Angr 初体验之探索口令

目标文件：http://whalectf.xin/files/3e8c3473ea4d6bfb6edc385131313dfa/r100

用angr模块来寻找口令在内存的地址，并且获取口令的内容，python2和python3的解决方案有不一样的地方，值得我记录下来。

解决方案：

首先我们使用radare2来获取函数的反汇编代码.

┌─[root@parrot]─[~/whalectf]
└──╼ #r2 -Ad r100

Process with PID 5592 started...
= attach 5592 5592
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- I am Pentium of Borg. Division is futile. You will be approximated.
[0x7f3f9ecaa090]> afll
address            size  nbbs edges    cc cost          min bound range max bound          calls locals args xref frame name
================== ==== ===== ===== ===== ==== ================== ===== ================== ===== ====== ==== ==== ===== ====
0x0000000000400610   41     1     0     1   15 0x0000000000400610    41 0x0000000000400639     1    0      1    0     8 entry0
0x00000000004005d0    6     1     0     1    3 0x00000000004005d0     6 0x00000000004005d6     0    0      0    1     0 sym.imp.__libc_start_main
0x0000000000400590    6     1     0     1    3 0x0000000000400590     6 0x0000000000400596     0    0      0    1     0 sym.imp.getenv
0x00000000004005a0    6     1     0     1    3 0x00000000004005a0     6 0x00000000004005a6     0    0      0    2     0 sym.imp.puts
0x00000000004005b0    6     1     0     1    3 0x00000000004005b0     6 0x00000000004005b6     0    0      0    1     0 sym.imp.__stack_chk_fail
0x00000000004005c0    6     1     0     1    3 0x00000000004005c0     6 0x00000000004005c6     0    0      0    1     0 sym.imp.printf
0x00000000004005e0    6     1     0     1    3 0x00000000004005e0     6 0x00000000004005e6     0    0      0    1     0 sym.imp.fgets

0x0000000000400600    6     1     0     1    3 0x0000000000400600     6 0x0000000000400606     0    0      0    1     0 sym.imp.ptrace
0x00000000004007e8  153     8     9     5   56 0x00000000004007e8   153 0x0000000000400881     6    2      0    1   280 main
0x00000000004006d0   99     8    10     6   44 0x0000000000400670   141 0x00000000004006fd     0    0      0    0     8 entry.init0
0x00000000004007a8   64     5     6     3   30 0x00000000004007a8    64 0x00000000004007e8     2    0      0    0     8 entry.init1
0x00000000004006b0   28     3     3     2   14 0x00000000004006b0    28 0x00000000004006cc     1    0      0    0     0 entry.fini0
0x0000000000400640   41     4     4     4   20 0x0000000000400640    41 0x0000000000400669     0    0      0    1     8 fcn.00400640

[0x7f3f9ecaa090]> pdf @  main

/ (fcn) main 153
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_110h @ rbp-0x110
|           ; var int32_t var_8h @ rbp-0x8
|           ; DATA XREF from entry0 (0x40062d)
|           0x004007e8      55             push rbp
|           0x004007e9      4889e5         mov rbp, rsp
|           0x004007ec      4881ec100100.  sub rsp, 0x110
|           0x004007f3      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=-1 ; '(' ; 40
|           0x004007fc      488945f8       mov qword [var_8h], rax
|           0x00400800      31c0           xor eax, eax
|           0x00400802      bf37094000     mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: "
|           0x00400807      b800000000     mov eax, 0
|           0x0040080c      e8affdffff     call sym.imp.printf         ; int printf(const char *format)
|           0x00400811      488b15500820.  mov rdx, qword [obj.stdin]; MOV rdx = [0x601068] = 0x0 rbp
 ; [0x601068:8]=0
|           0x00400818      488d85f0feff.  lea rax, [var_110h]
|           0x0040081f      beff000000     mov esi, 0xff               ; 255
|           0x00400824      4889c7         mov rdi, rax
|           0x00400827      e8b4fdffff     call sym.imp.fgets          ; char *fgets(char *s, int size, FILE *stream)
|           0x0040082c      4885c0         test rax, rax
|       ,=< 0x0040082f      7435           je 0x400866
|       |   0x00400831      488d85f0feff.  lea rax, [var_110h]
|       |   0x00400838      4889c7         mov rdi, rax
|       |   0x0040083b      e8bdfeffff     call 0x4006fd
|       |   0x00400840      85c0           test eax, eax
|      ,==< 0x00400842      7511           jne 0x400855
|      ||   0x00400844      bf4c094000     mov edi, str.Nice           ; 0x40094c ; "Nice!"
|      ||   0x00400849      e852fdffff     call sym.imp.puts           ; int puts(const char *s)

