만두만두

Uncrackable 3 write upMainActivity다른 부분들에 대해서는 분석을 상세히 서술할 필요가 없을 것 같아, 필요한 부분들에 대해서만 간단히 짚고 넘어간다.package sg.vantagepoint.uncrackable3; ​ import android.app.AlertDialog; import android.content.DialogInterface; import android.os.AsyncTask; import android.os.Bundle; import android.os.Debug; import android.os.SystemClock; import android.support.v7.app.AppCompatActivity; import android.util.Log; imp..

[Defenit CTF 2020] warmup writeupSummaryoverwrite snprintf's ret and brute forcingCode Analysis__int64 initialize() { __int64 result; // rax ​ setvbuf(stdin, 0LL, 2, 0LL); setvbuf(stdout, 0LL, 2, 0LL); setvbuf(stderr, 0LL, 2, 0LL); fd = open("flag.txt", 0); result = (unsigned int)fd; if ( fd x/40gx $rsp 0x7fff6ec57380: 0x2432312563303225 0x00007fff6e6e6868 0x7fff6ec57390: 0x000000006562b026 0x00..

[bytebandits 2020] baby_rust writeup[Summary] rust reversingch4rli3kop at ubuntu in ~/WRITE-UP/bytebandits2020/baby_rust $ ./chall AAAAAAAAA you fail대충 위와같이 동작하는 프로그램Analysissub_0053A0() 함수가 키 포인트다. 0x0543D에 존재하는 sub_0092A0()을 통해 사용자의 입력을 받는다.힙을 할당하여 사용자의 입력 값을 저장하는데, 이후 힙 할당을 하고 사용자의 입력 값을 복사하는 작업을 두 번정도 한다. (아마 rust 상의 function을 이동할 때마다 새로운 힙에 데이터를 복사하는 것 같다.)그리고 사용자의 입력은 0x054A8에 위치한 다음의 루틴에서..

[bytebandits 2020] fmt-me writeup[summary] fsb Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000)Analysisint get_int() { char s; // [rsp+0h] [rbp-20h] unsigned __int64 v2; // [rsp+18h] [rbp-8h] ​ v2 = __readfsqword(0x28u); fgets(&s, 10, stdin); return atoi(&s); } ​ int __cdecl main(int argc, const char **argv, const char **envp) { char buf; // [r..

[pwnable.kr] fix writeup [summary] stack unlimited, control espWhy bother to make your own shellcode? I can simply copy&paste from shell-storm.org so I just copied it from shell-storm then used it for my buffer overflow exercise but it doesn't work :( can you please help me to fix this?? ​ ​ ssh fix@pwnable.kr -p2222 (pw:guest)ㄱㄱ#include ​ // 23byte shellcode from http://shell-storm.org/shellcod..

[pwnable.kr] dragon writeup [summary] byte overflow I made a RPG game for my little brother. But to trick him, I made it impossible to win. I hope he doesn't get too angry with me :P! ​ Author : rookiss Download : http://pwnable.kr/bin/dragon ​ Running at : nc pwnable.kr 9004structure00000000 Monster struc ; (sizeof=0x10, mappedto_1) 00000000 ptr dd ? ; offset 00000004 num dd ? 00000008 HP db ? ..

[pwnable.kr] fsb writeup [summary] format string bug, double staged fsb#include #include #include ​ unsigned long long key; char buf[100]; char buf2[100]; ​ int fsb(char** argv, char** envp){ char* args[]={"/bin/sh", 0}; int i; ​ char*** pargv = &argv; char*** penvp = &envp; char** arg; char* c; for(arg=argv;*arg;arg++) for(c=*arg; *c;c++) *c='\0'; for(arg=envp;*arg;arg++) for(c=*arg; *c;c++) *c..

[pwnable.kr] tiny_easy writeup [summary] brute forceI made a pretty difficult pwn task. However I also made a dumb rookie mistake and made it too easy :( This is based on real event :) enjoy. ​ ssh tiny_easy@pwnable.kr -p2222 (pw:guest)objdump로도 코드가 안보이고 심볼이 없어서 gdb로도 알 수가 없어서 일단 scp를 이용해서 바이너리를 받아왔다.ch4rli3kop@DESKTOP-D8UTNRD:~/pwn$ scp -P 2222 tiny_easy@pwnable.kr:/home/tiny_easy/tiny_easy /mn..

[pwnable.kr] ascii_easy writeup[summary] call execve, symbolic linkWe often need to make 'printable-ascii-only' exploit payload. You wanna try? ​ hint : you don't necessarily have to jump at the beggining of a function. try to land anyware. ​ ​ ssh ascii_easy@pwnable.kr -p2222 (pw:guest)이틀동안 캐삽질해서 겨우 푼 문제다;;입력에 필터 걸어놓는거 진짜 싫음code#include #include #include #include #include #include ​ #define BAS..

[pwnable.kr] otp writeup [summary] signal(SIGXFSZ), setrlimit, sigignore ...#include #include #include #include ​ int main(int argc, char* argv[]){ char fname[128]; unsigned long long otp[2]; ​ if(argc!=2){ printf("usage : ./otp [passcode]\n"); return 0; } ​ int fd = open("/dev/urandom", O_RDONLY); if(fd==-1) exit(-1); ​ if(read(fd, otp, 16)!=16) exit(-1); close(fd); ​ sprintf(fname, "/tmp/%llu"..