I am trying to find the password for a binary using radare2 - another crackme :-)
I already thought I had found the password ("pass"), but that does not seem to be the correct one. Or there is a trick I have not discovered yet...
Here is the code and my thoughts:
/ (fcn) sym.main 134
| int sym.main (int argc, char **argv, char **envp);
| ; var int var_dh @ rbp-0xd
| ; var int var_9h @ rbp-0x9
| ; var int var_8h @ rbp-0x8
| ; DATA XREF from entry0 (0x6dd)
| 0x000008bc 55 push rbp
| 0x000008bd 4889e5 mov rbp, rsp
| 0x000008c0 4883ec10 sub rsp, 0x10
Memory setup
| 0x000008c4 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=0x1a30 ; '('
| 0x000008cd 488945f8 mov qword [var_8h], rax
| 0x000008d1 31c0 xor eax, eax
| 0x000008d3 c745f3000000. mov dword [var_dh], 0
| 0x000008da c645f700 mov byte [var_9h], 0
| 0x000008de 488d3d140100. lea rdi, qword str.Enter__pass__: ; 0x9f9 ; "Enter \"pass\": "
| 0x000008e5 e896fdffff call sym.imp.puts ; int puts(const char *s)
Set var_dh, var_9h and var_8h = 0, display the message 'Enter "pass":'
| 0x000008ea 488b151f0720. mov rdx, qword [obj.stdin] ; obj.__TMC_END ; [0x201010:8]=0
| 0x000008f1 488d45f3 lea rax, qword [var_dh]
| 0x000008f5 be05000000 mov esi, 5
| 0x000008fa 4889c7 mov rdi, rax
| 0x000008fd e89efdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
Get the user input
| 0x00000902 488d45f3 lea rax, qword [var_dh]
| 0x00000906 ba04000000 mov edx, 4
| 0x0000090b 488d35030100. lea rsi, qword str.pass ; 0xa15 ; "pass"
| 0x00000912 4889c7 mov rdi, rax
| 0x00000915 e856fdffff call sym.imp.strncmp ; int strncmp(const char *s1, const char *s2, size_t n)
| 0x0000091a 85c0 test eax, eax
Compare the user input with "pass"
| 0x0000091c 90 nop
| 0x0000091d b800000000 mov eax, 0
| 0x00000922 90 nop
| 0x00000923 90 nop
| 0x00000924 90 nop
| 0x00000925 90 nop
| 0x00000926 90 nop
| 0x00000927 b800000000 mov eax, 0
| 0x0000092c 488b4df8 mov rcx, qword [var_8h]
| 0x00000930 6448330c2528. xor rcx, qword fs:[0x28]
| ,=< 0x00000939 7405 je 0x940
| | 0x0000093b e850fdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
| | ; CODE XREF from sym.main (0x939)
| `-> 0x00000940 c9 leave
\ 0x00000941 c3 ret
Exit the program when the password is wrong?!
Maybe I just cannot see the forest for the trees...
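For reference, here is a C reconstruction of sym.main as it reads from the listing above; it is an added illustration, not the crackme's own source. It keeps the stack layout the listing shows (var_dh as a 4-byte field with var_9h directly after it, so fgets gets a 5-byte buffer), the strncmp of 4 bytes against "pass", and the fact that after 'test eax, eax' only nops and 'mov eax, 0' follow, so nothing branches on the comparison result. The function names and the EOF handling are my assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the crackme's main routine (added example, not the
 * original source). Stack layout taken from the radare2 listing:
 * var_dh (rbp-0xd) is a 4-byte field and var_9h (rbp-0x9) is the byte
 * right after it, so together they form a 5-byte buffer. fgets with
 * size 5 stores at most 4 characters plus a terminating NUL. */

#define EXPECTED "pass"

/* Mirrors the strncmp call at 0x915: compare the first 4 bytes of the
 * input with "pass"; returns 0 on a match. A trailing '\n' is never
 * compared because only 4 bytes are checked. */
int check_password(const char *input)
{
    return strncmp(input, EXPECTED, 4);
}

/* Mirrors the fgets call at 0x8fd. The stream is a parameter so the
 * routine can be driven from a test instead of stdin. Returning -1 on
 * EOF is an assumption; the listing does not check the fgets result. */
int read_and_check(FILE *in)
{
    char buf[5];                     /* var_dh[4] followed by var_9h */
    memset(buf, 0, sizeof buf);      /* mov dword [var_dh],0 / mov byte [var_9h],0 */
    if (fgets(buf, sizeof buf, in) == NULL)
        return -1;
    return check_password(buf);
}

int main(void)
{
    puts("Enter \"pass\": ");
    int result = read_and_check(stdin);
    /* In the binary, 'test eax, eax' at 0x91a is followed only by nops
     * and 'mov eax, 0': the comparison result is never used, no verdict
     * is printed, and main returns 0 regardless of the input. */
    printf("strncmp result: %d (0 means the first 4 bytes match)\n", result);
    return 0;
}
```

Run it and type "pass": the comparison returns 0, which is the same result the binary computes and then silently discards.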