read-a-binary
## solve
バイナリファイルが与えられるので、これを解読していく。
bash
❯ file read-a-binary
read-a-binary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=39f3250c99fe90e9c99759973d01bd2dbcb6e1a5, for GNU/Linux 3.2.0, not stripped
strings で flag が露出しているか見てみるが、特に flag らしきものは露出しなかった。
bash
❯ strings read-a-binary
/lib64/ld-linux-x86-64.so.2
puts
__libc_start_main
printf
__isoc99_scanf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
__gmon_start__
PTE1
H=(@@
Input >
%95s
Correct! The flag is %s
Incorrect...
9*3$"
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
crt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
main.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
puts@GLIBC_2.2.5
_edata
_fini
printf@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
_dl_relocate_static_pie
__bss_start
main
__isoc99_scanf@GLIBC_2.7
__TMC_END__
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment
実行権限を与えて実行してみる。
bash
❯ chmod +x ./read-a-binary
bash
❯ ./read-a-binary
Input > test
Incorrect...
正しい Input を入力できれば良さそうだとわかるので、objdump で中身を見てみるが、これを見ても flag はそのままの文字列としては露出していない。
bash
❯ objdump -d -Mintel ./read-a-binary
./read-a-binary: file format elf64-x86-64
Disassembly of section .init:
0000000000401000 <_init>:
401000: f3 0f 1e fa endbr64
401004: 48 83 ec 08 sub rsp,0x8
401008: 48 8b 05 d1 2f 00 00 mov rax,QWORD PTR [rip+0x2fd1] # 403fe0 <__gmon_start__@Base>
40100f: 48 85 c0 test rax,rax
401012: 74 02 je 401016 <_init+0x16>
401014: ff d0 call rax
401016: 48 83 c4 08 add rsp,0x8
40101a: c3 ret
Disassembly of section .plt:
0000000000401020 <.plt>:
401020: ff 35 ca 2f 00 00 push QWORD PTR [rip+0x2fca] # 403ff0 <_GLOBAL_OFFSET_TABLE_+0x8>
401026: ff 25 cc 2f 00 00 jmp QWORD PTR [rip+0x2fcc] # 403ff8 <_GLOBAL_OFFSET_TABLE_+0x10>
40102c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
401030: f3 0f 1e fa endbr64
401034: 68 00 00 00 00 push 0x0
401039: e9 e2 ff ff ff jmp 401020 <_init+0x20>
40103e: 66 90 xchg ax,ax
401040: f3 0f 1e fa endbr64
401044: 68 01 00 00 00 push 0x1
401049: e9 d2 ff ff ff jmp 401020 <_init+0x20>
40104e: 66 90 xchg ax,ax
401050: f3 0f 1e fa endbr64
401054: 68 02 00 00 00 push 0x2
401059: e9 c2 ff ff ff jmp 401020 <_init+0x20>
40105e: 66 90 xchg ax,ax
Disassembly of section .plt.sec:
0000000000401060 <puts@plt>:
401060: f3 0f 1e fa endbr64
401064: ff 25 96 2f 00 00 jmp QWORD PTR [rip+0x2f96] # 404000 <puts@GLIBC_2.2.5>
40106a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000401070 <printf@plt>:
401070: f3 0f 1e fa endbr64
401074: ff 25 8e 2f 00 00 jmp QWORD PTR [rip+0x2f8e] # 404008 <printf@GLIBC_2.2.5>
40107a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000401080 <__isoc99_scanf@plt>:
401080: f3 0f 1e fa endbr64
401084: ff 25 86 2f 00 00 jmp QWORD PTR [rip+0x2f86] # 404010 <__isoc99_scanf@GLIBC_2.7>
40108a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
Disassembly of section .text:
0000000000401090 <_start>:
401090: f3 0f 1e fa endbr64
401094: 31 ed xor ebp,ebp
401096: 49 89 d1 mov r9,rdx
401099: 5e pop rsi
40109a: 48 89 e2 mov rdx,rsp
40109d: 48 83 e4 f0 and rsp,0xfffffffffffffff0
4010a1: 50 push rax
4010a2: 54 push rsp
4010a3: 45 31 c0 xor r8d,r8d
4010a6: 31 c9 xor ecx,ecx
4010a8: 48 c7 c7 76 11 40 00 mov rdi,0x401176
4010af: ff 15 23 2f 00 00 call QWORD PTR [rip+0x2f23] # 403fd8 <__libc_start_main@GLIBC_2.34>
4010b5: f4 hlt
4010b6: 66 2e 0f 1f 84 00 00 cs nop WORD PTR [rax+rax*1+0x0]
4010bd: 00 00 00
00000000004010c0 <_dl_relocate_static_pie>:
4010c0: f3 0f 1e fa endbr64
4010c4: c3 ret
4010c5: 66 2e 0f 1f 84 00 00 cs nop WORD PTR [rax+rax*1+0x0]
4010cc: 00 00 00
4010cf: 90 nop
00000000004010d0 <deregister_tm_clones>:
4010d0: b8 28 40 40 00 mov eax,0x404028
4010d5: 48 3d 28 40 40 00 cmp rax,0x404028
4010db: 74 13 je 4010f0 <deregister_tm_clones+0x20>
4010dd: b8 00 00 00 00 mov eax,0x0
4010e2: 48 85 c0 test rax,rax
4010e5: 74 09 je 4010f0 <deregister_tm_clones+0x20>
4010e7: bf 28 40 40 00 mov edi,0x404028
4010ec: ff e0 jmp rax
4010ee: 66 90 xchg ax,ax
4010f0: c3 ret
4010f1: 66 66 2e 0f 1f 84 00 data16 cs nop WORD PTR [rax+rax*1+0x0]
4010f8: 00 00 00 00
4010fc: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000401100 <register_tm_clones>:
401100: be 28 40 40 00 mov esi,0x404028
401105: 48 81 ee 28 40 40 00 sub rsi,0x404028
40110c: 48 89 f0 mov rax,rsi
40110f: 48 c1 ee 3f shr rsi,0x3f
401113: 48 c1 f8 03 sar rax,0x3
401117: 48 01 c6 add rsi,rax
40111a: 48 d1 fe sar rsi,1
40111d: 74 11 je 401130 <register_tm_clones+0x30>
40111f: b8 00 00 00 00 mov eax,0x0
401124: 48 85 c0 test rax,rax
401127: 74 07 je 401130 <register_tm_clones+0x30>
401129: bf 28 40 40 00 mov edi,0x404028
40112e: ff e0 jmp rax
401130: c3 ret
401131: 66 66 2e 0f 1f 84 00 data16 cs nop WORD PTR [rax+rax*1+0x0]
401138: 00 00 00 00
40113c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000401140 <__do_global_dtors_aux>:
401140: f3 0f 1e fa endbr64
401144: 80 3d dd 2e 00 00 00 cmp BYTE PTR [rip+0x2edd],0x0 # 404028 <__TMC_END__>
40114b: 75 13 jne 401160 <__do_global_dtors_aux+0x20>
40114d: 55 push rbp
40114e: 48 89 e5 mov rbp,rsp
401151: e8 7a ff ff ff call 4010d0 <deregister_tm_clones>
401156: c6 05 cb 2e 00 00 01 mov BYTE PTR [rip+0x2ecb],0x1 # 404028 <__TMC_END__>
40115d: 5d pop rbp
40115e: c3 ret
40115f: 90 nop
401160: c3 ret
401161: 66 66 2e 0f 1f 84 00 data16 cs nop WORD PTR [rax+rax*1+0x0]
401168: 00 00 00 00
40116c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000401170 <frame_dummy>:
401170: f3 0f 1e fa endbr64
401174: eb 8a jmp 401100 <register_tm_clones>
0000000000401176 <main>:
401176: f3 0f 1e fa endbr64
40117a: 55 push rbp
40117b: 48 89 e5 mov rbp,rsp
40117e: 48 81 ec d0 00 00 00 sub rsp,0xd0
401185: 48 8d 05 78 0e 00 00 lea rax,[rip+0xe78] # 402004 <_IO_stdin_used+0x4>
40118c: 48 89 c7 mov rdi,rax
40118f: b8 00 00 00 00 mov eax,0x0