|      ||   0x00400849      e852fdffff     call sym.imp.puts           ; int puts(const char *s)
|      ||   0x0040084e      b800000000     mov eax, 0
|     ,===< 0x00400853      eb16           jmp 0x40086b
|     |`--> 0x00400855      bf52094000     mov edi, str.Incorrect_password ; 0x400952 ; "Incorrect password!"
|     | |   0x0040085a      e841fdffff     call sym.imp.puts           ; int puts(const char *s)
|     | |   0x0040085f      b801000000     mov eax, 1
|     |,==< 0x00400864      eb05           jmp 0x40086b
|     ||`-> 0x00400866      b800000000     mov eax, 0
|     ||    ; CODE XREFS from main (0x400853, 0x400864)
|     ``--> 0x0040086b      488b4df8       mov rcx, qword [var_8h]
|           0x0040086f      6448330c2528.  xor rcx, qword fs:[0x28]
|       ,=< 0x00400878      7405           je 0x40087f
|       |   0x0040087a      e831fdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|       `-> 0x0040087f      c9             leave
\           0x00400880      c3             ret

找到angr需要使用的两个地址，分别为'Nice!'调用地址0x00400844和‘Incorrect password!‘调用地址0x00400855

python2脚本如下,和python3的略有不同，即dumps函数的索引不同。

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

from angr import *

proj = Project('./r100',auto_load_libs = False)
state = proj.factory.entry_state()
simgr = proj.factory.simgr(state)
simgr.explore(find = 0x400844 ,avoid = 0x40085a)
print  simgr.found[0].posix.dumps(3)                    //dumps(3)

 执行结果如下：

┌─[root@parrot]─[~/whalectf]
└──╼ #python2 angr_py2_template.py 
WARNING | 2019-06-12 09:26:41,097 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
WARNING | 2019-06-12 09:26:42,138 | angr.state_plugins.posix | Tried to look up a symbolic fd - constrained to 3 and opened /tmp/angr_implicit_0
Code_Talkers�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������

 

python3脚本如下：

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from angr import *

proj = Project('./r100',auto_load_libs = False)
state = proj.factory.entry_state()
simgr = proj.factory.simgr(state)
simgr.explore(find = 0x400844 ,avoid = 0x40085a)
print（simgr.found[0].posix.dumps(0)）                   //dumps(0)

 执行结果如下：

┌─[root@parrot]─[~/whalectf]
└──╼ #python3 angr_py3_template.py 
WARNING | 2019-06-12 09:27:26,251 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2019-06-12 09:27:26,252 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2019-06-12 09:27:26,253 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2019-06-12 09:27:26,255 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x400890 (PLT.ptrace+0x290 in r100 (0x400890))
WARNING | 2019-06-12 09:27:26,260 | angr.state_plugins.symbolic_memory | Filling register r14 with 8 unconstrained bytes referenced from 0x400895 (PLT.ptrace+0x295 in r100 (0x400895))
WARNING | 2019-06-12 09:27:26,263 | angr.state_plugins.symbolic_memory | Filling register r13 with 8 unconstrained bytes referenced from 0x40089a (PLT.ptrace+0x29a in r100 (0x40089a))
WARNING | 2019-06-12 09:27:26,267 | angr.state_plugins.symbolic_memory | Filling register r12 with 8 unconstrained bytes referenced from 0x40089f (PLT.ptrace+0x29f in r100 (0x40089f))
WARNING | 2019-06-12 09:27:26,276 | angr.state_plugins.symbolic_memory | Filling register rbx with 8 unconstrained bytes referenced from 0x4008b0 (PLT.ptrace+0x2b0 in r100 (0x4008b0))
WARNING | 2019-06-12 09:27:26,339 | angr.state_plugins.symbolic_memory | Filling register cc_ndep with 8 unconstrained bytes referenced from 0x400690 (PLT.ptrace+0x90 in r100 (0x400690))
b'Code_Talkers\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x00'