assembly 我正在做一个htb练习,我的外壳代码没有给予正确的答案

ut6juiuv  于 2022-11-13  发布在  其他
关注(0)|答案(1)|浏览(214)

练习如下:我们使用gdb检查文件,发现它正在将编码的shellcode加载到Stack中,并将xor解码密钥存储在rbx中。在将shellcode加载到Stack后,我们需要对其进行解码,然后运行shellcode以获取标志。
下面是初始文件的objdump:

loaded_shellcode:     file format elf64-x86-64

Disassembly of section .text:

0000000000401000 <_start>:
  401000:   48 b8 d7 4b de 7c 5c    movabs rax,0xa284ee5c7cde4bd7
  401007:   ee 84 a2 
  40100a:   50                      push   rax
  40100b:   48 b8 9a 84 10 05 11    movabs rax,0x935add110510849a
  401012:   dd 5a 93 
  401015:   50                      push   rax
  401016:   48 b8 00 75 69 ab 9d    movabs rax,0x10b29a9dab697500
  40101d:   9a b2 10 
  401020:   50                      push   rax
  401021:   48 b8 9a 45 96 0d eb    movabs rax,0x200ce3eb0d96459a
  401028:   e3 0c 20 
  40102b:   50                      push   rax
  40102c:   48 b8 62 84 10 05 e3    movabs rax,0xe64c30e305108462
  401033:   30 4c e6 
  401036:   50                      push   rax
  401037:   48 b8 51 0c 3e 7c 5c    movabs rax,0x69cd355c7c3e0c51
  40103e:   35 cd 69 
  401041:   50                      push   rax
  401042:   48 b8 d6 85 a1 84 25    movabs rax,0x65659a2584a185d6
  401049:   9a 65 65 
  40104c:   50                      push   rax
  40104d:   48 b8 00 50 6c 6c 50    movabs rax,0x69ff00506c6c5000
  401054:   00 ff 69 
  401057:   50                      push   rax
  401058:   48 b8 81 56 50 aa 34    movabs rax,0x3127e434aa505681
  40105f:   e4 27 31 
  401062:   50                      push   rax
  401063:   48 b8 48 ff 69 1e 57    movabs rax,0x6af2a5571e69ff48
  40106a:   a5 f2 6a 
  40106d:   50                      push   rax
  40106e:   48 b8 e6 09 07 f2 af    movabs rax,0x6d179aaff20709e6
  401075:   9a 17 6d 
  401078:   50                      push   rax
  401079:   48 b8 c9 f1 5b 31 52    movabs rax,0x9ae3f152315bf1c9
  401080:   f1 e3 9a 
  401083:   50                      push   rax
  401084:   48 b8 9a 17 00 09 bb    movabs rax,0x373ab4bb0900179a
  40108b:   b4 3a 37 
  40108e:   50                      push   rax
  40108f:   48 b8 a3 a2 9a 05 44    movabs rax,0x69751244059aa2a3
  401096:   12 75 69 
  401099:   50                      push   rax
  40109a:   48 bb d2 44 21 4d 14    movabs rbx,0x2144d2144d2144d2
  4010a1:   d2 44 21

这是我使用的汇编代码:

global _start
section .text
_start:
mov rax,0xa284ee5c7cde4bd7
push rax
mov rax,0x935add110510849a
push rax
mov rax,0x10b29a9dab697500
push rax
mov rax,0x200ce3eb0d96459a
push rax
mov rax,0xe64c30e305108462
push rax
mov rax,0x69cd355c7c3e0c51
push rax
mov rax,0x65659a2584a185d6
push rax
mov rax,0x69ff00506c6c5000
push rax
mov rax,0x3127e434aa505681
push rax
mov rax,0x6af2a5571e69ff48
push rax
mov rax,0x6d179aaff20709e6
push rax
mov rax,0x9ae3f152315bf1c9
push rax
mov rax,0x373ab4bb0900179a
push rax
mov rax,0x69751244059aa2a3
push rax
mov rbx,0x2144d2144d2144d2

mov rdx, rsp
add rcx, 14
sub rsp, 8
call decrypt

decrypt:
    xor [rdx], rbx
    add rdx, 8
    loop decrypt

在使用gdb遍历$rdx并附加值后,将生成以下Shell代码:

69751244059aa2a3373ab4bb0900179a9ae3f152315bf1c96d179aaff20709e66af2a5571e69ff483127e434aa50568169ff00506c6c500065659a2584a185d669cd355c7c3e0c51e64c30e305108462200ce3eb0d96459a10b29a9dab697500935add110510849aa284ee5c7cde4bd7

我应该得到一个标志来完成练习,但我得到了一个空的响应,我哪里做错了?

l7wslrjt

l7wslrjt1#

断点必须放置在add rdx,8而不是xor [rdx],rbx上。

相关问题