Papa brought me a packed present! let's open it.
Download : http://pwnable.kr/bin/flag
This is reversing task. all you need is binary
Downloading from the link above gives you an ELF file.
$ wget http://pwnable.kr/bin/flag
$ file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
Give it execute permission and run it:
$ chmod +x flag
$ ./flag
I will malloc() and strcpy the flag there. take it.
Checking the strings shows that the binary is packed with UPX (Ultimate Packer for eXecutables).
$ strings flag
...
PROT_EXEC|PROT_WRITE failed.
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $
...
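As an added example (not part of the original write-up), the Python sketch below automates the two indicators seen above: the missing section header table that `file` reports and the UPX marker strings. The `triage_elf` function and the sample bytes are constructed for illustration; the `UPX!` magic is UPX's usual pack-header marker rather than something shown on this page.

```python
import struct

UPX_MAGIC = b"UPX!"  # UPX pack-header magic (not shown on the page)
UPX_BANNER = b"This file is packed with the UPX executable packer"  # from strings output

def triage_elf(data: bytes) -> dict:
    """Return packing indicators for an ELF64 image held in memory."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"
    # ELF64 header: e_shoff is 8 bytes at 0x28, e_shnum is 2 bytes at 0x3C.
    (e_shoff,) = struct.unpack_from(endian + "Q", data, 0x28)
    (e_shnum,) = struct.unpack_from(endian + "H", data, 0x3C)
    result = {
        "no_section_headers": e_shoff == 0 or e_shnum == 0,
        "upx_magic": UPX_MAGIC in data,
        "upx_banner": UPX_BANNER in data,
    }
    # Require the structural anomaly plus at least one marker string.
    result["likely_upx"] = result["no_section_headers"] and (
        result["upx_magic"] or result["upx_banner"]
    )
    return result

def _sample_header(shoff: int, shnum: int) -> bytes:
    # Constructed 64-byte little-endian ELF64 header; unused fields are zero.
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0x400000, 64, shoff, 0, 64, 56, 0, 64, shnum, 0,
    )

# Constructed samples: one mimics the packed file, one a normal binary.
PACKED = _sample_header(0, 0) + bytes(16) + b"$Info: " + UPX_BANNER + b" $" + UPX_MAGIC
PLAIN = _sample_header(0x1000, 30) + bytes(32)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(name, triage_elf(blob))
```

Both markers can be removed or altered by a modified packer, so a negative result does not prove a binary is unpacked.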
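Even after unpacking, running the binary still produces the same output, but the statically linked libraries and symbols are now visible. Because the file is not stripped, its symbol table is retained, so function names can be seen as well.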
$ upx -d flag
$ ./flag
I will malloc() and strcpy the flag there. take it.
$ file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not stripped
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
0x0000000000401164 <+0>: push rbp
0x0000000000401165 <+1>: mov rbp,rsp
0x0000000000401168 <+4>: sub rsp,0x10
0x000000000040116c <+8>: mov edi,0x496658
0x0000000000401171 <+13>: call 0x402080 <puts>
0x0000000000401176 <+18>: mov edi,0x64
0x000000000040117b <+23>: call 0x4099d0 <malloc>
0x0000000000401180 <+28>: mov QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>: mov rdx,QWORD PTR [rip+0x2c0ee5] # 0x6c2070 <flag>
0x000000000040118b <+39>: mov rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>: mov rsi,rdx
0x0000000000401192 <+46>: mov rdi,rax
0x0000000000401195 <+49>: call 0x400320
0x000000000040119a <+54>: mov eax,0x0
0x000000000040119f <+59>: leave
0x00000000004011a0 <+60>: ret
End of assembler dump.
(gdb) x/1s *0x6c2070
0x496628: "UPX...? sounds like a delivery service :)"