Angr 初体验之探索口令
目标文件:http://whalectf.xin/files/3e8c3473ea4d6bfb6edc385131313dfa/r100
用angr模块来寻找口令在内存的地址,并且获取口令的内容,python2和python3的解决方案有不一样的地方,值得我记录下来。
解决方案:
首先我们使用radare2来获取函数的反汇编代码.
┌─[root@parrot]─[~/whalectf] └──╼ #r2 -Ad r100
Process with PID 5592 started... = attach 5592 5592 bin.baddr 0x00400000 Using 0x400000 asm.bits 64 [x] Analyze all flags starting with sym. and entry0 (aa) [Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for objc references [x] Check for vtables [TOFIX: aaft can't run in debugger mode.ions (aaft) [x] Type matching analysis for all functions (aaft) [x] Use -AA or aaaa to perform additional experimental analysis.-- I am Pentium of Borg. Division is futile. You will be approximated. [0x7f3f9ecaa090]> afll address size nbbs edges cc cost min bound range max bound calls locals args xref frame name ================== ==== ===== ===== ===== ==== ================== ===== ================== ===== ====== ==== ==== ===== ==== 0x0000000000400610 41 1 0 1 15 0x0000000000400610 41 0x0000000000400639 1 0 1 0 8 entry0 0x00000000004005d0 6 1 0 1 3 0x00000000004005d0 6 0x00000000004005d6 0 0 0 1 0 sym.imp.__libc_start_main 0x0000000000400590 6 1 0 1 3 0x0000000000400590 6 0x0000000000400596 0 0 0 1 0 sym.imp.getenv 0x00000000004005a0 6 1 0 1 3 0x00000000004005a0 6 0x00000000004005a6 0 0 0 2 0 sym.imp.puts 0x00000000004005b0 6 1 0 1 3 0x00000000004005b0 6 0x00000000004005b6 0 0 0 1 0 sym.imp.__stack_chk_fail 0x00000000004005c0 6 1 0 1 3 0x00000000004005c0 6 0x00000000004005c6 0 0 0 1 0 sym.imp.printf0x00000000004005e0 6 1 0 1 3 0x00000000004005e0 6 0x00000000004005e6 0 0 0 1 0 sym.imp.fgets
0x0000000000400600 6 1 0 1 3 0x0000000000400600 6 0x0000000000400606 0 0 0 1 0 sym.imp.ptrace 0x00000000004007e8 153 8 9 5 56 0x00000000004007e8 153 0x0000000000400881 6 2 0 1 280 main 0x00000000004006d0 99 8 10 6 44 0x0000000000400670 141 0x00000000004006fd 0 0 0 0 8 entry.init0 0x00000000004007a8 64 5 6 3 30 0x00000000004007a8 64 0x00000000004007e8 2 0 0 0 8 entry.init1 0x00000000004006b0 28 3 3 2 14 0x00000000004006b0 28 0x00000000004006cc 1 0 0 0 0 entry.fini0 0x0000000000400640 41 4 4 4 20 0x0000000000400640 41 0x0000000000400669 0 0 0 1 8 fcn.00400640
[0x7f3f9ecaa090]> pdf @ main
/ (fcn) main 153 | int main (int argc, char **argv, char **envp); | ; var int32_t var_110h @ rbp-0x110 | ; var int32_t var_8h @ rbp-0x8 | ; DATA XREF from entry0 (0x40062d) | 0x004007e8 55 push rbp | 0x004007e9 4889e5 mov rbp, rsp | 0x004007ec 4881ec100100. sub rsp, 0x110 | 0x004007f3 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40 | 0x004007fc 488945f8 mov qword [var_8h], rax | 0x00400800 31c0 xor eax, eax | 0x00400802 bf37094000 mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: " | 0x00400807 b800000000 mov eax, 0 | 0x0040080c e8affdffff call sym.imp.printf ; int printf(const char *format) | 0x00400811 488b15500820. mov rdx, qword [obj.stdin]; MOV rdx = [0x601068] = 0x0 rbp; [0x601068:8]=0 | 0x00400818 488d85f0feff. lea rax, [var_110h] | 0x0040081f beff000000 mov esi, 0xff ; 255 | 0x00400824 4889c7 mov rdi, rax | 0x00400827 e8b4fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) | 0x0040082c 4885c0 test rax, rax | ,=< 0x0040082f 7435 je 0x400866 | | 0x00400831 488d85f0feff. lea rax, [var_110h] | | 0x00400838 4889c7 mov rdi, rax | | 0x0040083b e8bdfeffff call 0x4006fd | | 0x00400840 85c0 test eax, eax | ,==< 0x00400842 7511 jne 0x400855 | || 0x00400844 bf4c094000 mov edi, str.Nice ; 0x40094c ; "Nice!" | || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s)
| || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s) | || 0x0040084e b800000000 mov eax, 0 | ,===< 0x00400853 eb16 jmp 0x40086b | |`--> 0x00400855 bf52094000 mov edi, str.Incorrect_password ; 0x400952 ; "Incorrect password!" | | | 0x0040085a e841fdffff call sym.imp.puts ; int puts(const char *s) | | | 0x0040085f b801000000 mov eax, 1 | |,==< 0x00400864 eb05 jmp 0x40086b | ||`-> 0x00400866 b800000000 mov eax, 0 | || ; CODE XREFS from main (0x400853, 0x400864) | ``--> 0x0040086b 488b4df8 mov rcx, qword [var_8h] | 0x0040086f 6448330c2528. xor rcx, qword fs:[0x28] | ,=< 0x00400878 7405 je 0x40087f | | 0x0040087a e831fdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void) | `-> 0x0040087f c9 leave \ 0x00400880 c3 ret
找到angr需要使用的两个地址,分别为'Nice!'调用地址0x00400844和‘Incorrect password!‘调用地址0x00400855
python2脚本如下,和python3的略有不同,即dumps函数的索引不同。
#!/usr/bin/env python2 # -*- coding: utf-8 -*-from angr import *proj = Project('./r100',auto_load_libs = False) state = proj.factory.entry_state() simgr = proj.factory.simgr(state) simgr.explore(find = 0x400844 ,avoid = 0x40085a) print simgr.found[0].posix.dumps(3) //dumps(3)
执行结果如下:
┌─[root@parrot]─[~/whalectf] └──╼ #python2 angr_py2_template.py WARNING | 2019-06-12 09:26:41,097 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups. WARNING | 2019-06-12 09:26:42,138 | angr.state_plugins.posix | Tried to look up a symbolic fd - constrained to 3 and opened /tmp/angr_implicit_0 Code_Talkers�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
python3脚本如下:
#!/usr/bin/env python3 # -*- coding: utf-8 -*-from angr import *proj = Project('./r100',auto_load_libs = False) state = proj.factory.entry_state() simgr = proj.factory.simgr(state) simgr.explore(find = 0x400844 ,avoid = 0x40085a) print(simgr.found[0].posix.dumps(0)) //dumps(0)
执行结果如下:
┌─[root@parrot]─[~/whalectf] └──╼ #python3 angr_py3_template.py WARNING | 2019-06-12 09:27:26,251 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior. WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by: WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null WARNING | 2019-06-12 09:27:26,253 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages. WARNING | 2019-06-12 09:27:26,255 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x400890 (PLT.ptrace+0x290 in r100 (0x400890)) WARNING | 2019-06-12 09:27:26,260 | angr.state_plugins.symbolic_memory | Filling register r14 with 8 unconstrained bytes referenced from 0x400895 (PLT.ptrace+0x295 in r100 (0x400895)) WARNING | 2019-06-12 09:27:26,263 | angr.state_plugins.symbolic_memory | Filling register r13 with 8 unconstrained bytes referenced from 0x40089a (PLT.ptrace+0x29a in r100 (0x40089a)) WARNING | 2019-06-12 09:27:26,267 | angr.state_plugins.symbolic_memory | Filling register r12 with 8 unconstrained bytes referenced from 0x40089f (PLT.ptrace+0x29f in r100 (0x40089f)) WARNING | 2019-06-12 09:27:26,276 | angr.state_plugins.symbolic_memory | Filling register rbx with 8 unconstrained bytes referenced from 0x4008b0 (PLT.ptrace+0x2b0 in r100 (0x4008b0)) WARNING | 2019-06-12 09:27:26,339 | angr.state_plugins.symbolic_memory | Filling register cc_ndep with 8 unconstrained bytes referenced from 0x400690 (PLT.ptrace+0x90 in r100 (0x400690)) b'Code_Talkers\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x00'
转载于:https://www.cnblogs.com/heycomputer/articles/11010456.html
Angr 初体验之探索口令相关推荐
- 深度探索Hyperledger技术与应用之超级账本初体验(附部署代码)
2019独角兽企业重金招聘Python工程师标准>>> 本章零基础地介绍了如何快速体验超级账本搭建的区块链网络,我们先绕过了比较复杂的初始化配置,用官方提供的fabric-sampl ...