401194: e8 d7 fe ff ff call 401070 <printf@plt>
401199: 48 8d 45 90 lea rax,[rbp-0x70]
40119d: 48 89 c6 mov rsi,rax
4011a0: 48 8d 05 66 0e 00 00 lea rax,[rip+0xe66] # 40200d <_IO_stdin_used+0xd>
4011a7: 48 89 c7 mov rdi,rax
4011aa: b8 00 00 00 00 mov eax,0x0
4011af: e8 cc fe ff ff call 401080 <__isoc99_scanf@plt>
4011b4: c6 85 30 ff ff ff 41 mov BYTE PTR [rbp-0xd0],0x41
4011bb: c6 85 31 ff ff ff 6c mov BYTE PTR [rbp-0xcf],0x6c
4011c2: c6 85 32 ff ff ff 70 mov BYTE PTR [rbp-0xce],0x70
4011c9: c6 85 33 ff ff ff 61 mov BYTE PTR [rbp-0xcd],0x61
4011d0: c6 85 34 ff ff ff 63 mov BYTE PTR [rbp-0xcc],0x63
4011d7: c6 85 35 ff ff ff 61 mov BYTE PTR [rbp-0xcb],0x61
4011de: c6 85 36 ff ff ff 7b mov BYTE PTR [rbp-0xca],0x7b
4011e5: c6 85 37 ff ff ff 44 mov BYTE PTR [rbp-0xc9],0x44
4011ec: c6 85 38 ff ff ff 65 mov BYTE PTR [rbp-0xc8],0x65
4011f3: c6 85 39 ff ff ff 63 mov BYTE PTR [rbp-0xc7],0x63
4011fa: c6 85 3a ff ff ff 6f mov BYTE PTR [rbp-0xc6],0x6f
401201: c6 85 3b ff ff ff 6d mov BYTE PTR [rbp-0xc5],0x6d
401208: c6 85 3c ff ff ff 70 mov BYTE PTR [rbp-0xc4],0x70
40120f: c6 85 3d ff ff ff 69 mov BYTE PTR [rbp-0xc3],0x69
401216: c6 85 3e ff ff ff 65 mov BYTE PTR [rbp-0xc2],0x65
40121d: c6 85 3f ff ff ff 72 mov BYTE PTR [rbp-0xc1],0x72
401224: c6 85 40 ff ff ff 73 mov BYTE PTR [rbp-0xc0],0x73
40122b: c6 85 41 ff ff ff 5f mov BYTE PTR [rbp-0xbf],0x5f
401232: c6 85 42 ff ff ff 63 mov BYTE PTR [rbp-0xbe],0x63
401239: c6 85 43 ff ff ff 61 mov BYTE PTR [rbp-0xbd],0x61
401240: c6 85 44 ff ff ff 6e mov BYTE PTR [rbp-0xbc],0x6e
401247: c6 85 45 ff ff ff 5f mov BYTE PTR [rbp-0xbb],0x5f
40124e: c6 85 46 ff ff ff 6f mov BYTE PTR [rbp-0xba],0x6f
401255: c6 85 47 ff ff ff 70 mov BYTE PTR [rbp-0xb9],0x70
40125c: c6 85 48 ff ff ff 74 mov BYTE PTR [rbp-0xb8],0x74
401263: c6 85 49 ff ff ff 69 mov BYTE PTR [rbp-0xb7],0x69
40126a: c6 85 4a ff ff ff 6d mov BYTE PTR [rbp-0xb6],0x6d
401271: c6 85 4b ff ff ff 69 mov BYTE PTR [rbp-0xb5],0x69
401278: c6 85 4c ff ff ff 7a mov BYTE PTR [rbp-0xb4],0x7a
40127f: c6 85 4d ff ff ff 65 mov BYTE PTR [rbp-0xb3],0x65
401286: c6 85 4e ff ff ff 5f mov BYTE PTR [rbp-0xb2],0x5f
40128d: c6 85 4f ff ff ff 72 mov BYTE PTR [rbp-0xb1],0x72
401294: c6 85 50 ff ff ff 65 mov BYTE PTR [rbp-0xb0],0x65
40129b: c6 85 51 ff ff ff 64 mov BYTE PTR [rbp-0xaf],0x64
4012a2: c6 85 52 ff ff ff 75 mov BYTE PTR [rbp-0xae],0x75
4012a9: c6 85 53 ff ff ff 6e mov BYTE PTR [rbp-0xad],0x6e
4012b0: c6 85 54 ff ff ff 64 mov BYTE PTR [rbp-0xac],0x64
4012b7: c6 85 55 ff ff ff 61 mov BYTE PTR [rbp-0xab],0x61
4012be: c6 85 56 ff ff ff 6e mov BYTE PTR [rbp-0xaa],0x6e
4012c5: c6 85 57 ff ff ff 74 mov BYTE PTR [rbp-0xa9],0x74
4012cc: c6 85 58 ff ff ff 5f mov BYTE PTR [rbp-0xa8],0x5f
4012d3: c6 85 59 ff ff ff 61 mov BYTE PTR [rbp-0xa7],0x61
4012da: c6 85 5a ff ff ff 73 mov BYTE PTR [rbp-0xa6],0x73
4012e1: c6 85 5b ff ff ff 73 mov BYTE PTR [rbp-0xa5],0x73
4012e8: c6 85 5c ff ff ff 65 mov BYTE PTR [rbp-0xa4],0x65
