// compiled with : gcc -o memcpy memcpy.c -m32 -lm

 #include <stdio.h>

 #include <string.h>

 #include <stdlib.h>

 #include <signal.h>

 #include <unistd.h>

 #include <sys/mman.h>

 #include <math.h>

 unsigned long long rdtsc(){

         asm("rdtsc");

 }

 char* slow_memcpy(char* dest, const char* src, size_t len){

     int i;

     for (i=; i<len; i++) {

         dest[i] = src[i];

     }

     return dest;

 }

 char* fast_memcpy(char* dest, const char* src, size_t len){

     size_t i;

     // 64-byte block fast copy

     if(len >= ){

         i = len / ;

         len &= (-);

         while(i-- > ){

             __asm__ __volatile__ (

             "movdqa (%0), %%xmm0\n"

             "movdqa 16(%0), %%xmm1\n"

             "movdqa 32(%0), %%xmm2\n"

             "movdqa 48(%0), %%xmm3\n"

             "movntps %%xmm0, (%1)\n"

             "movntps %%xmm1, 16(%1)\n"

             "movntps %%xmm2, 32(%1)\n"

             "movntps %%xmm3, 48(%1)\n"

             ::"r"(src),"r"(dest):"memory");

             dest += ;

             src += ;

         }

     }

     // byte-to-byte slow copy

     if(len) slow_memcpy(dest, src, len);

     return dest;

 }

 int main(void){

     setvbuf(stdout, , _IONBF, );

     setvbuf(stdin, , _IOLBF, );

     printf("Hey, I have a boring assignment for CS class.. :(\n");

     printf("The assignment is simple.\n");

     printf("-----------------------------------------------------\n");

     printf("- What is the best implementation of memcpy?        -\n");

     printf("- 1. implement your own slow/fast version of memcpy -\n");

     printf("- 2. compare them with various size of data         -\n");

     printf("- 3. conclude your experiment and submit report     -\n");

     printf("-----------------------------------------------------\n");

     printf("This time, just help me out with my experiment and get flag\n");

     printf("No fancy hacking, I promise :D\n");

     unsigned long long t1, t2;

     int e;

     char* src;

     char* dest;

     unsigned int low, high;

     unsigned int size;

     // allocate memory

     char* cache1 = mmap(, 0x4000, , MAP_PRIVATE|MAP_ANONYMOUS, -, );

     char* cache2 = mmap(, 0x4000, , MAP_PRIVATE|MAP_ANONYMOUS, -, );

     src = mmap(, 0x2000, , MAP_PRIVATE|MAP_ANONYMOUS, -, );

     size_t sizes[];

     int i=;

     // setup experiment parameters

     for(e=; e<; e++){    // 2^13 = 8K

         low = pow(,e-);

         high = pow(,e);

         printf("specify the memcpy amount between %d ~ %d : ", low, high);

         scanf("%d", &size);

         if( size < low || size > high ){

             printf("don't mess with the experiment.\n");

             exit();

         }

         sizes[i++] = size;

     }

     sleep();

     printf("ok, lets run the experiment with your configuration\n");

     sleep();

     // run experiment

     for(i=; i<; i++){

         size = sizes[i];

         printf("experiment %d : memcpy with buffer size %d\n", i+, size);

         dest = malloc( size );

         memcpy(cache1, cache2, 0x4000);        // to eliminate cache effect

         t1 = rdtsc();

         slow_memcpy(dest, src, size);        // byte-to-byte memcpy

         t2 = rdtsc();

         printf("ellapsed CPU cycles for slow_memcpy : %llu\n", t2-t1);

         memcpy(cache1, cache2, 0x4000);        // to eliminate cache effect

         t1 = rdtsc();

         fast_memcpy(dest, src, size);        // block-to-block memcpy

         t2 = rdtsc();

         printf("ellapsed CPU cycles for fast_memcpy : %llu\n", t2-t1);

         printf("\n");

     }

     printf("thanks for helping my experiment!\n");

     printf("flag : ----- erased in this source code -----\n");

     return ;

 }

分析源码:

    size_t sizes[];

    int i=;

    // setup experiment parameters

    for(e=; e<; e++){    // 2^13 = 8K

        low = pow(,e-);

        high = pow(,e);

        printf("specify the memcpy amount between %d ~ %d : ", low, high);

        scanf("%d", &size);

        if( size < low || size > high ){

            printf("don't mess with the experiment.\n");

            exit();

        }

        sizes[i++] = size;

    }

从上代码中分析得到,需要输入2的n次幂和2的n+1次幂之间

// run experiment

    for(i=; i<; i++){

        size = sizes[i];

        printf("experiment %d : memcpy with buffer size %d\n", i+, size);

        dest = malloc( size );