- 用鸿蒙跑了个 “hello world”!鸿蒙开发初体验
点击上方蓝色"方志朋",选择"设为星标" 回复"666"获取独家整理的学习资料! 来源 | https://my.oschina.net/u ...
- Swift与C++混编 OpenCV初体验 图片打码~
OpenCV初体验,给图片打码 提到OpenCV,相信大多数人都听说过,应用领域非常广泛,使用C++开发,天生具有跨平台的优势,我们学习一次,就可以在各个平台使用,这个还是很具有诱惑力的. 本文主要记 ...
- 从源码深处体验Spring核心技术--IOC容器初体验
开局经验之谈:可能从这一篇文章开始,小伙伴们都会有点晕车的感觉了,但是这个系列并不是只是介绍下spring表面的一些肤浅的东西,本系列的目的是为了让大家从源码层次深入理解Spring,这也是大家在未来 ...
- node.js 初体验
node.js 初体验 2011-10-31 22:56 by 聂微东, 174545 阅读, 118 评论, 收藏, 编辑 PS: ~ 此篇文章的进阶内容在为<Nodejs初阶之express ...
- deepin20自带c语言,deepin 20.1终于找到你-国产操作系统deepin之初体验
deepin 20.1终于找到你-国产操作系统deepin之初体验 前几天刚安装了国产操作系统deepin20.1,使用了几天体验非常好,推荐大家安装使用.这款操作系统确实做的很用心,很不错.日常使用 ...
- Kaggle初体验之泰坦尼特生存预测
Kaggle初体验之泰坦尼特生存预测 学习完了决策树的ID3.C4.5.CART算法,找一个试手的地方,Kaggle的练习赛泰坦尼特很不错,记录下 流程 首先注册一个账号,然后在顶部菜单栏Co ...
- Alfred Remote初体验
本文首发:Alfred Remote初体验,本cnblogs博客同步更新 Alfred更新到2.6版本之后,Remote的功能终于可以用了.于是第一时间尝试了一下,感觉还是很棒的BIG那是相当的高. ...
- 我的Go+语言初体验——Go+语言构建神经网络实战手写数字识别
"我的Go+语言初体验" | 征文活动进行中- 我的Go+语言初体验--Go+语言构建神经网络实战手写数字识别 0. 前言 1. 神经网络相关概念 2. 构建神经网络实战手写数字识 ...
最新文章
- jeecms 2012 源码分析(2) 前台栏目页静态化分析
- gulp关于scss的基础配置
- 每日一皮:一直认为写代码的自己有点小帅
- oracle存储过程详解--游标 实现增、删、改、查的
- Nginx+Supervisor安装部署.NET Core项目
- webservice 之 Java CXF实战效果 RS WS(二)
- BigDecimal总结
- tb项目管理实践_项目经理与项目管理整理
- json入门 PHP,PHP开发基础教程之JSON
- 对象与对象之间的赋值(别名现象)
- visio保存高清图片
- 易语言清空c盘指令,C盘清理命令
- php 监控网页更新提醒,web网站股票自动监控提醒实时变化
- win10没有wifi列表,显示不出可用WiFi
- 新版正方教务网模拟登录python实现
- 微信小程“古康日记“
- POJ 3585 Accumulation Degree 树形dp
- 【超详细图解】字符串匹配Boyer-Moore算法:文本编辑器中的查找功能是如何实现的?
- autojs之四史答题2.0(加ui)
- Codeforces Round#768(Div.2) B. Fun with Even Subarrays
热门文章
- Linux cp 命令的15个示例 - 创建文件和目录的副本
- 【乐畅】工作积累 ---- 调节音量大小 (滑动条调节音量大小并保存起来 )
- Hadoop运维记录系列(十七)
- MOSS 2007的备份与恢复
- 安装fastdfs出现/usr/local/lib/libfastcommon.so: undefined reference to `fcntl64@GLIBC_2.28‘
- 文章目录列表的字体颜色修改
- Micro-CMS v2(持续更新中)
- pynlpir(ICTCLAS)初步使用
- 计算机系统基础:数字的机器表示
- tcp ip socket