4012ef: c6 85 5d ff ff ff 6d mov BYTE PTR [rbp-0xa3],0x6d
4012f6: c6 85 5e ff ff ff 62 mov BYTE PTR [rbp-0xa2],0x62
4012fd: c6 85 5f ff ff ff 6c mov BYTE PTR [rbp-0xa1],0x6c
401304: c6 85 60 ff ff ff 79 mov BYTE PTR [rbp-0xa0],0x79
40130b: c6 85 61 ff ff ff 5f mov BYTE PTR [rbp-0x9f],0x5f
401312: c6 85 62 ff ff ff 63 mov BYTE PTR [rbp-0x9e],0x63
401319: c6 85 63 ff ff ff 6f mov BYTE PTR [rbp-0x9d],0x6f
401320: c6 85 64 ff ff ff 64 mov BYTE PTR [rbp-0x9c],0x64
401327: c6 85 65 ff ff ff 65 mov BYTE PTR [rbp-0x9b],0x65
40132e: c6 85 66 ff ff ff 73 mov BYTE PTR [rbp-0x9a],0x73
401335: c6 85 67 ff ff ff 5f mov BYTE PTR [rbp-0x99],0x5f
40133c: c6 85 68 ff ff ff 74 mov BYTE PTR [rbp-0x98],0x74
401343: c6 85 69 ff ff ff 6f mov BYTE PTR [rbp-0x97],0x6f
40134a: c6 85 6a ff ff ff 5f mov BYTE PTR [rbp-0x96],0x5f
401351: c6 85 6b ff ff ff 65 mov BYTE PTR [rbp-0x95],0x65
401358: c6 85 6c ff ff ff 6c mov BYTE PTR [rbp-0x94],0x6c
40135f: c6 85 6d ff ff ff 65 mov BYTE PTR [rbp-0x93],0x65
401366: c6 85 6e ff ff ff 67 mov BYTE PTR [rbp-0x92],0x67
40136d: c6 85 6f ff ff ff 61 mov BYTE PTR [rbp-0x91],0x61
401374: c6 85 70 ff ff ff 6e mov BYTE PTR [rbp-0x90],0x6e
40137b: c6 85 71 ff ff ff 74 mov BYTE PTR [rbp-0x8f],0x74
401382: c6 85 72 ff ff ff 5f mov BYTE PTR [rbp-0x8e],0x5f
401389: c6 85 73 ff ff ff 70 mov BYTE PTR [rbp-0x8d],0x70
401390: c6 85 74 ff ff ff 73 mov BYTE PTR [rbp-0x8c],0x73
401397: c6 85 75 ff ff ff 65 mov BYTE PTR [rbp-0x8b],0x65
40139e: c6 85 76 ff ff ff 75 mov BYTE PTR [rbp-0x8a],0x75
4013a5: c6 85 77 ff ff ff 64 mov BYTE PTR [rbp-0x89],0x64
4013ac: c6 85 78 ff ff ff 6f mov BYTE PTR [rbp-0x88],0x6f
4013b3: c6 85 79 ff ff ff 5f mov BYTE PTR [rbp-0x87],0x5f
4013ba: c6 85 7a ff ff ff 63 mov BYTE PTR [rbp-0x86],0x63
4013c1: c6 85 7b ff ff ff 6f mov BYTE PTR [rbp-0x85],0x6f
4013c8: c6 85 7c ff ff ff 64 mov BYTE PTR [rbp-0x84],0x64
4013cf: c6 85 7d ff ff ff 65 mov BYTE PTR [rbp-0x83],0x65
4013d6: c6 85 7e ff ff ff 73 mov BYTE PTR [rbp-0x82],0x73
4013dd: c6 85 7f ff ff ff 7d mov BYTE PTR [rbp-0x81],0x7d
4013e4: c6 45 80 00 mov BYTE PTR [rbp-0x80],0x0
4013e8: c7 45 fc 00 00 00 00 mov DWORD PTR [rbp-0x4],0x0
4013ef: 48 c7 45 f0 00 00 00 mov QWORD PTR [rbp-0x10],0x0
4013f6: 00
4013f7: eb 31 jmp 40142a <main+0x2b4>
4013f9: 48 8d 55 90 lea rdx,[rbp-0x70]
4013fd: 48 8b 45 f0 mov rax,QWORD PTR [rbp-0x10]
401401: 48 01 d0 add rax,rdx
401404: 0f b6 10 movzx edx,BYTE PTR [rax]
401407: 48 8d 8d 30 ff ff ff lea rcx,[rbp-0xd0]
40140e: 48 8b 45 f0 mov rax,QWORD PTR [rbp-0x10]
401412: 48 01 c8 add rax,rcx
401415: 0f b6 00 movzx eax,BYTE PTR [rax]
401418: 38 c2 cmp dl,al
40141a: 74 09 je 401425 <main+0x2af>
40141c: c7 45 fc 01 00 00 00 mov DWORD PTR [rbp-0x4],0x1
401423: eb 0c jmp 401431 <main+0x2bb>
401425: 48 83 45 f0 01 add QWORD PTR [rbp-0x10],0x1
40142a: 48 83 7d f0 50 cmp QWORD PTR [rbp-0x10],0x50
40142f: 7e c8 jle 4013f9 <main+0x283>