这段代码分析得到,输入size后malloc分配空间,分配的空间大小就是我们输入的size大小。

memcpy(cache1, cache2, 0x4000);        // to eliminate cache effect

        t1 = rdtsc();

        slow_memcpy(dest, src, size);        // byte-to-byte memcpy

        t2 = rdtsc();

        printf("ellapsed CPU cycles for slow_memcpy : %llu\n", t2-t1);

        memcpy(cache1, cache2, 0x4000);        // to eliminate cache effect

        t1 = rdtsc();

        fast_memcpy(dest, src, size);        // block-to-block memcpy

        t2 = rdtsc();

        printf("ellapsed CPU cycles for fast_memcpy : %llu\n", t2-t1);

        printf("\n");

    }

分配空间后,分别用slow_memcpy和fast_memcpy两种方式,对堆块内的数据向另外一个内存地址拷贝,并比较二者时间。那么分析一下slow_memcpy和fast_memcpy:

char* slow_memcpy(char* dest, const char* src, size_t len){

    int i;

    for (i=; i<len; i++) {

        dest[i] = src[i];

    }

    return dest;

}
char* fast_memcpy(char* dest, const char* src, size_t len){

    size_t i;

    // 64-byte block fast copy

    if(len >= 64){

        i = len / 64;

        len &= (64-1);

        while(i-- > 0){

            __asm__ __volatile__ (

            "movdqa (%0), %%xmm0\n"

            "movdqa 16(%0), %%xmm1\n"

            "movdqa 32(%0), %%xmm2\n"

            "movdqa 48(%0), %%xmm3\n"

            "movntps %%xmm0, (%1)\n"

            "movntps %%xmm1, 16(%1)\n"

            "movntps %%xmm2, 32(%1)\n"

            "movntps %%xmm3, 48(%1)\n"

            ::"r"(src),"r"(dest):"memory");

            dest += 64;

            src += 64;

        }

    }
 

slow_memcpy是循环赋值,fast_memcpy是用asm汇编指令movdqa进行拷贝。拷贝结束后输入flag。

根据提示生成可执行程序,然后执行程序看一下:

那么我们运行程序来看一下:

随便输入发现出错了:

我们用gdb来看,发现了出错的位置:

出错的位置,也就是movntps的执行出了问题,百度了一下movntps的用法:

movntps m128,XMM
m128 <== XMM 直接把XMM中的值送入m128,不经过cache,必须对齐16字节。再参考别人的wp:
malloc分配的堆块大小是以8字节对其的。

假设用户申请的堆块大小是a的话,malloc(a)分配的堆块大小为 8*(int((a+4)/8)+1)。

因此假设第一个malloc分配地址是16字节对齐的,则每次请求大小为16字节对齐的数据块即可成功运行结束。可以用脚本来算一下:

# coidng  = utf-8

while(1):

    a = raw_input()

    a = int(a)

    if ((a+4)%16>=9) or ((a+4)%16==0):

        print a," is true"

    else:

        print a," is false"

根据脚本算出来的数,我们输入得到flag:

memcpy@ubuntu:~$ ls

memcpy.c  readme

memcpy@ubuntu:~$ cat readme

the compiled binary of "memcpy.c" source code (with real flag) will be executed under memcpy_pwn privilege if you connect to port 9022.

execute the binary by connecting to daemon(nc 0 9022).

memcpy@ubuntu:~$ nc o 9022

nc: getaddrinfo: Name or service not known

memcpy@ubuntu:~$ nc 0 9022

Hey, I have a boring assignment for CS class.. :(

The assignment is simple.

