A First Try at Angr: Exploring a Password
Target file: http://whalectf.xin/files/3e8c3473ea4d6bfb6edc385131313dfa/r100

Use the angr module to locate the password in memory and recover its contents. The Python 2 and Python 3 solutions differ in one place, which is worth writing down.

Solution:

First, use radare2 to get the disassembly of the function.
┌─[root@parrot]─[~/whalectf]
└──╼ #r2 -Ad r100
Process with PID 5592 started...
= attach 5592 5592
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- I am Pentium of Borg. Division is futile. You will be approximated.
[0x7f3f9ecaa090]> afll
address            size nbbs edges cc cost min bound          range max bound          calls locals args xref frame name
================== ==== ===== ===== ===== ==== ================== ===== ================== ===== ====== ==== ==== ===== ====
0x0000000000400610   41     1     0     1   15 0x0000000000400610    41 0x0000000000400639     1      0    1    0     8 entry0
0x00000000004005d0    6     1     0     1    3 0x00000000004005d0     6 0x00000000004005d6     0      0    0    1     0 sym.imp.__libc_start_main
0x0000000000400590    6     1     0     1    3 0x0000000000400590     6 0x0000000000400596     0      0    0    1     0 sym.imp.getenv
0x00000000004005a0    6     1     0     1    3 0x00000000004005a0     6 0x00000000004005a6     0      0    0    2     0 sym.imp.puts
0x00000000004005b0    6     1     0     1    3 0x00000000004005b0     6 0x00000000004005b6     0      0    0    1     0 sym.imp.__stack_chk_fail
0x00000000004005c0    6     1     0     1    3 0x00000000004005c0     6 0x00000000004005c6     0      0    0    1     0 sym.imp.printf
0x00000000004005e0    6     1     0     1    3 0x00000000004005e0     6 0x00000000004005e6     0      0    0    1     0 sym.imp.fgets
0x0000000000400600    6     1     0     1    3 0x0000000000400600     6 0x0000000000400606     0      0    0    1     0 sym.imp.ptrace
0x00000000004007e8  153     8     9     5   56 0x00000000004007e8   153 0x0000000000400881     6      2    0    1   280 main
0x00000000004006d0   99     8    10     6   44 0x0000000000400670   141 0x00000000004006fd     0      0    0    0     8 entry.init0
0x00000000004007a8   64     5     6     3   30 0x00000000004007a8    64 0x00000000004007e8     2      0    0    0     8 entry.init1
0x00000000004006b0   28     3     3     2   14 0x00000000004006b0    28 0x00000000004006cc     1      0    0    0     0 entry.fini0
0x0000000000400640   41     4     4     4   20 0x0000000000400640    41 0x0000000000400669     0      0    0    1     8 fcn.00400640
[0x7f3f9ecaa090]> pdf @ main
/ (fcn) main 153
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_110h @ rbp-0x110
|           ; var int32_t var_8h @ rbp-0x8
|           ; DATA XREF from entry0 (0x40062d)
|           0x004007e8      55             push rbp
|           0x004007e9      4889e5         mov rbp, rsp
|           0x004007ec      4881ec100100.  sub rsp, 0x110
|           0x004007f3      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=-1 ; '(' ; 40
|           0x004007fc      488945f8       mov qword [var_8h], rax
|           0x00400800      31c0           xor eax, eax
|           0x00400802      bf37094000     mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: "
|           0x00400807      b800000000     mov eax, 0
|           0x0040080c      e8affdffff     call sym.imp.printf         ; int printf(const char *format)
|           0x00400811      488b15500820.  mov rdx, qword [obj.stdin]  ; MOV rdx = [0x601068] = 0x0 rbp ; [0x601068:8]=0
|           0x00400818      488d85f0feff.  lea rax, [var_110h]
|           0x0040081f      beff000000     mov esi, 0xff               ; 255
|           0x00400824      4889c7         mov rdi, rax
|           0x00400827      e8b4fdffff     call sym.imp.fgets          ; char *fgets(char *s, int size, FILE *stream)
|           0x0040082c      4885c0         test rax, rax
|       ,=< 0x0040082f      7435           je 0x400866
|       |   0x00400831      488d85f0feff.  lea rax, [var_110h]
|       |   0x00400838      4889c7         mov rdi, rax
|       |   0x0040083b      e8bdfeffff     call 0x4006fd
|       |   0x00400840      85c0           test eax, eax
|      ,==< 0x00400842      7511           jne 0x400855
|      ||   0x00400844      bf4c094000     mov edi, str.Nice           ; 0x40094c ; "Nice!"
|      ||   0x00400849      e852fdffff     call sym.imp.puts           ; int puts(const char *s)
|      ||   0x0040084e      b800000000     mov eax, 0
|     ,===< 0x00400853      eb16           jmp 0x40086b
|     ||`-> 0x00400855      bf52094000     mov edi, str.Incorrect_password ; 0x400952 ; "Incorrect password!"
|     || |  0x0040085a      e841fdffff     call sym.imp.puts           ; int puts(const char *s)
|     || |  0x0040085f      b801000000     mov eax, 1
|     ||,=< 0x00400864      eb05           jmp 0x40086b
|     |||`> 0x00400866      b800000000     mov eax, 0
|     |||   ; CODE XREFS from main (0x400853, 0x400864)
|     ``--> 0x0040086b      488b4df8       mov rcx, qword [var_8h]
|           0x0040086f      6448330c2528.  xor rcx, qword fs:[0x28]
|       ,=< 0x00400878      7405           je 0x40087f
|       |   0x0040087a      e831fdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|       `-> 0x0040087f      c9             leave
\           0x00400880      c3             ret
This gives the two addresses angr needs: the 'Nice!' call at 0x00400844 and the 'Incorrect password!' call at 0x00400855.

The Python 2 script is below. It differs slightly from the Python 3 version: the index passed to dumps() is different.
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from angr import *

# Load the target without shared libraries so exploration stays small
proj = Project('./r100', auto_load_libs=False)
state = proj.factory.entry_state()
simgr = proj.factory.simgr(state)
# Reach the "Nice!" block, prune paths that hit puts("Incorrect password!")
simgr.explore(find=0x400844, avoid=0x40085a)
# dumps(3): this angr build reads the input back from fd 3, the implicit
# file it opened (see the posix warning in the run below)
print simgr.found[0].posix.dumps(3)

Running it gives:
┌─[root@parrot]─[~/whalectf]
└──╼ #python2 angr_py2_template.py
WARNING | 2019-06-12 09:26:41,097 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
WARNING | 2019-06-12 09:26:42,138 | angr.state_plugins.posix | Tried to look up a symbolic fd - constrained to 3 and opened /tmp/angr_implicit_0
Code_Talkers�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
The Python 3 script is as follows:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from angr import *

# Load the target without shared libraries so exploration stays small
proj = Project('./r100', auto_load_libs=False)
state = proj.factory.entry_state()
simgr = proj.factory.simgr(state)
# Reach the "Nice!" block, prune paths that hit puts("Incorrect password!")
simgr.explore(find=0x400844, avoid=0x40085a)
# dumps(0): read back what the found state consumed from stdin (fd 0)
print(simgr.found[0].posix.dumps(0))

Running it gives:
┌─[root@parrot]─[~/whalectf]
└──╼ #python3 angr_py3_template.py
WARNING | 2019-06-12 09:27:26,251 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2019-06-12 09:27:26,253 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2019-06-12 09:27:26,255 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x400890 (PLT.ptrace+0x290 in r100 (0x400890))
WARNING | 2019-06-12 09:27:26,260 | angr.state_plugins.symbolic_memory | Filling register r14 with 8 unconstrained bytes referenced from 0x400895 (PLT.ptrace+0x295 in r100 (0x400895))
WARNING | 2019-06-12 09:27:26,263 | angr.state_plugins.symbolic_memory | Filling register r13 with 8 unconstrained bytes referenced from 0x40089a (PLT.ptrace+0x29a in r100 (0x40089a))
WARNING | 2019-06-12 09:27:26,267 | angr.state_plugins.symbolic_memory | Filling register r12 with 8 unconstrained bytes referenced from 0x40089f (PLT.ptrace+0x29f in r100 (0x40089f))
WARNING | 2019-06-12 09:27:26,276 | angr.state_plugins.symbolic_memory | Filling register rbx with 8 unconstrained bytes referenced from 0x4008b0 (PLT.ptrace+0x2b0 in r100 (0x4008b0))
WARNING | 2019-06-12 09:27:26,339 | angr.state_plugins.symbolic_memory | Filling register cc_ndep with 8 unconstrained bytes referenced from 0x400690 (PLT.ptrace+0x90 in r100 (0x400690))
b'Code_Talkers\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x00'
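Both runs above end with the password followed by a tail of 0xf5 padding and a NUL, which is angr filling the unconstrained rest of the 255-byte fgets buffer. The script below is an added example, not the original post's code: it wraps the same explore() call and post-processes the dumped stdin into a clean string. It assumes the r100 binary and the find/avoid addresses identified above; the `clean_stdin` helper is an assumption of this example and runs without angr installed.

```python
#!/usr/bin/env python3
"""Added example: angr explore wrapper plus stdin clean-up for the r100 post."""

FIND_NICE = 0x400844        # block that prints "Nice!" (from the post's disassembly)
AVOID_INCORRECT = 0x40085a  # puts("Incorrect password!") call (from the post's script)


def clean_stdin(dumped: bytes) -> str:
    """Turn angr's concretised stdin into the line the program actually read.

    fgets() stops at the first newline, and angr fills the unconstrained
    remainder of the buffer with 0xf5 bytes and a NUL (seen in the post's
    Python 3 output), so cut at the first newline, then strip the padding.
    """
    line = dumped.split(b"\n", 1)[0]
    return line.rstrip(b"\xf5\x00").decode("ascii", errors="replace")


def find_password(binary: str = "./r100", find: int = FIND_NICE,
                  avoid: int = AVOID_INCORRECT) -> str:
    """Run the same explore() as the post and return the cleaned stdin."""
    import angr  # imported here so clean_stdin() stays usable without angr

    proj = angr.Project(binary, auto_load_libs=False)
    simgr = proj.factory.simgr(proj.factory.entry_state())
    simgr.explore(find=find, avoid=avoid)
    if not simgr.found:
        raise RuntimeError("explore() reached no state at the find address")
    found = simgr.found[0]
    # fd 0 is the program's stdin; the post's Python 2 run read fd 3 only
    # because that angr build had opened an implicit file on fd 3.
    return clean_stdin(found.posix.dumps(0))


if __name__ == "__main__":
    print(find_password())
```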
Reposted from: https://www.cnblogs.com/heycomputer/articles/11010456.html