RingZer0-11 - Time to Learn x86 ASM & gdb
Time to learn x86 ASM & gdb
Started by loading the binary in gdb and running pdisass.
I'm using gdb-peda, so I look at the code and we can see that a block of memory
is being allocated (the malloc call). It looks like the program is then writing
values into that memory.
So what I decide to do is set up a breakpoint near the end and look at the EAX register.
pdisass
Dump of assembler code for function main:
0x0804846c <+0>: push ebp
0x0804846d <+1>: mov ebp,esp
0x0804846f <+3>: push edi
0x08048470 <+4>: and esp,0xfffffff0
0x08048473 <+7>: sub esp,0x30
0x08048476 <+10>: mov DWORD PTR [esp+0x2c],0x0
0x0804847e <+18>: mov DWORD PTR [esp],0x18
0x08048485 <+25>: call 0x8048330 <malloc@plt>
0x0804848a <+30>: mov DWORD PTR [esp+0x2c],eax
0x0804848e <+34>: mov DWORD PTR [esp+0x8],0x18
0x08048496 <+42>: mov DWORD PTR [esp+0x4],0x0
0x0804849e <+50>: mov eax,DWORD PTR [esp+0x2c]
0x080484a2 <+54>: mov DWORD PTR [esp],eax
0x080484a5 <+57>: call 0x8048370 <memset@plt>
0x080484aa <+62>: mov eax,DWORD PTR [esp+0x2c]
0x080484ae <+66>: mov DWORD PTR [eax],0x47414c46
0x080484b4 <+72>: mov DWORD PTR [eax+0x4],0x3930342d
0x080484bb <+79>: mov WORD PTR [eax+0x8],0x32
0x080484c1 <+85>: mov eax,DWORD PTR [esp+0x2c]
0x080484c5 <+89>: mov DWORD PTR [esp+0x1c],0xffffffff
0x080484cd <+97>: mov edx,eax
0x080484cf <+99>: mov eax,0x0
0x080484d4 <+104>: mov ecx,DWORD PTR [esp+0x1c]
0x080484d8 <+108>: mov edi,edx
0x080484da <+110>: repnz scas al,BYTE PTR es:[edi]
0x080484dc <+112>: mov eax,ecx
0x080484de <+114>: not eax
0x080484e0 <+116>: lea edx,[eax-0x1]
0x080484e3 <+119>: mov eax,DWORD PTR [esp+0x2c]
0x080484e7 <+123>: add eax,edx
0x080484e9 <+125>: mov DWORD PTR [eax],0x75393438
0x080484ef <+131>: mov DWORD PTR [eax+0x4],0x6a326f69
0x080484f6 <+138>: mov WORD PTR [eax+0x8],0x66
0x080484fc <+144>: mov DWORD PTR [esp],0x80485f8
0x08048503 <+151>: call 0x8048340 <puts@plt>
0x08048508 <+156>: mov eax,DWORD PTR [esp+0x2c]
0x0804850c <+160>: mov DWORD PTR [esp+0x1c],0xffffffff
0x08048514 <+168>: mov edx,eax
0x08048516 <+170>: mov eax,0x0
0x0804851b <+175>: mov ecx,DWORD PTR [esp+0x1c]
0x0804851f <+179>: mov edi,edx
0x08048521 <+181>: repnz scas al,BYTE PTR es:[edi]
0x08048523 <+183>: mov eax,ecx
0x08048525 <+185>: not eax
0x08048527 <+187>: lea edx,[eax-0x1]
0x0804852a <+190>: mov eax,DWORD PTR [esp+0x2c]
0x0804852e <+194>: add eax,edx
0x08048530 <+196>: mov DWORD PTR [eax],0x6a736c6b
0x08048536 <+202>: mov DWORD PTR [eax+0x4],0x6c6b34
0x0804853d <+209>: mov DWORD PTR [esp],0x8048603
=> 0x08048544 <+216>: call 0x8048340 <puts@plt>
0x08048549 <+221>: mov eax,0x0
0x0804854e <+226>: mov edi,DWORD PTR [ebp-0x4]
0x08048551 <+229>: leave
0x08048552 <+230>: ret
br *0x08048544
start
c
[----------------------------------registers-----------------------------------]
EAX: 0x804b01a ("klsj4kl")
EBX: 0x0
ECX: 0xffffffec
EDX: 0x12
ESI: 0xf7fa7000 --> 0x1b1db0
EDI: 0x804b01b ("lsj4kl")
EBP: 0xffffd1e8 --> 0x0
ESP: 0xffffd1b0 --> 0x8048603 ("Where is the flag?")
