Angr 初体验之探索flag
目标文件:http://whalectf.xin/files/5e74de939a30df859f443c08e5ec77d2/ais3_crackme
所需工具:radare2 angr
解决方案:
使用radare2反汇编主函数内容如下:
┌─[root@parrot]─[~/whalectf]
└──╼ #r2 -Ad ais3_crackme
Process with PID 8458 started...
= attach 8458 8458
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
-- -bash: r2: command not found
[0x7fb602a6c090]> pdf @ main
/ (fcn) main 90
| int main (int argc, char **argv, char **envp);
| ; var int32_t var_10h @ rbp-0x10
| ; var int32_t var_4h @ rbp-0x4
| ; arg int argc @ rdi
| ; arg char **argv @ rsi
| ; DATA XREF from entry0 (0x40042d)
| 0x004005c5 55 push rbp
| 0x004005c6 4889e5 mov rbp, rsp
| 0x004005c9 4883ec10 sub rsp, 0x10
| 0x004005cd 897dfc mov dword [var_4h], edi ; argc
| 0x004005d0 488975f0 mov qword [var_10h], rsi ; argv
| 0x004005d4 837dfc02 cmp dword [var_4h], 2
| ,=< 0x004005d8 7411 je 0x4005eb
| | 0x004005da bfc8064000 mov edi, str.You_need_to_enter_the_secret_key ; 0x4006c8 ; "You need to enter the secret key!"
| | 0x004005df e80cfeffff call sym.imp.puts ; int puts(const char *s)
| | 0x004005e4 b8ffffffff mov eax, 0xffffffff ; -1
| ,==< 0x004005e9 eb32 jmp 0x40061d
| |`-> 0x004005eb 488b45f0 mov rax, qword [var_10h]
| | 0x004005ef 4883c008 add rax, 8
| | 0x004005f3 488b00 mov rax, qword [rax]
| | 0x004005f6 4889c7 mov rdi, rax
| | 0x004005f9 e822ffffff call sym.verify
| | 0x004005fe 85c0 test eax, eax
| |,=< 0x00400600 740c je 0x40060e
| || 0x00400602 bff0064000 mov edi, str.Correct__that_is_the_secret_key ; 0x4006f0 ; "Correct! that is the secret key!"
| || 0x00400607 e8e4fdffff call sym.imp.puts ; int puts(const char *s)
| ,===< 0x0040060c eb0a jmp 0x400618
| ||`-> 0x0040060e bf18074000 mov edi, str.I_m_sorry__that_s_the_wrong_secret_key ; 0x400718 ; "I'm sorry, that's the wrong secret key!"
| || 0x00400613 e8d8fdffff call sym.imp.puts ; int puts(const char *s)
| || ; CODE XREF from main (0x40060c)
| `---> 0x00400618 b800000000 mov eax, 0
| | ; CODE XREF from main (0x4005e9)
| `--> 0x0040061d c9 leave
\ 0x0040061e c3 ret
[0x7fb602a6c090]>
从反汇编中获取到两个关键地址：find = 0x00400602（加载 "Correct! that is the secret key!" 字符串、即验证成功的分支），avoid = 0x0040060e（加载 "I'm sorry, that's the wrong secret key!" 字符串、即验证失败的分支）
编写exploit脚本如下:
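#!/usr/bin/env python2
# -*- coding: utf-8 -*-
"""Recover the secret key accepted by ais3_crackme with angr.

From the radare2 listing of main(): the program requires exactly one
argument, passes argv[1] to sym.verify, and then prints
"Correct! that is the secret key!" (string loaded at 0x400602) or the
"wrong secret key" message (string loaded at 0x40060e).  The script makes
argv[1] symbolic, explores execution until the success block is reached
while pruning paths that hit the failure block, and asks the solver for a
concrete argv[1] that satisfies the collected constraints.
"""
import sys

import angr
import claripy

# Addresses taken from the `pdf @ main` output above: the basic block that
# loads the "Correct" string and the one that loads the "wrong key" string.
FIND_ADDR = 0x00400602
AVOID_ADDR = 0x0040060e

# Upper bound on the key length to search for.  50 characters is an
# assumption, not something the binary reveals; raise it if no path is found.
MAX_KEY_LEN = 50

proj = angr.Project('ais3_crackme', auto_load_libs=False)

# BVS = symbolic bit vector; one char is 8 bits, so MAX_KEY_LEN * 8 bits.
argv1 = claripy.BVS('argv1', MAX_KEY_LEN * 8)
state = proj.factory.entry_state(args=['ais3_crackme', argv1])
s = proj.factory.simgr(state)
s.explore(find=FIND_ADDR, avoid=AVOID_ADDR)

# s.found is empty when no path reaches FIND_ADDR; indexing it blindly would
# raise IndexError, so fail with a readable message instead.
if not s.found:
    sys.exit("no path to 0x%x found; try a larger MAX_KEY_LEN" % FIND_ADDR)

# print(...) with a single argument works on both Python 2 and 3.
# cast_to=str matches the Python 2 angr API this script targets; Python 3
# releases of angr expect cast_to=bytes here.
print(s.found[0].solver.eval(argv1, cast_to=str))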