179a
    push rax
    mov rax, 0x69751244059aa2a3
    push rax
    ; XOR key, same register the original binary uses
    mov rbx, 0x2144d2144d2144d2
    mov rdx, rsp        ; rdx walks the 14 qwords from rsp upward
    mov rcx, 14         ; loop counter (was "add rcx, 14", which used an uninitialised rcx)
decrypt:
    xor [rdx], rbx      ; decode one qword in place
    add rdx, 8
    loop decrypt
    ; decoding done; exit cleanly so the decoded stack can be inspected in gdb
    ; (the original "sub rsp, 8 / call decrypt" fell through into the loop a second time)
    mov eax, 60         ; SYS_exit
    xor edi, edi
    syscall
After going over $rdx with gdb and appending the values, it spits out the following shellcode:
69751244059aa2a3373ab4bb0900179a9ae3f152315bf1c96d179aaff20709e66af2a5571e69ff483127e434aa50568169ff00506c6c500065659a2584a185d669cd355c7c3e0c51e64c30e305108462200ce3eb0d96459a10b29a9dab697500935add110510849aa284ee5c7cde4bd7
I'm supposed to get a flag to complete the exercise, but I get an empty response. Where did I go wrong?
The breakpoint must be placed on add rdx,8, not on xor [rdx],rbx.
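To see why the breakpoint position matters, the following added Python script (not part of the question or answer) replays the page's decrypt loop offline: it lays the 14 pushed qwords out as the stack, XORs each with the rbx key, and reports what [rdx] holds once the xor of a given iteration has executed. The concatenated dump from the question is embedded as a constant so it can be compared against the encoded and decoded forms; all constants are taken from the page, and the function names are my own.

```python
import struct

# The 14 qwords in the order the binary pushes them, and the XOR key in rbx
# (all values copied from the objdump on the page).
PUSHED_QWORDS = [
    0xa284ee5c7cde4bd7, 0x935add110510849a, 0x10b29a9dab697500, 0x200ce3eb0d96459a,
    0xe64c30e305108462, 0x69cd355c7c3e0c51, 0x65659a2584a185d6, 0x69ff00506c6c5000,
    0x3127e434aa505681, 0x6af2a5571e69ff48, 0x6d179aaff20709e6, 0x9ae3f152315bf1c9,
    0x373ab4bb0900179a, 0x69751244059aa2a3,
]
KEY = 0x2144d2144d2144d2
# The hex string the question reports after "appending the values" read from $rdx.
DUMP_FROM_QUESTION = (
    "69751244059aa2a3373ab4bb0900179a9ae3f152315bf1c96d179aaff20709e6"
    "6af2a5571e69ff483127e434aa50568169ff00506c6c500065659a2584a185d6"
    "69cd355c7c3e0c51e64c30e305108462200ce3eb0d96459a10b29a9dab697500"
    "935add110510849aa284ee5c7cde4bd7"
)

def build_stack(qwords):
    """Lay the pushes out as memory: each push stores a little-endian qword
    below the previous one, so the last push ends up at rsp (offset 0)."""
    stack = b""
    for value in qwords:
        stack = struct.pack("<Q", value) + stack
    return stack

def decrypt(stack, key, count=14):
    """Mirror of the decrypt loop: rdx starts at rsp, each iteration XORs the
    qword at [rdx] with rbx and then advances rdx by 8."""
    buf = bytearray(stack)
    for i in range(count):
        qword, = struct.unpack_from("<Q", buf, i * 8)
        struct.pack_into("<Q", buf, i * 8, qword ^ key)
    return bytes(buf)

def qwords_at_rsp(stack, count=14):
    """Qwords as gdb prints them (x/14gx $rsp): from rsp upward, big-endian hex."""
    return [struct.unpack_from("<Q", stack, i * 8)[0] for i in range(count)]

def concat_hex(qwords):
    """Concatenate qwords the way the question did when building its dump."""
    return "".join(f"{q:016x}" for q in qwords)

def expected_after_xor(step):
    """Value of [rdx] once iteration `step` (0-based) has executed its xor,
    i.e. what gdb shows when stopped on `add rdx, 8`, not on the xor itself."""
    return qwords_at_rsp(build_stack(PUSHED_QWORDS))[step] ^ KEY

if __name__ == "__main__":
    before = qwords_at_rsp(build_stack(PUSHED_QWORDS))
    after = qwords_at_rsp(decrypt(build_stack(PUSHED_QWORDS), KEY))
    for i, (enc, dec) in enumerate(zip(before, after)):
        print(f"rsp+{i * 8:3d}: {enc:016x} -> {dec:016x}")
```

Running it shows that the dump in the question is byte-for-byte the encoded constants, which is what a breakpoint on the xor instruction (stopping before it executes) reads back.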