diff --git a/Assignment 5 - Software Security - Teil 1/abgabe.tex b/Assignment 5 - Software Security - Teil 1/abgabe.tex
index 5a6efbd..8b8462b 100644
--- a/Assignment 5 - Software Security - Teil 1/abgabe.tex
+++ b/Assignment 5 - Software Security - Teil 1/abgabe.tex
@@ -70,6 +70,182 @@ \sheetnr{5} % <-- Anpassen %
 \begin{document}
+
+\begin{exercise}[Analyse von Binärdaten]{1}
+ \begin{subexercises}
+ \item Der Output von \texttt{objdump} mit der \texttt{secret} Funktion extrahiert.
+ \begin{lstlisting}[language=bash]
+user@intro:~$ objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ /'
+0000120d :
+ 120d: f3 0f 1e fb endbr32
+ 1211: 55 push %ebp
+ 1212: 89 e5 mov %esp,%ebp
+ 1214: 8b 45 08 mov 0x8(%ebp),%eax
+ 1217: 8d 50 ff lea -0x1(%eax),%edx
+ 121a: 89 d0 mov %edx,%eax
+ 121c: 01 c0 add %eax,%eax
+ 121e: 01 d0 add %edx,%eax
+ 1220: 83 c0 05 add $0x5,%eax
+ 1223: 5d pop %ebp
+ 1224: c3 ret
+ \end{lstlisting}
+
+ \item Man kann durch den Command \lstinline[language=bash]{gdb -x commands} gdb mit der Datei \texttt{commands} ausgeben.
+
+ \begin{figure}[H]
+ \begin{lstlisting}[]
+# Lines starting with a '#' symbol are comments
+# Do not remove this intial line; it will disable pagination
+set pagination off
+
+file intro
+break secret
+# TODO: your commands go here
+r 5
+i r eax
+stepi 6
+# after 5. instruction
+i r eax
+stepi
+# after 6. instruction
+i r eax
+stepi
+# after 7. instruction
+i r eax
+stepi
+# after 8. instruction
+i r eax
+
+# continue program to end
+continue
+# END of your commands
+
+# Do not remove the final quit; it will exit GDB automatically
+quit
+ \end{lstlisting}
+ \caption[short]{Inhalt der command Datei}
+ \end{figure}
+
+ Dabei wird zuerst die Datei \texttt{intro} in gdb eingelesen.
+ Anschließend wird ein Breakpoint bei der Funktion secret gesetzt.
+ Dann wird das Programm mit dem Parameter gestartet und, wie in der Aufgabe gewollt, wird das Register eax an verschiedenen Stellen ausgelesen.
+ Der Ausgabewert der Funktion ist dann 17.
+
+ \begin{lstlisting}[language=bash]
+user@intro:~$ gdb -x commands
+GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
+Copyright (C) 2020 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+.
+Find the GDB manual and other documentation resources online at:
+ .
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word".
+Breakpoint 1 at 0x120d: file intro.c, line 5.
+
+Breakpoint 1, secret (num=5) at intro.c:5
+5 intro.c: No such file or directory.
+eax 0x5 5
+0x5655621c 6 in intro.c
+eax 0x4 4
+0x5655621e 6 in intro.c
+eax 0x8 8
+6 in intro.c
+eax 0xc 12
+7 in intro.c
+eax 0x11 17
+[Inferior 1 (process 630) exited normally]
+ \end{lstlisting}
+
+ \item Für die Herleitung der Funktion werden zuerst ein paar Probewerte genommen.
+
+ \begin{align*}
+ f(0) &= 2\\
+ f(3) &= 11\\
+ f(4) &= 14\\
+ f(5) &= 17\\
+ f(7) &= 23\\
+ \end{align*}
+
+ Die Funktion $f(n)$ muss eine konstante 2 haben, da $f(0) = 2$.
+ Anschließend gehe man davon aus, dass $f(n)$ linear sei. Dann müsste $f(n) = an + 2$ sein.
+ Das gilt genau dann, wenn der ggT aller Paare $(n, f(n) - 2)$ für jeden Wert gleich ist. Das gilt mit $\forall n \in \mathbb{N} : ggT(n, f(n) - 2) = 3$.
+ Also:
+
+
+ \begin{align*}
+ f(n) = 3n + 2
+ \end{align*}
+
+ \item Das Programm liefert den Output
+ \begin{lstlisting}[language=bash]
+user@intro:~$ readelf -S intro
+There are 36 section headers, starting at offset 0x413c:
+
+Section Headers:
+ [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
+ [ 0] NULL 00000000 000000 000000 00 0 0 0
+ [ 1] .interp PROGBITS 000001b4 0001b4 000013 00 A 0 0 1
+ [ 2] .note.gnu.build-i NOTE 000001c8 0001c8 000024 00 A 0 0 4
+ [ 3] .note.gnu.propert NOTE 000001ec 0001ec 00001c 00 A 0 0 4
+ [ 4] .note.ABI-tag NOTE 00000208 000208 000020 00 A 0 0 4
+ [ 5] .gnu.hash GNU_HASH 00000228 000228 000020 04 A 6 0 4
+ [ 6] .dynsym DYNSYM 00000248 000248 0000a0 10 A 7 1 4
+ [ 7] .dynstr STRTAB 000002e8 0002e8 0000a7 00 A 0 0 1
+ [ 8] .gnu.version VERSYM 00000390 000390 000014 02 A 6 0 2
+ [ 9] .gnu.version_r VERNEED 000003a4 0003a4 000030 00 A 7 1 4
+ [10] .rel.dyn REL 000003d4 0003d4 000060 08 A 6 0 4
+ [11] .rel.plt REL 00000434 000434 000020 08 AI 6 24 4
+ [12] .init PROGBITS 00001000 001000 000024 00 AX 0 0 4
+ [13] .plt PROGBITS 00001030 001030 000050 04 AX 0 0 16
+ [14] .plt.got PROGBITS 00001080 001080 000010 10 AX 0 0 16
+ [15] .plt.sec PROGBITS 00001090 001090 000040 10 AX 0 0 16
+ [16] .text PROGBITS 000010d0 0010d0 000249 00 AX 0 0 16
+ [17] .fini PROGBITS 0000131c 00131c 000018 00 AX 0 0 4
+ [18] .rodata PROGBITS 00002000 002000 00001c 00 A 0 0 4
+ [19] .eh_frame_hdr PROGBITS 0000201c 00201c 000054 00 A 0 0 4
+ [20] .eh_frame PROGBITS 00002070 002070 00013c 00 A 0 0 4
+ [21] .init_array INIT_ARRAY 00003ec8 002ec8 000004 04 WA 0 0 4
+ [22] .fini_array FINI_ARRAY 00003ecc 002ecc 000004 04 WA 0 0 4
+ [23] .dynamic DYNAMIC 00003ed0 002ed0 000100 08 WA 7 0 4
+ [24] .got PROGBITS 00003fd0 002fd0 000030 04 WA 0 0 4
+ [25] .data PROGBITS 00004000 003000 000008 00 WA 0 0 4
+ [26] .bss NOBITS 00004008 003008 000004 00 WA 0 0 1
+ [27] .comment PROGBITS 00000000 003008 00002b 01 MS 0 0 1
+ [28] .debug_aranges PROGBITS 00000000 003033 000020 00 
0 0 1
+ [29] .debug_info PROGBITS 00000000 003053 000369 00 0 0 1
+ [30] .debug_abbrev PROGBITS 00000000 0033bc 00011f 00 0 0 1
+ [31] .debug_line PROGBITS 00000000 0034db 00010a 00 0 0 1
+ [32] .debug_str PROGBITS 00000000 0035e5 0002b9 01 MS 0 0 1
+ [33] .symtab SYMTAB 00000000 0038a0 0004d0 10 34 51 4
+ [34] .strtab STRTAB 00000000 003d70 000271 00 0 0 1
+ [35] .shstrtab STRTAB 00000000 003fe1 000158 00 0 0 1
+Key to Flags:
+ W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
+ L (link order), O (extra OS processing required), G (group), T (TLS),
+ C (compressed), x (unknown), o (OS specific), E (exclude),
+ p (processor specific)
+ \end{lstlisting}
+
+ \item Die in dem Code angegebenen labels können wie folgt eingeteilt werden:
+ \begin{enumerate}[:]
+ \item .bss
+ \item .data
+ \item Stack
+ \item Stack
+ \item Stack
+ \end{enumerate}
+
+ \end{subexercises}
+\end{exercise}
+
 \begin{exercise}[Crackme]{2}
 Die Funkion \lstinline{verify_key} leitet das Passwort aus einem geheimen Schlüssel ab, indem der ASCII-Wert jedes Zeichens, abhängig von dessen Position, verändert wird. Dem ASCII-Wert jedes Zeichens wird der doppelte Positionswert, bei 0 startend, abgezogen.
diff --git a/Assignment 5 - Software Security - Teil 1/analyse/.bash_history b/Assignment 5 - Software Security - Teil 1/analyse/.bash_history
new file mode 100644
index 0000000..f57f853
--- /dev/null
+++ b/Assignment 5 - Software Security - Teil 1/analyse/.bash_history
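Review bot: The derivation of f(n) in subexercise (c) rests on a false step: `ggT(n, f(n) - 2) = 3` does not hold for the sampled values (gcd(4, 12) = 4, gcd(5, 15) = 5; in general gcd(n, 3n) = n), and a gcd condition would not pin down the slope even if it were true. The disassembly in (a) already gives the function exactly without guessing: `lea -0x1(%eax),%edx` forms n-1, `add %eax,%eax; add %edx,%eax` triples it and `add $0x5,%eax` yields 3(n-1)+5 = 3n+2, which the gdb trace (eax 5 → 4 → 8 → 12 → 17 for n = 5) confirms instruction by instruction, so I would replace the gcd sentence with that reading and keep the sampled values only as a cross-check. The `# after 5. instruction` … `# after 8. instruction` labels in the quoted gdb script are off by one, because `stepi 6` from the breakpoint at 0x120d has already executed the sixth instruction (`mov %edx,%eax`, pc 0x…21c in the trace), so they should read 6. through 9. The sentence "gdb mit der Datei commands ausgeben" should also say that `gdb -x commands` starts gdb and executes the commands from that file.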
@@ -0,0 +1,272 @@ +#1717414602 +ls +#1717414605 +cat commands +#1717415348 +clear +#1717415350 +ls +#1717415351 +ls intro +#1717415354 +./intro +#1717415361 +objdump +#1717415381 +objdump intro +#1717415420 +objdump -d intro +#1717415434 +man objdump +#1717415443 +objdump -d=secret intro +#1717415453 +objdump -d intro +#1717415900 +man objdump +#1717415917 +objdump -d -j=secret intro +#1717415921 +man objdump +#1717415972 +objdump -d -j=secret intro awk -v RS= '/^[[:xdigit:]]+ /' +#1717415994 +objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ /' +#1717939441 +ls +#1717939451 +cat commands +#1717939475 +cat intro +#1717939479 +clear +#1717939481 +ls +#1717939483 +ll +#1717939485 +l +#1717939490 +ls -la +#1717939492 +ls -lh +#1717939514 +cat .bash_history +#1717939524 +objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ /' +#1717939721 +task help +#1717939731 +task info +#1717939739 +task id +#1717939745 +task check +#1717939826 +man gdb +#1717939894 +gdb intro +#1717940125 +clear +#1717940125 +ls +#1717940129 +gdb intro +#1717942144 +ls +#1717942149 +nano commands +#1717942239 +task check +#1717942298 +cat commands +#1717942311 +clear +#1717942321 +man gdb +#1717942339 +nano commands +#1717942350 +man gdb +#1717942403 +gdb -x commands intro +#1717942416 +nano commands +#1717942422 +gdb -x commands intro +#1717942426 +task check +#1717942451 +gdb +#1717942499 +nano commands +#1717942514 +gdb -x commands intro +#1717942520 +task check +#1717942557 +nano commands +#1717942567 +gdb -x commands intro +#1717942582 +nano commands +#1717942590 +gdb -x commands intro +#1717942602 +task check +#1717942691 +nano commands +#1717942711 +gdb +#1717942722 +ls +#1717942726 +gdb intro +#1717942741 +gdb +#1717942836 +nano commands +#1717942847 +gdb +#1717942850 +nano commands +#1717942862 +gdb -x commands +#1717942872 +task check +#1717942885 +nano commands +#1717943082 +gdb intro +#1717943152 +nano commands +#1717943162 +gdb -x commands +#1717943164 +nano commands +#1717943179 +gdb -x 
commands +#1717943183 +clear +#1717943183 +ls +#1717943186 +task check +#1717943204 +nano commands +#1717943214 +task check +#1717943219 +nano commands +#1717943238 +task check +#1717943241 +task submit +#1717943604 +gdb intro +#1717943679 +objdump intro +#1717943687 +objdump -D intro +#1717943691 +objdump -d intro +#1717943870 +objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ /' +#1717943884 +gdb intro +#1717944098 +gdb intro +#1717944117 +ls +#1717944130 +cp commands find_func +#1717944132 +nano find_func +#1717944188 +gdb -x find_func +#1717944202 +./intro +#1717944204 +./intro 5 +#1717944207 +./intro 6 +#1717944208 +7 +#1717944210 +./intro 7 +#1717944212 +./intro 8 +#1717944219 +clear +#1717944231 +nano find_func +#1717944240 +gdb -x find_func +#1717944295 +nano find_func +#1717944344 +gdb -x find_func +#1717944382 +nano find_func +#1717944388 +gdb -x find_func +#1717944397 +nano find_func +#1717944402 +gdb -x find_func +#1717944430 +nano find_func +#1717944440 +gdb -x find_func +#1717944470 +gdb intro +#1717944479 +readelf +#1717944487 +readelf intro +#1717944516 +readelf ßS intro +#1717944519 +readelf -S intro +#1717945558 +objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ /' +#1717947140 +ls +#1717947141 +clear +#1717947141 +ls +#1717947166 +readelf -S intro +#1717948566 +ls +#1717948569 +clear +#1717948572 +readelf -S intro +#1717948913 +man 5 elf +#1717949114 +elf +#1717949128 +man 5 elf +#1717949898 +task check +#1717949902 +task info +#1717949906 +task help +#1717949922 +ls +#1717949924 +rm find_func +#1717949925 +clear +#1717949926 +ls +#1717949929 +task check +#1717950826 +ls +#1717950831 +cat commands diff --git a/Assignment 5 - Software Security - Teil 1/analyse/commands b/Assignment 5 - Software Security - Teil 1/analyse/commands new file mode 100644 index 0000000..21efafd --- /dev/null +++ b/Assignment 5 - Software Security - Teil 1/analyse/commands 
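Review bot: `.bash_history` is shell state, not part of the submission, and should not be committed: history files are where command-line secrets (tokens, passwords passed as arguments) end up, and the `#1717…` epoch timestamps on every other line reconstruct the whole working session. Nothing secret is visible in these 272 lines, so this is hygiene rather than an active leak, but the file adds nothing next to `commands` and the binary. I would drop it with `git rm --cached` and add `.bash_history` (and other dotfiles from the analysis VM) to the repository's `.gitignore`, since it was presumably swept in by a broad `git add`.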
@@ -0,0 +1,28 @@
+# Lines starting with a '#' symbol are comments
+# Do not remove this intial line; it will disable pagination
+set pagination off
+
+file intro
+break secret
+# TODO: your commands go here
+r 5
+i r eax
+stepi 6
+# after 5. instruction
+i r eax
+stepi
+# after 6. instruction
+i r eax
+stepi
+# after 7. instruction
+i r eax
+stepi
+# after 8. instruction
+i r eax
+
+# continue program to end
+continue
+# END of your commands
+
+# Do not remove the final quit; it will exit GDB automatically
+quit
diff --git a/Assignment 5 - Software Security - Teil 1/analyse/intro b/Assignment 5 - Software Security - Teil 1/analyse/intro
new file mode 100755
index 0000000..349ba7c
Binary files /dev/null and b/Assignment 5 - Software Security - Teil 1/analyse/intro differ
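Review bot: The step-count comments are off by one: `stepi 6` from the breakpoint at the first instruction of `secret` executes six instructions, so the `i r eax` that follows shows the state after the 6th instruction, not the 5th, and the same shift applies to the next three labels. Either relabel them `# after 6. instruction` … `# after 9. instruction`, or use `stepi 5` if the intent was to read eax before `mov %edx,%eax`. A one-line header stating the script's assumptions would also help, e.g. `# usage: gdb -x commands  (loads ./intro from the cwd, runs it with argv[1]=5, dumps eax while stepping through secret)`, since `file intro` and `r 5` silently depend on the working directory and on that one argument.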