-----------------------------------------------------

- What is the best implementation of memcpy?        -

- 1. implement your own slow/fast version of memcpy -

- 2. compare them with various size of data         -

- 3. conclude your experiment and submit report     -

-----------------------------------------------------

This time, just help me out with my experiment and get flag

No fancy hacking, I promise :D

specify the memcpy amount between 8 ~ 16 : 9

specify the memcpy amount between 16 ~ 32 : 21

specify the memcpy amount between 32 ~ 64 : 40

specify the memcpy amount between 64 ~ 128 : 70

specify the memcpy amount between 128 ~ 256 : 135

specify the memcpy amount between 256 ~ 512 : 265

specify the memcpy amount between 512 ~ 1024 : 520

specify the memcpy amount between 1024 ~ 2048 : 1030

specify the memcpy amount between 2048 ~ 4096 : 2055

specify the memcpy amount between 4096 ~ 8192 : 5210

ok, lets run the experiment with your configuration

experiment 1 : memcpy with buffer size 9

ellapsed CPU cycles for slow_memcpy : 1497

ellapsed CPU cycles for fast_memcpy : 438

experiment 2 : memcpy with buffer size 21

ellapsed CPU cycles for slow_memcpy : 384

ellapsed CPU cycles for fast_memcpy : 411

experiment 3 : memcpy with buffer size 40

ellapsed CPU cycles for slow_memcpy : 636

ellapsed CPU cycles for fast_memcpy : 672

experiment 4 : memcpy with buffer size 70

ellapsed CPU cycles for slow_memcpy : 1134

ellapsed CPU cycles for fast_memcpy : 288

experiment 5 : memcpy with buffer size 135

ellapsed CPU cycles for slow_memcpy : 1938

ellapsed CPU cycles for fast_memcpy : 237

experiment 6 : memcpy with buffer size 265

ellapsed CPU cycles for slow_memcpy : 3633

ellapsed CPU cycles for fast_memcpy : 291

experiment 7 : memcpy with buffer size 520

ellapsed CPU cycles for slow_memcpy : 7287

ellapsed CPU cycles for fast_memcpy : 342

experiment 8 : memcpy with buffer size 1030

ellapsed CPU cycles for slow_memcpy : 13860

ellapsed CPU cycles for fast_memcpy : 441

experiment 9 : memcpy with buffer size 2055

ellapsed CPU cycles for slow_memcpy : 27561

ellapsed CPU cycles for fast_memcpy : 984

experiment 10 : memcpy with buffer size 5210

ellapsed CPU cycles for slow_memcpy : 72930

ellapsed CPU cycles for fast_memcpy : 2628

thanks for helping my experiment!

flag : 1_w4nn4_br34K_th3_m3m0ry_4lignm3nt

pwnable.kr memcpy之write up的更多相关文章

  1. 【pwnable.kr】 memcpy

    pwnable的新一题,和堆分配相关. http://pwnable.kr/bin/memcpy.c ssh memcpy@pwnable.kr -p2222 (pw:guest) 我觉得主要考察的是 ...

  2. pwnable.kr simple login writeup

    这道题是pwnable.kr Rookiss部分的simple login,需要我们去覆盖程序的ebp,eip,esp去改变程序的执行流程   主要逻辑是输入一个字符串,base64解码后看是否与题目 ...

  3. 【pwnable.kr】 asm

    一道写shellcode的题目, #include <stdio.h> #include <string.h> #include <stdlib.h> #inclu ...

  4. pwnable.kr之simple Login

    pwnable.kr之simple Login 懒了几天,一边看malloc.c的源码,一边看华庭的PDF.今天佛系做题,到pwnable.kr上打开了simple Login这道题,但是这道题个人觉 ...

  5. pwnable.kr的passcode

    前段时间找到一个练习pwn的网站,pwnable.kr 这里记录其中的passcode的做题过程,给自己加深印象. 废话不多说了,看一下题目, 看到题目,就ssh连接进去,就看到三个文件如下 看了一下 ...

  6. pwnable.kr bof之write up

    这一题与前两题不同,用到了静态调试工具ida 首先题中给出了源码: #include <stdio.h> #include <string.h> #include <st ...

  7. pwnable.kr col之write up

    Daddy told me about cool MD5 hash collision today. I wanna do something like that too! ssh col@pwnab ...

  8. pwnable.kr brainfuck之write up

    I made a simple brain-fuck language emulation program written in C. The [ ] commands are not impleme ...

  9. pwnable.kr login之write up

    main函数如下: auth函数如下: 程序的流程如下: 输入Authenticate值,并base64解码,将解码的值代入md5_auth函数中 mad5_auth()生成其MD5值并与f87cd6 ...

随机推荐

  1. ASP.NET WEB API 自定义模型校验过滤器

    对外公开WEB接口时,对模型校验是常见的安全常识,常见的写法是在controller中判断ModelState.IsValid,以注册用户API为例. Model: public class Regi ...

  2. Ionic 2+ 安卓环境搭建

    安装 安卓studio https://developer.android.com/studio/index.html 设置一个环境变量 _JAVA_OPTIONS:-Xmx512M 添加androi ...

  3. Ionic2+ 环境搭建

    ionic2+官方guide 基础环境安装 nodejs安装 ionic,cordova安装 npm install -g ionic cordova 项目创建 ionic start MyIonic ...

  4. javaweb利用filter拦截请求

    项目上有个小需求,要限制访问者的IP,屏蔽未授权的登录请求.该场景使用过滤器来做再合适不过了. SecurityFilter.java: package com.lichmama.webdemo.fi ...

  5. English - 被动语态的翻译原则

    被动语态翻译原则 1. Passive ----> Active The bag is stolen by him. One the whole, such a conclusion can b ...

  6. 谈谈tableView的重要属性内边距

    全屏穿透效果需要做到两点 tableView的可视范围占据整个父控件(或者屏幕)--设置contentsize滚动范围. 所有的cell都可以被看到,也就是说tableView中的cell不会被导航栏 ...

  7. JS事件响应的学习总结

    点击事件:ocnlick 鼠标经过事件:onmouseover 鼠标移开事件:onmouseout 获得焦点事件:onfocus 失去焦点事件:onblur 内容选中事件:onselect 文本框内容 ...

  8. springmvc 前端 发ajax请求的几种方式

    一.传json单值或对象 1.前端 var data = {'id':id,'name':name}; $.ajax({ type:"POST", url:"user/s ...

  9. socket 异步通信的一些问题

    socket通信在使用时被封装很简单,像操作文件一样简单,正是因为简单里面好多细节需要深入研究一下. windows下通信有select和iocp方式,select是传统方式,在socket里使用re ...

  10. Mongoose基础入门

    前面的话 Mongoose是在node.js异步环境下对mongodb进行便捷操作的对象模型工具.本文将详细介绍如何使用Mongoose来操作MongoDB NodeJS驱动 在介绍Mongoose之 ...