汇编的没啥好说的,写就完事了。注意发送的时候别用 sendline,它会把末尾的换行当成代码执行然后报错
19
原以为19很难,需要自己写跳转表,还专门放在最后做的,结果。。。。
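from pwn import *

# pwn.college embryoasm level 19: dispatch through a jump table.
# Contract as used by this solution (confirm against the level text):
#   rdi = index, rsi = address of a table of 8-byte code pointers,
#   any index >= 4 must use the table's last entry (index 4).
context.log_level = 'info'
r = process(["/challenge/embryoasm_level19"])

# The clamp is an unsigned compare (jb), so a negative rdi also goes to the
# default entry instead of reading memory in front of the table.
# The entry is loaded as a full QWORD to match the table's 8-byte stride;
# a DWORD load would silently truncate the target address to 32 bits.
shellcode = """
cmp rdi, 4
jb DISPATCH
mov rdi, 4
DISPATCH:
jmp QWORD PTR [rsi+rdi*8]
"""
payload = asm(shellcode, arch='amd64')
log.success(str(payload))
# send(), not sendline(): a trailing newline would be delivered as code bytes.
r.send(payload)
r.interactive()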
23
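from pwn import *

# pwn.college embryoasm level 23: most_common_byte(src_addr, size).
# Reference pseudo-code for the routine being implemented:
#   for i in 0 .. size-1:
#       curr_byte = [src_addr + i]
#       [table + curr_byte] += 1
#   max_freq = 0
#   max_freq_byte = 0
#   for b in 0 .. 0xff:
#       if [table + b] > max_freq:
#           max_freq = [table + b]
#           max_freq_byte = b
#   return max_freq_byte
context.log_level = 'info'
r = process(["/challenge/embryoasm_level23"])

# rdi = src_addr, rsi = size, result in rax.
# The 256-entry table lives in the frame at [rsp]. It is zeroed explicitly
# (fresh stack memory is not guaranteed to be zero) and uses 32-bit counters,
# so a byte seen more than 255 times does not wrap.
# movzx clears the whole index register before it is used as an offset; a
# byte-sized mov would leave stale upper bits in the index.
# Sizes and counts are unsigned, so the loops use jae/jbe; a signed jle would
# misorder any count of 128 or more.
# Only caller-saved registers (rcx, rdx, r8, r9) are used as scratch.
shellcode = """
push rbp
mov rbp, rsp
sub rsp, 0x400

xor r8, r8
ZERO:
mov DWORD PTR [rsp+r8*4], 0
inc r8
cmp r8, 0x100
jne ZERO

xor r8, r8
COUNT:
cmp r8, rsi
jae COUNT_DONE
movzx r9, BYTE PTR [rdi+r8]
add DWORD PTR [rsp+r9*4], 1
inc r8
jmp COUNT
COUNT_DONE:

xor r8, r8
xor ecx, ecx
xor edx, edx
SCAN:
cmp r8, 0x100
je SCAN_DONE
cmp DWORD PTR [rsp+r8*4], ecx
jbe SCAN_NEXT
mov ecx, DWORD PTR [rsp+r8*4]
mov rdx, r8
SCAN_NEXT:
inc r8
jmp SCAN
SCAN_DONE:

mov rax, rdx
mov rsp, rbp
pop rbp
ret
"""
payload = asm(shellcode, arch='amd64')
log.success(str(payload))
# send(), not sendline(): a trailing newline would be delivered as code bytes.
r.send(payload)
r.interactive()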
Q.E.D.