Intro pwn challenges x2
pwn1
For this challenge the source is known in advance: main calls the get_flag function, which compares the values of the magic and password variables; if they differ it exits, and if they are equal it should print the flag.
First, look at main and get_flag with objdump.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBfZEETMlKi7aG0hP36pq_EKPRZkldUlwJ_CPmJ638zw5.png)
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBeCj4uK_U5muVKgPeo28cz6PdcB7x2M6Lhd5WNQL7S1K.png)
Inside get_flag there is:
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBR3Vv9txkbpXktXTHmPQ2DYMJrWauSOaYw6lWTeyD69w.png)
This cmp should be the comparison of those two variables.
Start debugging in gdb.
Set a breakpoint with b *0x8048720, then run, then enter an arbitrary value.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBVZYnHep0YvMRxtEmmWe0taGS2l-21EDORvjKfK-Cdxp.png)
Execution has now stopped at the cmp; the register values are shown above it.
Set eax = edx, then continue.
The flag is printed.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBdeokRFTHkFgFi6kIyviqFI2eGK09aJ-FaBIcuYYaTyI.png)
pwn2
Open it in IDA.
Press F5 to decompile main into pseudocode.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBfanFWi1Y2e2Rj5KslxMfcgDEc66vBhunhk1TFu9jr9m.png)
The flag is already visible here; for convenience, use gdb to have the program print it.
Start gdb and go into main.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBXArfdIywgpvJAK-k8Q-aD4FzyzJZCeZHvv3Pif4MN9n.png)
Again it is a cmp on eax.
Add the breakpoint as before, then run.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBV5-lCBCfciP5sEZXcbS7OuygjTxNPNBbW1XUcUuxVjy.png)
You can see that 0x23333 is the 144179 from the if in IDA's pseudocode.
Set eax = 144179, then continue.
The flag is printed.
![Intro pwn challenges x2](https://cdn.ancii.com/article/image/v1/sY/fn/RV/VRfYnsfiw8FmOoknmURpINNpVSAFhSOluTdiTXAF7Ar8p_OJobaIK3D-5NX6X_L1sV1vNupQhjGyuBWLhJ5MBfQbCNWAG_5ynrE2unlc3jarVlyptUGt0fKNsQ2wPbjo.png)
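Both sessions above follow the same pattern (break on the cmp, patch eax, continue), so here, as an added example that is not part of the original post, is a gdb command file that scripts the pwn1 steps; it assumes the binary is named ./pwn1 and takes the cmp address 0x8048720 from the post, while the pwn2 adaptation at the end uses the 0x23333 constant the post identifies.

```gdb
# Added example (not from the original post): scripted version of the pwn1 session.
# Assumptions: binary is ./pwn1, and 0x8048720 is the cmp inside get_flag (from the post).
# Run with:  gdb -q -batch -x force_cmp.gdb ./pwn1
set pagination off

# Stop on the cmp that compares magic with password.
break *0x8048720

# Run the program; type any value when it asks for input, as in the post.
run

# Show both operands before patching so the mismatch is visible in the log.
printf "before patch: eax = 0x%x, edx = 0x%x\n", $eax, $edx

# Make the comparison succeed by copying edx into eax.
set $eax = $edx
printf "after patch:  eax = 0x%x, edx = 0x%x\n", $eax, $edx

# Resume; get_flag now takes the "equal" branch and prints the flag.
continue

# For pwn2 the same file works with two edits: point the breakpoint at the cmp
# address read from IDA (the post does not show it), and replace the patch with
#   set $eax = 0x23333      (decimal 144179, the constant in the if)
```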