目标文件:http://whalectf.xin/files/3e8c3473ea4d6bfb6edc385131313dfa/r100
用angr模块来寻找口令在内存的地址,并且获取口令的内容,python2和python3的解决方案有不一样的地方,值得我记录下来。
解决方案:
首先我们使用radare2来获取函数的反汇编代码.
┌─[root@parrot]─[~/whalectf]
└──╼ #r2 -Ad r100
Process with PID 5592 started... = attach 5592 5592 bin.baddr 0x00400000 Using 0x400000 asm.bits 64 [x] Analyze all flags starting with sym. and entry0 (aa) [Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for objc references [x] Check for vtables [TOFIX: aaft can't run in debugger mode.ions (aaft) [x] Type matching analysis for all functions (aaft) [x] Use -AA or aaaa to perform additional experimental analysis. -- I am Pentium of Borg. Division is futile. You will be approximated. [0x7f3f9ecaa090]> afll address size nbbs edges cc cost min bound range max bound calls locals args xref frame name ================== ==== ===== ===== ===== ==== ================== ===== ================== ===== ====== ==== ==== ===== ==== 0x0000000000400610 41 1 0 1 15 0x0000000000400610 41 0x0000000000400639 1 0 1 0 8 entry0 0x00000000004005d0 6 1 0 1 3 0x00000000004005d0 6 0x00000000004005d6 0 0 0 1 0 sym.imp.__libc_start_main 0x0000000000400590 6 1 0 1 3 0x0000000000400590 6 0x0000000000400596 0 0 0 1 0 sym.imp.getenv 0x00000000004005a0 6 1 0 1 3 0x00000000004005a0 6 0x00000000004005a6 0 0 0 2 0 sym.imp.puts 0x00000000004005b0 6 1 0 1 3 0x00000000004005b0 6 0x00000000004005b6 0 0 0 1 0 sym.imp.__stack_chk_fail 0x00000000004005c0 6 1 0 1 3 0x00000000004005c0 6 0x00000000004005c6 0 0 0 1 0 sym.imp.printf
0x00000000004005e0 6 1 0 1 3 0x00000000004005e0 6 0x00000000004005e6 0 0 0 1 0 sym.imp.fgets
0x0000000000400600 6 1 0 1 3 0x0000000000400600 6 0x0000000000400606 0 0 0 1 0 sym.imp.ptrace 0x00000000004007e8 153 8 9 5 56 0x00000000004007e8 153 0x0000000000400881 6 2 0 1 280 main 0x00000000004006d0 99 8 10 6 44 0x0000000000400670 141 0x00000000004006fd 0 0 0 0 8 entry.init0 0x00000000004007a8 64 5 6 3 30 0x00000000004007a8 64 0x00000000004007e8 2 0 0 0 8 entry.init1 0x00000000004006b0 28 3 3 2 14 0x00000000004006b0 28 0x00000000004006cc 1 0 0 0 0 entry.fini0 0x0000000000400640 41 4 4 4 20 0x0000000000400640 41 0x0000000000400669 0 0 0 1 8 fcn.00400640
[0x7f3f9ecaa090]> pdf @ main
/ (fcn) main 153 | int main (int argc, char **argv, char **envp); | ; var int32_t var_110h @ rbp-0x110 | ; var int32_t var_8h @ rbp-0x8 | ; DATA XREF from entry0 (0x40062d) | 0x004007e8 55 push rbp | 0x004007e9 4889e5 mov rbp, rsp | 0x004007ec 4881ec100100. sub rsp, 0x110 | 0x004007f3 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40 | 0x004007fc 488945f8 mov qword [var_8h], rax | 0x00400800 31c0 xor eax, eax | 0x00400802 bf37094000 mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: " | 0x00400807 b800000000 mov eax, 0 | 0x0040080c e8affdffff call sym.imp.printf ; int printf(const char *format) | 0x00400811 488b15500820. mov rdx, qword [obj.stdin]; MOV rdx = [0x601068] = 0x0 rbp ; [0x601068:8]=0 | 0x00400818 488d85f0feff. lea rax, [var_110h] | 0x0040081f beff000000 mov esi, 0xff ; 255 | 0x00400824 4889c7 mov rdi, rax | 0x00400827 e8b4fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) | 0x0040082c 4885c0 test rax, rax | ,=< 0x0040082f 7435 je 0x400866 | | 0x00400831 488d85f0feff. lea rax, [var_110h] | | 0x00400838 4889c7 mov rdi, rax | | 0x0040083b e8bdfeffff call 0x4006fd | | 0x00400840 85c0 test eax, eax | ,==< 0x00400842 7511 jne 0x400855 | || 0x00400844 bf4c094000 mov edi, str.Nice ; 0x40094c ; "Nice!" | || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s)
| || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s) | || 0x0040084e b800000000 mov eax, 0 | ,===< 0x00400853 eb16 jmp 0x40086b | |`--> 0x00400855 bf52094000 mov edi, str.Incorrect_password ; 0x400952 ; "Incorrect password!" | | | 0x0040085a e841fdffff call sym.imp.puts ; int puts(const char *s) | | | 0x0040085f b801000000 mov eax, 1 | |,==< 0x00400864 eb05 jmp 0x40086b | ||`-> 0x00400866 b800000000 mov eax, 0 | || ; CODE XREFS from main (0x400853, 0x400864) | ``--> 0x0040086b 488b4df8 mov rcx, qword [var_8h] | 0x0040086f 6448330c2528. xor rcx, qword fs:[0x28] | ,=< 0x00400878 7405 je 0x40087f | | 0x0040087a e831fdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void) | `-> 0x0040087f c9 leave \ 0x00400880 c3 ret
找到angr需要使用的两个地址,分别为'Nice!'调用地址0x00400844和‘Incorrect password!‘调用地址0x00400855
python2脚本如下,和python3的略有不同,即dumps函数的索引不同。
#!/usr/bin/env python2 # -*- coding: utf-8 -*- from angr import * proj = Project('./r100',auto_load_libs = False) state = proj.factory.entry_state() simgr = proj.factory.simgr(state) simgr.explore(find = 0x400844 ,avoid = 0x40085a) print simgr.found[0].posix.dumps(3) //dumps(3)
执行结果如下:
┌─[root@parrot]─[~/whalectf]
└──╼ #python2 angr_py2_template.py
WARNING | 2019-06-12 09:26:41,097 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
WARNING | 2019-06-12 09:26:42,138 | angr.state_plugins.posix | Tried to look up a symbolic fd - constrained to 3 and opened /tmp/angr_implicit_0
Code_Talkers�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
python3脚本如下:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from angr import *
proj = Project('./r100',auto_load_libs = False)
state = proj.factory.entry_state()
simgr = proj.factory.simgr(state)
simgr.explore(find = 0x400844 ,avoid = 0x40085a)
print(simgr.found[0].posix.dumps(0)) //dumps(0)
执行结果如下:
┌─[root@parrot]─[~/whalectf]
└──╼ #python3 angr_py3_template.py
WARNING | 2019-06-12 09:27:26,251 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2019-06-12 09:27:26,253 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2019-06-12 09:27:26,255 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x400890 (PLT.ptrace+0x290 in r100 (0x400890))
WARNING | 2019-06-12 09:27:26,260 | angr.state_plugins.symbolic_memory | Filling register r14 with 8 unconstrained bytes referenced from 0x400895 (PLT.ptrace+0x295 in r100 (0x400895))
WARNING | 2019-06-12 09:27:26,263 | angr.state_plugins.symbolic_memory | Filling register r13 with 8 unconstrained bytes referenced from 0x40089a (PLT.ptrace+0x29a in r100 (0x40089a))
WARNING | 2019-06-12 09:27:26,267 | angr.state_plugins.symbolic_memory | Filling register r12 with 8 unconstrained bytes referenced from 0x40089f (PLT.ptrace+0x29f in r100 (0x40089f))
WARNING | 2019-06-12 09:27:26,276 | angr.state_plugins.symbolic_memory | Filling register rbx with 8 unconstrained bytes referenced from 0x4008b0 (PLT.ptrace+0x2b0 in r100 (0x4008b0))
WARNING | 2019-06-12 09:27:26,339 | angr.state_plugins.symbolic_memory | Filling register cc_ndep with 8 unconstrained bytes referenced from 0x400690 (PLT.ptrace+0x90 in r100 (0x400690))
b'Code_Talkers\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x00'