401431: 83 7d fc 00 cmp DWORD PTR [rbp-0x4],0x0
401435: 75 22 jne 401459 <main+0x2e3>
401437: 48 8d 45 90 lea rax,[rbp-0x70]
40143b: 48 89 c6 mov rsi,rax
40143e: 48 8d 05 cd 0b 00 00 lea rax,[rip+0xbcd] # 402012 <_IO_stdin_used+0x12>
401445: 48 89 c7 mov rdi,rax
401448: b8 00 00 00 00 mov eax,0x0
40144d: e8 1e fc ff ff call 401070 <printf@plt>
401452: b8 00 00 00 00 mov eax,0x0
401457: eb 14 jmp 40146d <main+0x2f7>
401459: 48 8d 05 cb 0b 00 00 lea rax,[rip+0xbcb] # 40202b <_IO_stdin_used+0x2b>
401460: 48 89 c7 mov rdi,rax
401463: e8 f8 fb ff ff call 401060 <puts@plt>
401468: b8 01 00 00 00 mov eax,0x1
40146d: c9 leave
40146e: c3 ret
Disassembly of section .fini:
0000000000401470 <_fini>:
401470: f3 0f 1e fa endbr64
401474: 48 83 ec 08 sub rsp,0x8
401478: 48 83 c4 08 add rsp,0x8
40147c: c3 ret
Ghidra でデコンパイルした main 関数を見ると、flag が文字列として露出していた。
c
/* Ghidra decompilation of main (compare with the objdump listing above).
 * The run of single-byte stores at 0x4011b4-0x4013e4 in the disassembly is
 * folded by the decompiler into one builtin_strncpy of the expected string,
 * which is why the flag is readable here but not in the strings output.
 * Return value: 0 (false) when the input matches, 1 (true) otherwise. */
bool main(void)
{
bool bVar1;
char local_d8 [96];   /* expected value, filled by the strncpy below */
char local_78 [96];   /* user input read by scanf */
long local_18;        /* compare index, runs 0..0x50 */
int local_c;          /* mismatch flag: 0 = equal so far, 1 = differ */
printf("Input > ");
/* DAT_0040200d is, per the strings output and the rodata layout, the "%95s"
 * format: scanf stores at most 95 chars plus the NUL, inside the 96-byte
 * buffer. */
__isoc99_scanf(&DAT_0040200d,local_78);
/* 0x51 = 81 bytes: the 80-char string plus its NUL terminator. */
builtin_strncpy(local_d8,
"Alpaca{Decompiers_can_optimize_redundant_assembly_codes_to_elegant_pseudo_codes}"
,0x51);
local_c = 0;
local_18 = 0;
do {
if (0x50 < local_18) {
LAB_00401431:
/* Reached after all 81 bytes matched, or via the goto on the first mismatch. */
bVar1 = local_c != 0;
if (bVar1) {
puts("Incorrect...");
}
else {
/* Prints the user's own input, not local_d8. */
printf("Correct! The flag is %s\n",local_78);
}
return bVar1;
}
/* Early exit on the first differing byte. Fine for a CTF check, but in a
 * real secret comparison this data-dependent timing would reveal how many
 * leading bytes matched; a constant-time compare is the usual fix. */
if (local_78[local_18] != local_d8[local_18]) {
local_c = 1;
goto LAB_00401431;
}
local_18 = local_18 + 1;
} while( true );
}
実行してみる。
bash
❯ ./read-a-binary
Input > Alpaca{Decompiers_can_optimize_redundant_assembly_codes_to_elegant_pseudo_codes}
Correct! The flag is Alpaca{Decompiers_can_optimize_redundant_assembly_codes_to_elegant_pseudo_codes}
## flag
Alpaca{Decompiers_can_optimize_redundant_assembly_codes_to_elegant_pseudo_codes}