EIP: 0x8048544 (<main+216>: call 0x8048340 <puts@plt>)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048530 <main+196>: mov DWORD PTR [eax],0x6a736c6b
0x8048536 <main+202>: mov DWORD PTR [eax+0x4],0x6c6b34
0x804853d <main+209>: mov DWORD PTR [esp],0x8048603
=> 0x8048544 <main+216>: call 0x8048340 <puts@plt>
0x8048549 <main+221>: mov eax,0x0
0x804854e <main+226>: mov edi,DWORD PTR [ebp-0x4]
0x8048551 <main+229>: leave
0x8048552 <main+230>: ret
Guessed arguments:
arg[0]: 0x8048603 ("Where is the flag?")
[------------------------------------stack-------------------------------------]
0000| 0xffffd1b0 --> 0x8048603 ("Where is the flag?")
0004| 0xffffd1b4 --> 0x0
0008| 0xffffd1b8 --> 0x18
0012| 0xffffd1bc --> 0x80485b2 (<__libc_csu_init+82>: add esi,0x1)
0016| 0xffffd1c0 --> 0x1
0020| 0xffffd1c4 --> 0xffffd284 --> 0xffffd422 ("/home/p0pp3t/Downloads/88eb31060c4abd0931878bf7d2dd8c1a")
0024| 0xffffd1c8 --> 0xffffd28c --> 0xffffd45a ("XDG_VTNR=7")
0028| 0xffffd1cc --> 0xffffffff
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
We can see that the register EAX points to a string. If we look 50 bytes before and after it:
hexdump $eax-50 100
0x0804afe8 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0804aff8 : 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 ............!...
0x0804b008 : 46 4c 41 47 2d 34 30 39 32 38 34 39 75 69 6f 32 FLAG-4092849uio2
0x0804b018 : 6a 66 6b 6c 73 6a 34 6b 6c 00 00 00 09 04 00 00 jfklsj4kl.......
0x0804b028 : 4c 6f 61 64 69 6e 67 2e 2e 2e 0a 00 00 00 00 00 Loading.........
0x0804b038 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0804b048 : 00 00 00 00 ....
We can clearly see the flag. The program never prints it: it builds it piece by piece in the malloc'd buffer (the immediates stored at +66, +125 and +196 are ASCII bytes), and each repnz scas block is an inlined strlen that finds the end of the string so the next piece can be appended.
We could also have searched memory for the word FLAG using searchmem:
searchmem FLAG
88eb31060c4abd0931878bf7d2dd8c1a : 0x80484b0 (<main+68>: inc esi)
88eb31060c4abd0931878bf7d2dd8c1a : 0x80494b0 ("FLAG\307@\004-409f\307@\b2")
[heap] : 0x804b008 ("FLAG-4092849uio2jfklsj4kl")
libc : 0xf7f5440d ("FLAGS2_FORTIFY")
ld-2.23.so : 0xf7ff34b8 ("FLAGS: 0x")
ld-2.23.so : 0xf7ff4fde ("FLAGS_1.\n")
ld-2.23.so : 0xf7ff5277 ("FLAGS_1)] == NULL || (info[VERSYMIDX (DT_FLAGS_1)]->d_un.d_val & ~DF_1_NOW) == 0")
ld-2.23.so : 0xf7ff52a0 ("FLAGS_1)]->d_un.d_val & ~DF_1_NOW) == 0")
ld-2.23.so : 0xf7ff52d0 ("FLAGS] == NULL || (info[DT_FLAGS]->d_un.d_val & ~DF_BIND_NOW) == 0")
ld-2.23.so : 0xf7ff52eb ("FLAGS]->d_un.d_val & ~DF_BIND_NOW) == 0")
The flag is FLAG-4092849uio2jfklsj4kl