| [0x08048380]> aas
Cannot analyze at 0x08048620
[0x08048380]> afl
0x080482fc 1 17 sym._init
0x080484d0 7 277 -> 112 sym.frame_dummy
0x080485e0 5 49 sym.__do_global_ctors_aux
0x08048611 1 12 sym._fini
0x08048450 8 113 -> 111 sym.__do_global_dtors_aux
0x08048114 44 524 -> 608 sym..interp
0x08048380 1 62 entry0
0x08048370 1 6 sym.imp.__libc_start_main
0x080486c4 1 14 loc.__GNU_EH_FRAME_HDR
0x080486e8 3 34 sym..eh_frame
0x08048724 1 10 obj.__EH_FRAME_BEGIN
0x080483c0 4 49 -> 40 sym.deregister_tm_clones
0x0804876c 1 4 obj.__FRAME_END
0x0804852c 6 172 main
0x08048515 1 23 sym.bounce
0x08048320 1 6 sym.imp.printf
0x08048330 1 6 sym.imp.puts
0x08048340 1 6 sym.imp.strncpy
0x08048350 1 6 sym.imp.memset
0x08048360 1 6 sym.imp.exit
[0x08048380]> s main
[0x0804852c]> pdf
/ (fcn) main 172
| int main (int argc, char **argv, char **envp);
| ; Summary (review): prints the banner; if argc > 1, zero-fills a 0x100-byte stack
| ; buffer (var_108h), strncpy()s argv[1] into it with n = 0x100, and hands the buffer
| ; to sym.bounce. Afterwards it reports whether the global obj.changeme became
| ; non-zero and always exit(0)s. ebx holds the pointer to argc (argv is at [ebx+4]).
| ; var int32_t var_108h @ ebp-0x108
| ; arg int32_t arg_4h @ esp+0x4
| ; DATA XREF from entry0 @ 0x80483b4
| 0x0804852c 8d4c2404 lea ecx, [arg_4h]
| 0x08048530 83e4f0 and esp, 0xfffffff0
| 0x08048533 ff71fc push dword [ecx - 4]
| 0x08048536 55 push ebp
| 0x08048537 89e5 mov ebp, esp
| 0x08048539 53 push ebx
| 0x0804853a 51 push ecx
| ; buffer appears to be exactly 0x100 bytes: it starts at ebp-0x108, right below the saved ebx/ecx
| 0x0804853b 81ec00010000 sub esp, 0x100
| 0x08048541 89cb mov ebx, ecx
| 0x08048543 83ec0c sub esp, 0xc
| 0x08048546 6820860408 push str.Welcome_to_phoenix_format_two__brought_to_you_by_https:__exploit.education ; sym..rodata
| ; 0x8048620 ; "Welcome to phoenix/format-two, brought to you by https://exploit.education"
| 0x0804854b e8e0fdffff call sym.imp.puts ; int puts(const char *s)
| 0x08048550 83c410 add esp, 0x10
| ; argc <= 1: skip the copy and go straight to the changeme check
| 0x08048553 833b01 cmp dword [ebx], 1
| ,=< 0x08048556 7e4b jle 0x80485a3
| | 0x08048558 83ec04 sub esp, 4
| | 0x0804855b 6800010000 push 0x100 ; 256
| | 0x08048560 6a00 push 0
| | 0x08048562 8d85f8feffff lea eax, [var_108h]
| | 0x08048568 50 push eax
| | ; memset(var_108h, 0, 0x100)
| | 0x08048569 e8e2fdffff call sym.imp.memset ; void *memset(void *s, int c, size_t n)
| | 0x0804856e 83c410 add esp, 0x10
| | ; eax = argv[1]
| | 0x08048571 8b4304 mov eax, dword [ebx + 4]
| | 0x08048574 83c004 add eax, 4
| | 0x08048577 8b00 mov eax, dword [eax]
| | 0x08048579 83ec04 sub esp, 4
| | 0x0804857c 6800010000 push 0x100 ; 256
| | 0x08048581 50 push eax
| | 0x08048582 8d85f8feffff lea eax, [var_108h]
| | 0x08048588 50 push eax
| | ; strncpy(var_108h, argv[1], 0x100): n equals the buffer size, so an argv[1] of
| | ; 0x100 or more bytes leaves the buffer without a NUL terminator (shorter inputs
| | ; are terminated only because memset zeroed the buffer first)
| | 0x08048589 e8b2fdffff call sym.imp.strncpy ; char *strncpy(char *dest, const char *src, size_t n)
| | 0x0804858e 83c410 add esp, 0x10
| | 0x08048591 83ec0c sub esp, 0xc
| | 0x08048594 8d85f8feffff lea eax, [var_108h]
| | 0x0804859a 50 push eax
| | ; bounce(var_108h): the argv[1]-derived buffer is bounce's only argument
| | ; (sym.bounce passes it straight to printf as the format string)
| | 0x0804859b e875ffffff call sym.bounce
| | 0x080485a0 83c410 add esp, 0x10
| ; changeme is a global in .data/.bss (0x8049868), initially 0; nothing in main writes it
| `-> 0x080485a3 a168980408 mov eax, dword [obj.changeme] ; [0x8049868:4]=0
| 0x080485a8 85c0 test eax, eax
| ,=< 0x080485aa 7412 je 0x80485be
| | 0x080485ac 83ec0c sub esp, 0xc
| | 0x080485af 686c860408 push str.Well_done__the__changeme__variable_has_been_changed_correctly ; 0x804866c ; "Well done, the 'changeme' variable has been changed correctly!"
