Ghidraを勉強した記録として残しておく。
基本的な stack strings の問題なのでsimpleと名付けられたのだと思う。
simpleの入手先
表層解析で得られる文字列 incorrect を検索
普通にmain関数内
main関数のデコンパイル結果(当初)
/*
 * Ghidra's first decompilation of main() (before retyping/renaming).
 * "undefined8" is Ghidra's placeholder for an 8-byte value whose type it
 * could not recover; DAT_00100922 is the scanf format string (its contents
 * are not shown in this listing).
 */
undefined8 main(void)
{
size_t sVar1;
undefined8 uVar2;
char local_78 [48]; /* expected flag, built below as a stack string (36 bytes stored; no terminator is written in the visible code) */
char local_48 [60]; /* user input */
uint local_c;       /* loop index for the byte-wise compare */
printf("input flag : ");
/* NOTE(review): the format string at DAT_00100922 is not visible here; if it is a bare "%s"
 * there is no width limit, so input longer than 59 bytes overruns local_48 on the stack. */
__isoc99_scanf(&DAT_00100922,local_48);
sVar1 = strlen(local_48);
if (sVar1 == 0x24) { /* 0x24 = 36: the expected flag length */
/* stack string: one byte store per character -- 0x46 'F', 0x4c 'L', 0x41 'A', 0x47 'G', 0x7b '{' ... */
local_78[0] = 'F';
local_78[1] = 0x4c;
local_78[2] = 0x41;
local_78[3] = 0x47;
local_78[4] = 0x7b;
(中略)
/* ... 0x69 'i', 0x6e 'n', 0x67 'g', 0x73 's', 0x7d '}' -- the last five characters of the flag */
local_78[31] = 0x69;
local_78[32] = 0x6e;
local_78[33] = 0x67;
local_78[34] = 0x73;
local_78[35] = 0x7d;
local_c = 0;
/* compare all 36 positions; the first differing byte exits immediately */
while (local_c < 0x24) {
if (local_48[(int)local_c] != local_78[(int)local_c]) {
puts("Incorrect"); /* mismatch path (capital I) */
return 1;
}
local_c = local_c + 1;
}
printf("Correct! Flag is %s\n",local_48); /* every byte matched, so the input itself is the flag */
uVar2 = 0;
}
else {
puts("incorrect"); /* wrong-length path (lower-case i); note the two messages differ only in case */
uVar2 = 1;
}
return uVar2;
}
変数の型を変更してデコンパイル結果の誤りを正し、わかりやすい変数名に変更したもの
/*
 * The same function after retyping in Ghidra: the index is now a signed int
 * named i, and the two buffers are renamed flag / input_value. The logic is
 * otherwise identical to the first decompilation.
 */
undefined8 main(void)
{
size_t size;
undefined8 uVar1;
char flag [48];        /* expected flag, filled one byte at a time below (indices 0..35) */
char input_value [60]; /* user input read by scanf */
int i;
printf("input flag : ");
/* NOTE(review): the format string at DAT_00100922 is not shown; unless it carries a
 * width (e.g. "%59s"), input longer than 59 bytes overruns input_value on the stack. */
__isoc99_scanf(&DAT_00100922,input_value);
size = strlen(input_value);
if (size == 0x24) { /* exactly 36 characters expected */
flag[0] = 'F';
flag[1] = 0x4c;
flag[2] = 0x41;
flag[3] = 0x47;
flag[4] = 0x7b;
(中略)
flag[31] = 0x69;
flag[32] = 0x6e;
flag[33] = 0x67;
flag[34] = 0x73;
flag[35] = 0x7d;
i = 0;
/* the (uint) cast survives the retyping -- presumably the compiled compare is unsigned */
while ((uint)i < 0x24) {
if (input_value[i] != flag[i]) {
puts("Incorrect");
return 1; /* early exit on the first differing byte */
}
i = i + 1;
}
printf("Correct! Flag is %s\n",input_value);
uVar1 = 0;
}
else {
puts("incorrect");
uVar1 = 1;
}
return uVar1;
}
0x00100793から始まる stack strings の逆アセンブル部分
; Stack-string construction inside main(): one 4-byte "MOV byte ptr [RBP+disp8], imm8"
; per character (encoding c6 45 <disp8> <imm8>), writing local_78 .. local_55 =
; offsets 0x90 .. 0xb3, i.e. 0x24 = 36 consecutive bytes. The last byte of each
; encoding is the stored character (0x46 = 'F' ... 0x7d = '}'); the solver script
; walks these instructions and collects that immediate operand.
00100793 c6 45 90 46 MOV byte ptr [RBP + local_78],0x46
00100797 c6 45 91 4c MOV byte ptr [RBP + local_77],0x4c
0010079b c6 45 92 41 MOV byte ptr [RBP + local_76],0x41
0010079f c6 45 93 47 MOV byte ptr [RBP + local_75],0x47
001007a3 c6 45 94 7b MOV byte ptr [RBP + local_74],0x7b
(中略)
0010080f c6 45 af 69 MOV byte ptr [RBP + local_59],0x69
00100813 c6 45 b0 6e MOV byte ptr [RBP + local_58],0x6e
00100817 c6 45 b1 67 MOV byte ptr [RBP + local_57],0x67
0010081b c6 45 b2 73 MOV byte ptr [RBP + local_56],0x73
0010081f c6 45 b3 7d MOV byte ptr [RBP + local_55],0x7d
ソルバー ( Ghidra Script )
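# Solver (Ghidra script): read back the stack string that main() builds with one
# "MOV byte ptr [RBP+off], imm8" per character, starting at the first such MOV.
# Runs inside Ghidra's script environment (Jython), which provides
# getInstructionAt() and toAddr().
STACK_STRING_START = 0x00100793  # address of the first MOV (from the disassembly listing)
FLAG_LEN = 0x24                  # 36 bytes, matching the strlen(...) == 0x24 check in main()

ans = []
inst = getInstructionAt(toAddr(STACK_STRING_START))
for _ in range(FLAG_LEN):
    # getInstructionAt()/getNext() return None when there is no instruction there;
    # stop instead of raising on None so a partial result is still printed.
    if inst is None:
        break
    # operand 1 is the imm8; its scalar value is the character stored at that position
    ans.append(inst.getOpObjects(1)[0].getValue())
    inst = inst.getNext()
print(ans)
print(''.join(map(chr, ans)))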