5.1 Debug a Defcon mips challenge

nongiach edited this page Jun 8, 2018 · 3 revisions
$ wget https://github.com/JonathanSalwan/ROPgadget/blob/master/test-suite-binaries/elf-Mips-Defcon-20-pwn100?raw=true -O pwn100
$ file pwn100 
pwn100: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, for GNU/Linux 2.4.18, stripped
$ arm_now start mips32el --sync
press ctrl+] to kill qemu
Welcome to arm_now
buildroot login: root
# opkg list | grep binutils
binutils - 2.27-1 - The Binutils package contains a linker, an assembler, and other tools for handling object files
# opkg install binutils
Installing binutils (2.27-1) to root...
Downloading https://pkg.entware.net/binaries/mipsel/binutils_2.27-1_mipselsf.ipk
Installing ar (2.27-1) to root...
Downloading https://pkg.entware.net/binaries/mipsel/ar_2.27-1_mipselsf.ipk
Configuring ar.
Configuring binutils.
# readelf -l pwn100 | grep -i entry
Entry point 0x4001a0
# chmod +x pwn100
# gdb ./pwn100
(gdb) b *0x4001a0
Breakpoint 1 at 0x4001a0
(gdb) r
Starting program: /root/pwn100 
Breakpoint 1, 0x004001a0 in ?? ()
=> 0x4001a0:	move	zero,ra
   0x4001a4:	bal	0x4001ac
   0x4001a8:	nop
   0x4001ac:	lui	gp,0xfc1
(gdb) info registers 
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  004d254c 004d252c 004cc4a7 004b0000 004d2554 77fea5b8 004d250c 00000000 
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 00000000 00000000 00000000 00000000 7fdc2cf0 00000000 00000000 
        status       lo       hi badvaddr    cause       pc
      0000a713 0003f19f 0000024d 77f0fc00 10800024 004001a0 
          fcsr      fir  restart
      00000000 00739300 00000000 

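As an added example (not part of this wiki page or of arm_now), the Python below reads the ELF header of a binary such as pwn100 to recover what `file` and `readelf -l` print in the session above (32-bit, LSB, MIPS, entry point 0x4001a0) and emits the gdb commands used there; it also accepts big-endian headers, as a binary for the arm_now mips32 image would have. The function names and the sample header bytes are constructed for this example.

```python
# Added example: parse an ELF header by hand and build the gdb script for "break at entry".
import struct

EM_MIPS = 8  # e_machine value for MIPS in the ELF specification


def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order, machine and entry point from an ELF file header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]  # ELFDATA2LSB = 1, ELFDATA2MSB = 2
    if ei_class == 1:    # ELFCLASS32: e_type, e_machine, e_version, then 4-byte e_entry at 0x18
        e_type, e_machine, e_version, e_entry = struct.unpack_from(endian + "HHII", data, 0x10)
    elif ei_class == 2:  # ELFCLASS64: same layout, but e_entry is 8 bytes
        e_type, e_machine, e_version, e_entry = struct.unpack_from(endian + "HHIQ", data, 0x10)
    else:
        raise ValueError("unknown EI_CLASS")
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "machine": e_machine,
        "entry": e_entry,
    }


def gdb_commands(entry: int) -> str:
    """Script form of the interactive session: break at entry, run, show code and registers."""
    return "\n".join([f"b *{entry:#x}", "r", "x/4i $pc", "info registers"]) + "\n"


def make_elf32_header(endian: str, machine: int, entry: int) -> bytes:
    """Constructed 52-byte ELF32 header (program/section header fields zeroed)."""
    ei_data = 1 if endian == "<" else 2
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    # e_type=EXEC(2), e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack(endian + "HHIIIIIHHHHHH", 2, machine, 1, entry,
                                 0, 0, 0, 52, 0, 0, 0, 0, 0)


# Constructed sample carrying the values pwn100 reports: LSB, MIPS, entry 0x4001a0.
SAMPLE_HEADER = make_elf32_header("<", EM_MIPS, 0x4001a0)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else SAMPLE_HEADER
    hdr = parse_elf_header(data)
    print(hdr)
    print(gdb_commands(hdr["entry"]), end="")
```

Run it with the path to a real binary to print a command file you can feed to `gdb -x`, or with no argument to see the constructed sample.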
A full French writeup is available here: https://blog.frizn.fr/defcon-20/pwn-100