汇编部分没什么好说的，写出来就行。注意发送 payload 的时候要用 send 而不是 sendline：sendline 会在 shellcode 末尾多追加一个换行字节（0x0a），题目会把这个字节当作机器码的一部分去执行，于是报错。

19

原以为 19 很难，需要自己写跳转表，还特意留到最后做，结果发现跳转表是题目给的（rsi 指向表基址，rdi 是下标），只要按下标取出表项跳过去就行。

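from pwn import *
context.log_level='info'

r = process(["/challenge/embryoasm_level19"])

# Jump-table dispatch for level 19.
#   rdi = index, rsi = base of a table of 8-byte code addresses
#   (the first attempt multiplied rdi by 8, so entries are qwords).
# Indices 0..3 select their own entry; anything else takes the default
# entry at index 4.  Two fixes over the first attempt:
#   * `jb` (unsigned) instead of `jl` (signed): a "negative" rdi must not
#     index backwards before the table, it should hit the default entry.
#   * jump through the whole qword entry instead of reading only a dword
#     (which zero-extends, i.e. silently truncates any address above
#     4 GiB) and clobbering rdx with `mul`.
# No `;` comments inside the asm string: pwntools assembles this with GNU
# as, where `;` separates statements rather than starting a comment.
shellcode = """
cmp rdi, 4
jb AAA
mov rdi, 4
AAA:
jmp qword ptr [rsi + rdi*8]
"""
payload = asm(shellcode, arch='amd64')
log.success(str(payload))

# send(), not sendline(): the trailing newline would be appended to the
# shellcode and executed as a stray instruction byte.
r.send(payload)
r.interactive()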

23

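from pwn import *
context.log_level='info'

r = process(["/challenge/embryoasm_level23"])


# Pseudocode as given by the challenge:
#
# most_common_byte(src_addr, size):
# b = 0
# i = 0
# for i <= size-1:
# curr_byte = [src_addr + i]
# [stack_base - curr_byte] += 1
# b = 0

# max_freq = 0
# max_freq_byte = 0
# for b <= 0xff:
# if [stack_base - b] > max_freq:
# max_freq = [stack_base - b]
# max_freq_byte = b

# return max_freq_byte


# Register use:
#   rdi = src_addr, rsi = size (arguments)
#   rsp..rsp+0xff = 256 one-byte counters, indexed by byte value
#   rbx = loop counter, rcx = current byte / max_freq, rdx = max_freq_byte
#   rax = return value
# Fixes over the first attempt:
#   * the counter table is zeroed before counting -- a fresh `sub rsp`
#     region holds whatever was on the stack before, so the counts would
#     otherwise start from garbage.
#   * the byte is loaded with `movzx` (and rcx cleared once up front), so
#     the upper bits of rcx can never leak into the `[rsp+rcx]` index;
#     `mov cl, ...` alone leaves bits 8..63 untouched.
#   * the max search branches with `jbe` (unsigned) instead of `jle`
#     (signed): with `jle`, any count >= 0x80 looks negative and is never
#     chosen as the maximum.
# The counters are single bytes, as in the pseudocode above, so this
# assumes no value occurs 256 or more times -- TODO confirm against the
# challenge's stated bounds.
# Ties keep the first (lowest) byte value, same as before.
shellcode = """
push rbp
mov rbp, rsp
sub rsp, 0x100

xor eax, eax
mov rcx, 0x20
ZERO:
mov qword ptr [rsp + rcx*8 - 8], rax
dec rcx
jnz ZERO

xor ecx, ecx
xor ebx, ebx
AAA:
cmp rbx, rsi
jae BBB
movzx ecx, byte ptr [rdi + rbx]
add byte ptr [rsp + rcx], 1
inc rbx
jmp AAA

BBB:
xor ecx, ecx
xor edx, edx
xor ebx, ebx
CCC:
cmp rbx, 0x100
je DDD
cmp byte ptr [rsp + rbx], cl
jbe NEXT
mov cl, byte ptr [rsp + rbx]
mov rdx, rbx
NEXT:
inc rbx
jmp CCC

DDD:
mov rax, rdx
mov rsp, rbp
pop rbp
ret
"""

payload = asm(shellcode, arch='amd64')
log.success(str(payload))

# send(), not sendline(): a trailing newline would be appended to the
# shellcode and executed as a stray instruction byte.
r.send(payload)
r.interactive()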