diff --git a/README.md b/README.md index f864e00..22c97d1 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ - [五、高级篇](doc/5_advanced.md) - [六、附录](doc/6_appendix.md) - - [6.1 更多工具](doc/6.1_moretools.md) - - [6.1.1 terminal commands](doc/6.1.1_commands.md) - - 书籍,博客和文章 + - [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md) + - [6.2 更多 Windows 工具](doc/6.2_wintools.md) + - [6.3 博客、文章和书籍](doc/6.3_books&blogs.md) + - [6.4 习题 write-up](doc/6.4_writeup.md) diff --git a/doc/6.1.1_commands.md b/doc/6.1.1_commands.md deleted file mode 100644 index 333c5e5..0000000 --- a/doc/6.1.1_commands.md +++ /dev/null @@ -1 +0,0 @@ -# 6.1 Terminal Commands diff --git a/doc/6.1_Linuxtools.md b/doc/6.1_Linuxtools.md new file mode 100644 index 0000000..b7a5027 --- /dev/null +++ b/doc/6.1_Linuxtools.md @@ -0,0 +1,53 @@ +# 6.1 更多 Linux 工具 + +- [strings](#strings) +- [xxd](#xxd) + +## strings +**strings**命令在对象文件或二进制文件中查找可打印的字符串。字符串是4个或更多可打印字符的任意序列,以换行符或空字符结束。strings命令对识别随机对象文件很有用。 + +#### 重要参数 +```text +-d --data Only scan the data sections in the file +-t --radix={o,d,x} Print the location of the string in base 8, 10 or 16 +-e --encoding={s,S,b,l,B,L} Select character size and endianness: + s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit +``` + +#### 常见用法 +组合使用 *strings* 和 *grep*。 + +在 **ret2lib** 攻击中,得到字符串的偏移: +```text +strings -t x /lib32/libc-2.24.so | grep /bin/sh +``` + +检查是否使用了 **UPX** 加壳 +```text +strings [executable] | grep -i upx +``` + +#### 练习 +[strings_crackme](../source/Reverse/strings_crackme) + +[flag_pwnablekr](../source/Reverse/flag_pwnablekr) + + +## xxd +**xxd**的作用就是将一个文件以十六进制的形式显示出来。 + +#### 重要参数: +```text +-g number of octets per group in normal output. Default 2 (-e: 4). +-i output in C include file style. +-l len stop after octets. +-u use upper case hex letters. +``` + +#### 常见用法 +```text +xxd -g1 +``` + +#### 练习 +[xxd_crackme](../source/Reverse/xxd_crackme) (使用 *strings* 再做一次) 
diff --git a/doc/6.1_moretools.md b/doc/6.1_moretools.md deleted file mode 100644 index e4664c1..0000000 --- a/doc/6.1_moretools.md +++ /dev/null @@ -1 +0,0 @@ -# 更多工具 diff --git a/doc/6.2_wintools.md b/doc/6.2_wintools.md new file mode 100644 index 0000000..45fe5b4 --- /dev/null +++ b/doc/6.2_wintools.md @@ -0,0 +1,5 @@ +# 6.1.2 更多 Windows 工具 + +- [wxHexEditor](#wxhexeditor) + +## wxHexEditor diff --git a/doc/6.3_books&blogs.md b/doc/6.3_books&blogs.md new file mode 100644 index 0000000..bc4156e --- /dev/null +++ b/doc/6.3_books&blogs.md @@ -0,0 +1,10 @@ +# 博客、文章和书籍 + +## 博客 + +## 文章 + +## 书籍 +- Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson +- The Shellcoder's Handbook: Discovering and Exploiting +Security Holes, 2nd Edition by Chris Anley et al diff --git a/doc/6.4_writeup.md b/doc/6.4_writeup.md new file mode 100644 index 0000000..9242971 --- /dev/null +++ b/doc/6.4_writeup.md 
@@ -0,0 +1,73 @@ +# 6.4 习题答案 + +- 一、基础知识篇 + - [1.1 ctf 介绍] + +- 二、工具篇 + - [2.1 gdb/peda] + - [2.2 ollydbg] + - [2.3 windbg] + - [2.4 radare2] + - [2.5 IDA Pro] + - [2.6 pwntools] + +- 三、分类专题篇 + - [3.1 Reverse] + - [3.2 Crypto] + - [3.3 Pwn] + - [3.4 Web] + - [3.5 Misc] + - [3.6 Mobile] + +- 四、技巧篇 + +- 五、高级篇 + +- 六、附录 + - [6.1 更多 Linux 工具] + - [6.2 更多 Windows 工具] + - [6.3 博客、文章和书籍] + - [6.4 习题 write-up] + +## 6.1 更多 Linux 工具 +#### Strings - strings_crackme +```text +[firmy@Reverse]$ strings -e L strings_crackme +w0wgreat +``` + +#### Strings - flag_pwnablekr +```text +[firmy@Reverse]$ ./flag_pwnablekr +I will malloc() and strcpy the flag there. take it. +[firmy@Reverse]$ strings flag_pwnablekr | grep UPX +UPX! +$Info: This file is packed with the UPX executable packer http://upx.sf.net $ +$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $ +UPX! +UPX! +[firmy@Reverse]$ upx -d flag_pwnablekr + Ultimate Packer for eXecutables + Copyright (C) 1996 - 2017 +UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017 + File size Ratio Format Name + -------------------- ------ ----------- ----------- + 883745 <- 335288 37.94% linux/amd64 flag_pwnablekr +Unpacked 1 file. +[firmy@Reverse]$ strings flag_pwnablekr | grep -i upx +UPX...? sounds like a delivery service :) +``` + +#### xxd - xxd_crackme +```text +[firmy@Reverse]$ xxd -g1 xxd_crackme +...... +00001020: 00 00 00 00 67 30 30 64 4a 30 42 21 00 00 00 00 ....g00dJ0B!.... +...... +``` +```text +[firmy@Reverse]$ strings -d xxd_crackme +...... +g00dJ0B! +...... +``` diff --git a/source/Reverse/flag_pwnablekr b/source/Reverse/flag_pwnablekr new file mode 100755 index 0000000..bfe60ff Binary files /dev/null and b/source/Reverse/flag_pwnablekr differ diff --git a/source/Reverse/strings_crackme b/source/Reverse/strings_crackme new file mode 100755 index 0000000..904868d Binary files /dev/null and b/source/Reverse/strings_crackme differ 
diff --git a/source/Reverse/xxd_crackme b/source/Reverse/xxd_crackme new file mode 100755 index 0000000..61917fa Binary files /dev/null and b/source/Reverse/xxd_crackme differ
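Review bot: in the `README.md` hunk, the new link target `doc/6.3_books&blogs.md` puts an unescaped `&` into both a file name and a Markdown URL; some renderers need it written as `&amp;` or `%26`, and the name is awkward to type in a shell. Suggest renaming the file (and the matching `doc/6.3_books&blogs.md` hunk) to `doc/6.3_books_blogs.md`. The README entry also reads `6.4 习题 write-up` while the new file's own heading reads `# 6.4 习题答案`; pick one title and use it in both places.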
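Review bot: in the `doc/6.1_Linuxtools.md` hunk, the xxd usage example `xxd -g1` has no file operand, unlike the strings examples; write it as `xxd -g1 [file]` so it is copy-pasteable. The parameter line `-l len stop after octets.` has lost its count (`stop after <len> octets.`), and `#### 重要参数:` carries a trailing colon that the strings section's `#### 重要参数` does not. The ret2lib example hard-codes `/lib32/libc-2.24.so`, which is specific to one distro and libc version; a one-line note that the reader must substitute the libc actually used on their own system would stop the example from silently failing.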
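Review bot: in the `doc/6.2_wintools.md` hunk, the heading `# 6.1.2 更多 Windows 工具` disagrees with the README entry `6.2 更多 Windows 工具` and with the `## 6.2` numbering used elsewhere in this patch; change it to `# 6.2 更多 Windows 工具`. The `## wxHexEditor` section is empty; either add at least a short description with the `重要参数` / `常见用法` / `练习` subsections the Linux page uses, or mark it as TODO so readers do not take the blank section for a finished page.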
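Review bot: in the `doc/6.3_books&blogs.md` hunk, the heading `# 博客、文章和书籍` lacks the `6.3` section number the sibling files carry, and the second book entry is broken across two lines (`- The Shellcoder's Handbook: Discovering and Exploiting` / `Security Holes, 2nd Edition by Chris Anley et al`), which reads as an accidental wrap inside a list item; keep each title on one line. `## 博客` and `## 文章` are empty headings; add entries or mark them as TODO.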
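Review bot: in the `doc/6.4_writeup.md` hunk, the table-of-contents entries such as `- [1.1 ctf 介绍]` are bracketed text with no link target, so they render as literal brackets rather than links; either add targets (anchors to the `##` sections below, or paths to the chapter files) or drop the brackets. The UPX check is written as `strings flag_pwnablekr | grep UPX` before unpacking but `grep -i upx` after; `doc/6.1_Linuxtools.md` in the same patch recommends the case-insensitive form, so use `grep -i upx` in both places to keep the write-up consistent with the tool page.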
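Review bot: the three new files under `source/Reverse/` are executable binaries (mode 100755) added with no accompanying note on their origin, and `flag_pwnablekr` is named after an external challenge site; binaries cannot be reviewed in a diff, so add a short README or the source for each one stating where it came from (or how it was built) and under what license it is redistributed, so contributors and readers can verify what they are running before executing it.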