本文共 2166 字,大约阅读时间需要 7 分钟。
IDA 分析源程序,发现字符串中有upx,upx -d解压后IDA可以继续分析。程序malloc一块内存,调用strcpy拷贝了flag。
$ file flagflag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped$ upx -d ./flag Ultimate Packer for eXecutables Copyright (C) 1996 - 2013UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013 File size Ratio Format Name -------------------- ------ ----------- ----------- 887219 <- 335288 37.79% linux/ElfAMD flagUnpacked 1 file.$ file flagflag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not strippedIDA disassemble
.text:0000000000401164 ; __unwind {.text:0000000000401164 push rbp.text:0000000000401165 mov rbp, rsp.text:0000000000401168 sub rsp, 10h.text:000000000040116C mov edi, offset aIWillMallocAnd ; "I will malloc() and strcpy the flag the"....text:0000000000401171 call puts.text:0000000000401176 mov edi, 64h.text:000000000040117B call malloc.text:0000000000401180 mov [rbp+dest], rax.text:0000000000401184 mov rdx, cs:flag.text:000000000040118B mov rax, [rbp+dest].text:000000000040118F mov rsi, rdx ; src.text:0000000000401192 mov rdi, rax ; dest.text:0000000000401195 call _strcpy.text:000000000040119A mov eax, 0.text:000000000040119F leave.text:00000000004011A0 retn.text:00000000004011A0 ; } // starts at 401164.text:00000000004011A0 main endp.data:00000000006C2070 flag dq offset aUpxSoundsLikeA.data:00000000006C2070 ; DATA XREF: main+20↑r.data:00000000006C2070 ; "UPX...? sounds like a delivery service "...
PS: 这题gdb动态调试也可以。
flag见IDA反汇编结果:"UPX...? sounds like a delivery service "...