A few small notes on patching in Pwn

Ugh, dumb contest. Go LM.

Patching

Format string

The template is in the buu heap notes.

```asm
.eh_frame:0000000000001478                      myPrintf proc near           ; CODE XREF: banner+58↑p
.eh_frame:0000000000001478                                                   ; banner+69↑p
.eh_frame:0000000000001478 55                   push    rbp
.eh_frame:0000000000001479 48 89 E5             mov     rbp, rsp
.eh_frame:000000000000147C 48 89 FE             mov     rsi, rdi
.eh_frame:000000000000147F 48 8D 3D 37 FE FF FF lea     rdi, aS              ; "%s"
.eh_frame:0000000000001486 E8 65 F4 FF FF       call    _printf
.eh_frame:0000000000001486
.eh_frame:000000000000148B C9                   leave
.eh_frame:000000000000148C C3                   retn
```

UAF

```asm
.eh_frame:08048CEC                      myFree          proc near
.eh_frame:08048CEC
.eh_frame:08048CEC                      arg_0           = dword ptr  8
.eh_frame:08048CEC
.eh_frame:08048CEC 55                   push    ebp
.eh_frame:08048CED 89 E5                mov     ebp, esp
.eh_frame:08048CEF 8B 45 08             mov     eax, [ebp+arg_0]
.eh_frame:08048CF2 8B 00                mov     eax, [eax]
.eh_frame:08048CF4 50                   push    eax                          ; ptr
.eh_frame:08048CF5 E8 76 F7 FF FF       call    _free
.eh_frame:08048CFA 8B 45 08             mov     eax, [ebp+arg_0]
.eh_frame:08048CFD 90                   nop
.eh_frame:08048CFE 90                   nop
.eh_frame:08048CFF C7 00 00 00 00 00    mov     dword ptr [eax], 0
.eh_frame:08048D05 C9                   leave
.eh_frame:08048D06 C3                   retn
```
```asm
.text:08048863 83 C4 10                add     esp, 10h
.text:08048866 C7 C0 48 A0 04 08       mov     eax, offset notelist
.text:0804886C 8B 55 F4                mov     edx, [ebp+var_C]
.text:0804886F 8D 04 90   patch -->    lea     eax, [eax+edx*4]
.text:08048872 83 EC 0C                sub     esp, 0Ch
.text:08048875 50                      push    eax                          ; ptr
.text:08048876 E8 71 04 00 00 patch -> call    myFree
```
```c
if ( result )
{
  free(*(void **)(notelist[v2] + 4));
  myFree((void **)&notelist[v2]);   // <-- always fix this one; the one above is optional
  return puts("Success");
}
```

Jump instructions

Unsigned jumps

| Instruction | Description |
|---|---|
| JA | Jump if unsigned greater |
| JNA | Jump if unsigned not greater |
| JAE | Jump if unsigned greater or equal (same as JNB) |
| JNAE | Jump if unsigned not greater or equal (same as JB) |
| JB | Jump if unsigned less |
| JNB | Jump if unsigned not less |
| JBE | Jump if unsigned less or equal (same as JNA) |
| JNBE | Jump if unsigned not less or equal (same as JA) |

Signed jumps

| Instruction | Description |
|---|---|
| JG | Jump if signed greater |
| JNG | Jump if signed not greater |
| JGE | Jump if signed greater or equal (same as JNL) |
| JNGE | Jump if signed not greater or equal (same as JL) |
| JL | Jump if signed less |
| JNL | Jump if signed not less |
| JLE | Jump if signed less or equal (same as JNG) |
| JNLE | Jump if signed not less or equal (same as JG) |

Patching problems on Pe

This time, patching the permissions of the eh_frame section did nothing. After the contest I asked master 烧麦 and learned a few things.

XMAN: The thing is, when Linux checks memory permissions it actually looks at the segment. You only modified the section, but the part of the segment that contains that memory is still readable. I've run into this many times in reverse engineering too: if you patch all the sections to zero, the program is still recognized normally, precisely because the data is actually taken from the segment. So this puts that section into the loadable segment category, and load is rwx, right?

xia0: Changing the segment that holds eh_frame also works; just change it to PT_LOAD, and then that eh_frame segment can exec too.
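The two answers above both come down to the program headers: the kernel maps memory from PT_LOAD segments and their p_flags, and never reads section headers. The script below, written for these notes and not taken from the original post or from XMAN/xia0, shows that with the Python standard library only. It parses the ELF64 program headers, reports the permissions an address really gets (the covering PT_LOAD segment's flags), and implements both fixes: OR PF_X into the PT_LOAD segment that covers the patch address, or rewrite the PT_GNU_EH_FRAME segment into an R+X PT_LOAD. The sample ELF it runs on is a constructed toy (header plus two program headers, no code), and it assumes the patched segment's p_offset/p_vaddr already satisfy the alignment congruence the loader requires, as xia0's note implies.

```python
import struct

# ELF64 layouts and constants from the ELF specification.
PT_LOAD = 1
PT_GNU_EH_FRAME = 0x6474E550
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64-byte ELF64 header
PHDR_FMT = "<IIQQQQQQ"          # 56-byte ELF64 program header
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr",
               "p_paddr", "p_filesz", "p_memsz", "p_align")


def parse_phdrs(elf):
    """Return the program headers as dicts, each tagged with its file offset."""
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    ident, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        ph = dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, elf, off)))
        ph["_file_off"] = off
        phdrs.append(ph)
    return phdrs


def flags_str(f):
    return (("r" if f & PF_R else "-") + ("w" if f & PF_W else "-")
            + ("x" if f & PF_X else "-"))


def covering_load(phdrs, vaddr):
    """The first PT_LOAD whose [p_vaddr, p_vaddr+p_memsz) contains vaddr."""
    for ph in phdrs:
        if ph["p_type"] == PT_LOAD and ph["p_vaddr"] <= vaddr < ph["p_vaddr"] + ph["p_memsz"]:
            return ph
    return None


def load_segment_perms(elf, vaddr):
    """Permissions the kernel actually gives vaddr: the covering PT_LOAD's
    flags (section flags are never consulted), or None if nothing maps it."""
    ph = covering_load(parse_phdrs(elf), vaddr)
    return flags_str(ph["p_flags"]) if ph else None


def set_phdr(elf, ph, **changes):
    """Return a copy of elf with one program header rewritten."""
    out = bytearray(elf)
    ph = dict(ph, **changes)
    struct.pack_into(PHDR_FMT, out, ph["_file_off"], *(ph[k] for k in PHDR_FIELDS))
    return bytes(out)


def make_executable(elf, vaddr):
    """Fix 1 (XMAN's point): mark the PT_LOAD segment covering vaddr as executable."""
    ph = covering_load(parse_phdrs(elf), vaddr)
    if ph is None:
        raise ValueError("no PT_LOAD segment covers 0x%x" % vaddr)
    return set_phdr(elf, ph, p_flags=ph["p_flags"] | PF_X)


def promote_eh_frame_segment(elf):
    """Fix 2 (xia0's point): turn the PT_GNU_EH_FRAME segment into an R+X PT_LOAD.
    Assumption: its p_offset/p_vaddr are already congruent modulo the page size,
    so the loader can map it; p_align and offsets are left untouched."""
    for ph in parse_phdrs(elf):
        if ph["p_type"] == PT_GNU_EH_FRAME:
            return set_phdr(elf, ph, p_type=PT_LOAD, p_flags=PF_R | PF_X)
    raise ValueError("no PT_GNU_EH_FRAME segment")


def build_sample_elf():
    """Constructed toy ELF64: header + two program headers, no code. Used only
    to exercise the functions above; it is not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 0x3E, 1, 0x1478, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    ro_load = struct.pack(PHDR_FMT, PT_LOAD, PF_R, 0x1000, 0x1000, 0x1000, 0x800, 0x800, 0x1000)
    eh_hdr = struct.pack(PHDR_FMT, PT_GNU_EH_FRAME, PF_R, 0x1400, 0x1400, 0x1400, 0x100, 0x100, 4)
    return ehdr + ro_load + eh_hdr


if __name__ == "__main__":
    elf = build_sample_elf()
    patch_addr = 0x1478   # where myPrintf was placed in the listing above
    print("before:", load_segment_perms(elf, patch_addr))
    print("fix 1: ", load_segment_perms(make_executable(elf, patch_addr), patch_addr))
    eh = [p for p in parse_phdrs(promote_eh_frame_segment(elf)) if p["_file_off"] == 64 + 56][0]
    print("fix 2:  p_type=%#x flags=%s" % (eh["p_type"], flags_str(eh["p_flags"])))
```

Run it against a real binary by replacing build_sample_elf() with the file's bytes; readelf -l on the result should show the changed segment. Whichever fix is used, the check that matters is load_segment_perms on the patch address, not the section flags IDA displays.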