Lazenca.0x0 I have opened an online candy store. |
lazenca0x0@ubuntu:~/Documents/CTF/SECCON2017$ file ./Lazenca.0x0
./Lazenca.0x0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1bfd795acede916210985e5865d2de9697e7505a, stripped
lazenca0x0@ubuntu:~/Documents/CTF/SECCON2017$ checksec.sh --file ./Lazenca.0x0
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   ./Lazenca.0x0
lazenca0x0@ubuntu:~/Documents/CTF/SECCON2017$ |
/*
 * Record describing one order: an 8-byte order code, an unsigned counter,
 * an 8-byte candy name and a signed candy code.
 *
 * NOTE: no alias follows the closing brace, so the `typedef` keyword
 * declares nothing here; the type is referred to as `struct ORDER`.
 */
typedef struct ORDER {
    /* Fixed 8-byte buffer: an 8-character value leaves no room for a NUL
     * terminator, so writers must bound copies to sizeof(orderCode) and
     * readers must not assume the field is terminated. */
    char         orderCode[8];
    unsigned int orderNumber;
    /* Same fixed 8-byte constraint as orderCode. */
    char         orderCandyName[8];
    int          candyCode;
};
/*
 * Record for one candy entry: an 8-byte name, an unsigned counter and a
 * signed candy code.
 *
 * NOTE: no alias follows the closing brace, so the `typedef` keyword
 * declares nothing here; the type is referred to as `struct CANDIES`.
 */
typedef struct CANDIES {
    /* Fixed 8-byte buffer; not guaranteed to be NUL-terminated when all
     * 8 bytes are used, so bound every copy to sizeof(candyName). */
    char         candyName[8];
    unsigned int orderNumber;
    int          candyCode;
};
/*
 * Stock entry for one candy: an 8-byte name, an unsigned count, a signed
 * price and a pointer to a description string stored elsewhere.
 *
 * NOTE: no alias follows the closing brace, so the `typedef` keyword
 * declares nothing here; the type is referred to as `struct STOCK`.
 */
typedef struct STOCK {
    /* Fixed 8-byte buffer; bound every copy to sizeof(candyName). */
    char          candyName[8];
    unsigned int  candyNumber;
    /* Signed, so negative values are representable; validate before
     * using it in arithmetic. */
    int           candyPrice;
    /* Points outside the struct; who allocates and frees the target is
     * not shown in this listing. */
    char         *candyDescription;
};
/*
 * Credential record: two leading long words, an id buffer, a pw buffer,
 * a long state word and an 88-byte description.
 *
 * IDPWMAX is defined outside this listing, so the size of id/pw and the
 * offsets of the fields after them cannot be read off from here.
 *
 * NOTE: no alias follows the closing brace, so the `typedef` keyword
 * declares nothing here; the type is referred to as `struct IDPW`.
 */
typedef struct IDPW {
    long empty[2];          /* two leading words; purpose not shown here */
    /* id, pw, state and description are laid out one after another, so
     * every writer must bound its input to the destination field's size. */
    char id[IDPWMAX];
    /* NOTE(review): looks like the password is held as raw characters in
     * this record - confirm against the code that fills it. */
    char pw[IDPWMAX];
    long state;             /* status word; value meanings not shown here */
    char description[88];   /* fixed 88-byte buffer */
};
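/*
 * Account node: a state word, a number, a pointer to the account's
 * credential record (struct IDPW) and one more long word.
 *
 * NOTE: no alias follows the closing brace, so the `typedef` keyword
 * declares nothing here; the type is referred to as `struct ACCOUNT`.
 */
typedef struct ACCOUNT {
    long         state;    /* status word; value meanings not shown here */
    long         number;
    /* NOTE(review): the names fd/bk echo the forward/backward link names
     * used by glibc free chunks; whether this struct is used as a list
     * node is not visible in this listing - confirm. */
    struct IDPW *fd;       /* pointer to the credential record */
    long         bk;       /* declared as long, not as a pointer */
};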
해당 함수는 addAccount() 함수를 이용해 새로운 계정을 생성합니다.
/*
 * Program entry point, shown as decompiler pseudocode (__int64 and
 * __fastcall are decompiler spellings, not standard C).
 *
 * Flow:
 *   1. Install `handler` for signal 14 and arm a 0x1E-second alarm.
 *   2. Print the title, set up the candy stock, zero both counters.
 *   3. While no account is logged in, call login(). On failure, offer
 *      account creation through addAccount(3). On success, run the
 *      command menu until command 0 is chosen or gLoginAccount is cleared.
 *
 * Returns 0 once the outer loop sees a non-NULL gLoginAccount, which in
 * the normal flow is after command 0. Calls exit(1) on the third
 * consecutive failed login.
 */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    signed int running = 1; // [rsp+4h] [rbp-Ch]

    /* 14 is SIGALRM on Linux and 0x1E is 30, so the session is limited to
     * 30 seconds; what `handler` does is not shown in this listing. */
    signal(14, handler);
    alarm(0x1Eu);

    title();
    setCandy();
    gOrderCnt = 0;
    gLoginFailCnt = 0;

    while ( !gLoginAccount )
    {
        if ( !(unsigned int)login() )
        {
            /* The counter is checked before it is incremented, so two
             * failures are tolerated and the third one exits. */
            if ( gLoginFailCnt == 2 )
                exit(1);
            ++gLoginFailCnt;

            puts("\nCreate an account?");
            puts("0) Yes\n1) No");
            /* Answer 0 means "Yes". */
            if ( !(unsigned int)retNumber(2LL) )
                addAccount(3LL);
            continue;
        }

        /* A successful login clears the failure counter. */
        gLoginFailCnt = 0;

        while ( running && gLoginAccount )
        {
            unsigned int command;

            Menu();
            printf("Command : ");
            /* NOTE(review): the meaning of retNumber's argument is not
             * visible here - presumably an input length limit; confirm. */
            command = (unsigned int)retNumber(2LL);

            if ( command == 0u )
            {
                running = 0;
            }
            else if ( command == 1u )
            {
                printStock();
            }
            else if ( command == 2u )
            {
                purchase();
            }
            else if ( command == 3u )
            {
                charge();
            }
            else if ( command == 4u )
            {
                /* Commands 4 and 5 run only for an account whose state is
                 * 1 and are silently ignored otherwise. This dispatcher is
                 * the only gate visible in this listing; whether
                 * orderMenu()/Account() re-check it is not shown. */
                if ( gLoginAccount->state == 1 )
                    orderMenu();
            }
            else if ( command == 5u )
            {
                if ( gLoginAccount->state == 1 )
                    Account();
            }
            else if ( command == 9u )
            {
                logout(2LL);
            }
            /* Any other value falls through and the menu is shown again. */
        }
    }
    return 0LL;
}
lazenca0x0@ubuntu:~/Documents/CTF/SECCON2017$ gdb -q ./L*
Reading symbols from ./Lazenca.0x0...(no debugging symbols found)...done.
gdb-peda$ readelf
.interp = 0x400238
.note.ABI-tag = 0x400254
.note.gnu.build-id = 0x400274
.gnu.hash = 0x400298
.dynsym = 0x4002b8
.dynstr = 0x4004c8
.gnu.version = 0x400580
.gnu.version_r = 0x4005b0
.rela.dyn = 0x4005e0
.rela.plt = 0x4005f8
.init = 0x4007d8
.plt = 0x400800
.plt.got = 0x400950
.text = 0x400960
.fini = 0x4029c4
.rodata = 0x4029d0
.eh_frame_hdr = 0x40376c
.eh_frame = 0x403888
.init_array = 0x603e08
.fini_array = 0x603e18
.jcr = 0x603e20
.dynamic = 0x603e28
.got = 0x603ff8
.got.plt = 0x604000
.data = 0x6040b8
.bss = 0x6040e0
gdb-peda$ x/2gx 0x603e08
0x603e08: 0x0000000000400a30 0x000000000040266b
gdb-peda$ x/5i 0x000000000040266b
   0x40266b: push rbp
   0x40266c: mov rbp,rsp
   0x40266f: sub rsp,0x10
   0x402673: mov rax,QWORD PTR fs:0x28
   0x40267c: mov QWORD PTR [rbp-0x8],rax
gdb-peda$ |
| Flag |
|---|