| | 0x080485b4 e877fdffff call sym.imp.puts ; int puts(const char *s)
| | 0x080485b9 83c410 add esp, 0x10
| ,==< 0x080485bc eb10 jmp 0x80485ce
| |`-> 0x080485be 83ec0c sub esp, 0xc
| | 0x080485c1 68ab860408 push str.Better_luck_next_time ; 0x80486ab ; "Better luck next time!\n"
| | 0x080485c6 e865fdffff call sym.imp.puts ; int puts(const char *s)
| | 0x080485cb 83c410 add esp, 0x10
| | ; CODE XREF from main @ 0x80485bc
| `--> 0x080485ce 83ec0c sub esp, 0xc
| 0x080485d1 6a00 push 0
| ; exit(0) on both paths; main never returns to __libc_start_main
\ 0x080485d3 e888fdffff call sym.imp.exit ; void exit(int status)
[0x0804852c]> agf
[0x0804852c]> # int main (int argc, char **argv, char **envp);
.----------------------------------------------------------------------------------------.
| 0x804852c |
| (fcn) main 172 |
| int main (int argc, char **argv, char **envp); |
| ; var int32_t var_108h @ ebp-0x108 |
| ; arg int32_t arg_4h @ esp+0x4 |
| ; DATA XREF from entry0 @ 0x80483b4 |
| lea ecx, [arg_4h] |
| and esp, 0xfffffff0 |
| push dword [ecx - 4] |
| push ebp |
| mov ebp, esp |
| push ebx |
| push ecx |
| sub esp, 0x100 |
| mov ebx, ecx |
| sub esp, 0xc |
| ; sym..rodata |
| ; 0x8048620 |
| ; "Welcome to phoenix/format-two, brought to you by https://exploit.education" |
| push str.Welcome_to_phoenix_format_two__brought_to_you_by_https:__exploit.education |
| ; int puts(const char *s) |
| call sym.imp.puts;[oa] |
| add esp, 0x10 |
| cmp dword [ebx], 1 |
| jle 0x80485a3 |
`----------------------------------------------------------------------------------------'
f t
| |
| '---------------------------------------------------.
.---' |
.---------------------------------------------------------. |
| 0x8048558 | |
| sub esp, 4 | |
| ; 256 | |
| push 0x100 | |
| push 0 | |
| lea eax, [var_108h] | |
| push eax | |
| ; void *memset(void *s, int c, size_t n) | |
| call sym.imp.memset;[ob] | |
| add esp, 0x10 | |
| mov eax, dword [ebx + 4] | |
| add eax, 4 | |
| mov eax, dword [eax] | |
| sub esp, 4 | |
| ; 256 | |
| push 0x100 | |
| push eax | |
| lea eax, [var_108h] | |
| push eax | |
| ; char *strncpy(char *dest, const char *src, size_t n) | |
| call sym.imp.strncpy;[oc] | |
| add esp, 0x10 | |
| sub esp, 0xc | |
| lea eax, [var_108h] | |
| push eax | |
| call sym.bounce;[od] | |
| add esp, 0x10 | |
`---------------------------------------------------------' |
v |
| |
'----------------------------. |
| .--------------------------'
| |
.----------------------------------.
| 0x80485a3 |
| ; [0x8049868:4]=0 |
| mov eax, dword [obj.changeme] |
| test eax, eax |
| je 0x80485be |
`----------------------------------'
f t
| |
| '-----------------------.
.-----------------------------------------------------' |
| |
.---------------------------------------------------------------------------. .-----------------------------------.
| 0x80485ac | | 0x80485be |
| sub esp, 0xc | | sub esp, 0xc |
| ; 0x804866c | | ; 0x80486ab |
| ; "Well done, the 'changeme' variable has been changed correctly!" | | ; "Better luck next time!\n" |
| push str.Well_done__the__changeme__variable_has_been_changed_correctly | | push str.Better_luck_next_time |
| ; int puts(const char *s) | | ; int puts(const char *s) |
| call sym.imp.puts;[oa] | | call sym.imp.puts;[oa] |
| add esp, 0x10 | | add esp, 0x10 |
| jmp 0x80485ce | `-----------------------------------'
`---------------------------------------------------------------------------' v
v |
| |
'---------------------------------------------------. |
| .-------------------------'
| |
.-----------------------------------.
| 0x80485ce |
| ; CODE XREF from main @ 0x80485bc |
| sub esp, 0xc |
| push 0 |
| ; void exit(int status) |
| call sym.imp.exit;[oe] |
`-----------------------------------'
[0x0804852c]> pdf @ sym.bounce
/ (fcn) sym.bounce 23
| sym.bounce (int32_t arg_8h);
| ; Summary (review): bounce(const char *s) { printf(s); } — arg_8h is pushed as the
| ; first and only argument to printf, i.e. as the *format string* itself.
| ; arg int32_t arg_8h @ ebp+0x8
| ; CALL XREF from main @ 0x804859b
| 0x08048515 55 push ebp
| 0x08048516 89e5 mov ebp, esp
| 0x08048518 83ec08 sub esp, 8
| 0x0804851b 83ec0c sub esp, 0xc
| 0x0804851e ff7508 push dword [arg_8h]
| ; NOTE(review): the only caller (main) passes a buffer copied from argv[1], so the
| ; format string is user-controlled — the format-string defect this level is about.
| ; Mitigation: printf("%s", s) or puts(s); -Wformat-security flags this at compile time.
| 0x08048521 e8fafdffff call sym.imp.printf ; int printf(const char *format)
| 0x08048526 83c410 add esp, 0x10
| 0x08048529 90 nop
| 0x0804852a c9 leave
\ 0x0804852b c3 ret
|