Sydney
The task is similar to the previous one; again the key function to look at is check_password:

448a <check_password>
448a:  bf90 4560 0000  cmp   #0x6045, 0x0(r15)
4490:  0d20            jnz   $+0x1c
4492:  bf90 706c 0200  cmp   #0x6c70, 0x2(r15)
4498:  0920            jnz   $+0x14
449a:  bf90 6528 0400  cmp   #0x2865, 0x4(r15)
44a0:  0520            jne   #0x44ac <check_password+0x22>
44a2:  1e43            mov   #0x1, r14
44a4:  bf90 6269 0600  cmp   #0x6962, 0x6(r15)
44aa:  0124            jeq   #0x44ae <check_password+0x24>
44ac:  0e43            clr   r14
44ae:  0f4e            mov   r14, r15
44b0:  3041            ret
Here we can see that the function compares the 16-bit words at offsets 0, 2, 4 and 6 of the buffer pointed to by r15 against 0x6045, 0x6c70, 0x2865 and 0x6962 in turn; if any comparison fails, execution jumps to 0x44ac.
Because the MSP430 is little-endian, each word has to be byte-swapped when written out: the buffer r15 points to must contain the bytes 4560706c65286269. When entering the password, simply select binary input mode.
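The byte-order reasoning above, as an added example that is not part of the original writeup: it packs the four compare immediates from the disassembly as little-endian words and models check_password over the raw input buffer, so you can confirm which byte sequence passes and that the naive big-endian order fails. The function names are my own.

```python
import struct

# Immediates compared at r15+0, r15+2, r15+4, r15+6 in check_password
# (taken from the disassembly above).
EXPECTED_WORDS = [0x6045, 0x6c70, 0x2865, 0x6962]


def password_bytes(words=EXPECTED_WORDS):
    """Pack each 16-bit immediate as a little-endian word: these are the
    bytes the password buffer must hold for every cmp to succeed."""
    return b"".join(struct.pack("<H", w) for w in words)


def check_password(buf):
    """Model of the MSP430 routine: each cmp reads a little-endian 16-bit
    word at r15+2k and tests it against the immediate. Returns 1 only when
    all four words match (mov #0x1, r14), otherwise 0 (clr r14)."""
    if len(buf) < 2 * len(EXPECTED_WORDS):
        return 0
    for k, expected in enumerate(EXPECTED_WORDS):
        (word,) = struct.unpack_from("<H", buf, 2 * k)
        if word != expected:
            return 0
    return 1


if __name__ == "__main__":
    pw = password_bytes()
    print(pw.hex(), pw.decode("ascii"), check_password(pw))
```

Decoding the packed bytes as ASCII reproduces the "E`ple(bi" shown in the memory dump below.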
> r r15
439c:   4560 706c 6528 6269   E`ple(bi
43a4:   0000 0000 0000 0000   ........
43ac:   0000 0000 0000 0000   ........
43b4:   0000 0000 0000 0000   ........
With all four comparisons passing, the final jeq lands at 0x44ae, skipping the clr r14 at 0x44ac. r14 therefore keeps the value 1 that was loaded at 0x44a2 and is copied into r15, so the return value is non-zero and the check in main succeeds:

4450:  0f93            tst   r15
4452:  0520            jnz   #0x445e <main+0x26>
4454:  3f40 d444       mov   #0x44d4 "Invalid password; try again.", r15
4458:  b012 6645       call  #0x4566 <puts>
445c:  093c            jmp   #0x4470 <main+0x38>
445e:  3f40 f144       mov   #0x44f1 "Access Granted!", r15
4462:  b012 6645       call  #0x4566 <puts>