- gdb
- pwndbg
- pwntools
- Ghidra and/or IDA
- Veles (optional)
- Challenges
  - cmd1 / cmd2
  - random
- file
- xxd / strings
  - in vim: :%!xxd (hex view), :%!xxd -r (convert back)
- sha1sum / ssdeep / diff
- Challenges
  - crackme0x00a
  - crackme0x00b
- File formats
  - Relocatable file -> Executable file
  - Relocatable file -> Shared object
- readelf / objdump / veles
  - Headers: readelf -h
  - Section header table (sections), linking view: readelf -S
  - Program header table (segments), execution view: readelf -l
  - Relocations: readelf -r
  - Dynamic: readelf -d
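As an added example that is not part of the course material: a small Python parser for the ELF32 header and program header table, i.e. the execution view that readelf -l prints, with a checksec-style NX check derived from PT_GNU_STACK. The ELF bytes it parses are constructed inline (a made-up i386 EXEC header, not a real binary), and the entry address is a placeholder.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)", 3: "DYN (Shared object file)"}
P_TYPES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 6: "PHDR", 0x6474E551: "GNU_STACK", 0x6474E552: "GNU_RELRO"}

def parse_elf32(data):
    """Decode the ELF32 header and the program header table (the execution view of readelf -l)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:                  # e_ident: ELFCLASS32, ELFDATA2LSB
        raise ValueError("only ELFCLASS32 little-endian is handled here")
    # Elf32_Ehdr fields that follow the 16-byte e_ident (52 bytes in total)
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    segments = []
    for i in range(e_phnum):
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        # render p_flags the way readelf does: PF_R=4, PF_W=2, PF_X=1 -> "R E", "RW ", ...
        flags = "".join(c if p_flags & bit else " " for c, bit in (("R", 4), ("W", 2), ("E", 1)))
        segments.append({"type": P_TYPES.get(p_type, hex(p_type)), "offset": p_off, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz, "flags": flags})
    return {"type": E_TYPES.get(e_type, str(e_type)), "machine": e_machine, "entry": e_entry,
            "segments": segments}

def stack_is_executable(elf):
    """checksec-style NX check: the stack is executable if PT_GNU_STACK carries E or is absent."""
    gnu_stack = [s for s in elf["segments"] if s["type"] == "GNU_STACK"]
    return not gnu_stack or "E" in gnu_stack[0]["flags"]

def build_sample_elf32():
    """Constructed sample bytes (not a real binary): i386 EXEC with one R E LOAD and a RW GNU_STACK."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8          # class, data, version, OS ABI, pad
    # e_type=EXEC, e_machine=EM_386, entry (placeholder), phoff=52, phentsize=32, phnum=2, shentsize=40
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048330, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    load = struct.pack("<8I", 1, 0, 0x8048000, 0x8048000, 0x700, 0x700, 5, 0x1000)
    stack = struct.pack("<8I", 0x6474E551, 0, 0, 0, 0, 0, 6, 16)
    return ehdr + load + stack

if __name__ == "__main__":
    elf = parse_elf32(build_sample_elf32())
    print(f"Type: {elf['type']}  Entry point address: {elf['entry']:#x}")
    for s in elf["segments"]:
        print(f"  {s['type']:<10} {s['offset']:#010x} {s['vaddr']:#010x} {s['filesz']:#08x} {s['memsz']:#08x} {s['flags']}")
    print("NX enabled" if not stack_is_executable(elf) else "NX disabled")
```

Pointing parse_elf32 at the bytes of a real 32-bit binary (e.g. crackme0x00b) gives the same segment table as readelf -l, and the NX verdict matches checksec.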
- Linking
  - ldd
  - ltrace / strace
- Challenges
  - fixme0x0a
  - trace
  - preload - make yourself root! (write a shared lib and use LD_PRELOAD in a way that executing whoami returns root)

        $ whoami
        root
- The code (objdump columns, left to right: addresses, raw bytes, mnemonics, operands)

    $ objdump -d -M intel -j.text crackme0x00b | grep '<main>' -A 10
    08048494 <main>:
    8048494: 55                   push ebp
    8048495: 89 e5                mov ebp,esp
    8048497: 83 e4 f0             and esp,0xfffffff0
    804849a: 83 c4 80             add esp,0xffffff80
    804849d: b8 d0 85 04 08       mov eax,0x80485d0
    80484a2: 89 04 24             mov DWORD PTR [esp],eax
    80484a5: e8 d6 fe ff ff       call 8048380 <printf@plt>
    80484aa: b8 e1 85 04 08       mov eax,0x80485e1
    80484af: 8d 54 24 1c          lea edx,[esp+0x1c]
    80484b3: 89 54 24 04          mov DWORD PTR [esp+0x4],edx
| Command | Description |
|---|---|
| `mov eax, 5` | eax = 5 |
| `lea ebx, [eax-0x20]` | ebx = eax - 0x20 |
| `mov eax, [ebx + ecx*4 + 0x6]` | `eax = *(ebx + ecx*4 + 6)` (memory read) |
| `lea eax, [ebx + ecx*4 + 0x6]` | `eax = ebx + ecx*4 + 6` (address computation only) |
| `push eax` | push eax onto the stack |
| `pop eax` | pop eax from the stack |
| `jmp eax` | eip = eax |
| `cmp eax, 0xe` | set bits in EFLAGS |
| `jz $+10` | if ZF=1 then eip = eip+10 |
| `ja $+10` | if ZF=0 && CF=0 then eip = eip+10 |
| `jg $+10` | if ZF=0 && SF=OF then eip = eip+10 |
| `call 0xdead` | push eip, eip = 0xdead |
| `leave` | esp = ebp, pop ebp |
| `ret` | pop eip |
- (pwn)gdb

    # config
    set disable-randomization on        # derandomization of virtual address space
    set disassembly-flavor intel        # intel vs AT&T
    set print elements 0                # print long strings
    set follow-fork-mode parent         # for threaded apps
    source /path/to/pwndbg/gdbinit.py   # edit this
    set banner-color cyan
    set memory-heap-color cyan

    # cmds
    start / run                       - start the program
    s / so / ni / nextcall / nextret  - stepping
    break *addr                       - breakpoints
    c                                 - continue until breakpoint
    x/10xw addr                       - dump memory (10 hex words)
    x/2i addr                         - disassemble 2 instructions
    x/50xg function_name              - dump 50 hex giant (8-byte) words
    info frame
    info breakpoints
    info registers
    context
    vmmap
    stack 100
    probeleak
    telescope
- Virtual map
  - Sections / stack
- Function calls
- Challenges
  - crackme0x01
  - test_gdb - questions to answer:
    - location (address on stack) of saved EIP in function some_func and in main
    - location of saved EBP
    - distance between buffer_a and some_func's saved EIP
    - distance between the pointer to buffer_a (argument) and main's saved EIP
    - why printf outputs spaces before our input
    - why write outputs some garbage (and what that garbage is)
    - difference between read(0, buf, 10) and scanf("%10s", buf)
    - difference between unsigned char and char
    - what libraries are loaded
- Linear / recursive
  - anti_disasm
- IDA / Ghidra
- Challenges
  - crackme0x03
  - crackme0x04
  - crackme0x09
- asm / disasm
- checksec / constgrep
- ELF
- remote / process
- Challenges
  - write template for the Stats

        #!/usr/bin/env python
        # -*- coding: utf-8 -*-
        from pwn import *

        LOGIN = ''
        PASS = ''

        def setup_connection():
            s = remote()  # fill in host and port of the Stats service
            return s

        def solve_task(s, username, password, taskname, flag):
            pass

        def list_tasks(s, lab_no):
            pass

        def show_stats(s, all=False, task_no=None):
            pass

        def exit(s):
            pass

        if __name__ == "__main__":
            s = setup_connection()
            list_tasks(s, 1)
            exit(s)
            s.interactive()
            s.close()
- check out exploit template or here
- bomb
- lab1_home1
- lab1_home3