A first try at angr: exploring for the flag

Target binary: http://whalectf.xin/files/5e74de939a30df859f443c08e5ec77d2/ais3_crackme

Tools required: radare2, angr

Solution:

Disassembling the main function with radare2 gives the following:


┌─[root@parrot]─[~/whalectf]
└──╼ #r2 -Ad ais3_crackme
Process with PID 8458 started...
= attach 8458 8458
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
[x] Analyze all flags starting with sym. and entry0 (aa)
[Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
Warning: Invalid range. Use different search.in=? or anal.in=dbg.maps.x
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- -bash: r2: command not found
[0x7fb602a6c090]> pdf @ main
/ (fcn) main 90
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_10h @ rbp-0x10
|           ; var int32_t var_4h @ rbp-0x4
|           ; arg int argc @ rdi
|           ; arg char **argv @ rsi
|           ; DATA XREF from entry0 (0x40042d)
|           0x004005c5      55             push rbp
|           0x004005c6      4889e5         mov rbp, rsp
|           0x004005c9      4883ec10       sub rsp, 0x10
|           0x004005cd      897dfc         mov dword [var_4h], edi     ; argc
|           0x004005d0      488975f0       mov qword [var_10h], rsi    ; argv
|           0x004005d4      837dfc02       cmp dword [var_4h], 2
|       ,=< 0x004005d8      7411           je 0x4005eb
|       |   0x004005da      bfc8064000     mov edi, str.You_need_to_enter_the_secret_key ; 0x4006c8 ; "You need to enter the secret key!"
|       |   0x004005df      e80cfeffff     call sym.imp.puts           ; int puts(const char *s)
|       |   0x004005e4      b8ffffffff     mov eax, 0xffffffff         ; -1
|      ,==< 0x004005e9      eb32           jmp 0x40061d
|      |`-> 0x004005eb      488b45f0       mov rax, qword [var_10h]
|      |    0x004005ef      4883c008       add rax, 8
|      |    0x004005f3      488b00         mov rax, qword [rax]
|      |    0x004005f6      4889c7         mov rdi, rax
|      |    0x004005f9      e822ffffff     call sym.verify
|      |    0x004005fe      85c0           test eax, eax
|      |,=< 0x00400600      740c           je 0x40060e
|      ||   0x00400602      bff0064000     mov edi, str.Correct__that_is_the_secret_key ; 0x4006f0 ; "Correct! that is the secret key!"
|      ||   0x00400607      e8e4fdffff     call sym.imp.puts           ; int puts(const char *s)
|     ,===< 0x0040060c      eb0a           jmp 0x400618
|     ||`-> 0x0040060e      bf18074000     mov edi, str.I_m_sorry__that_s_the_wrong_secret_key ; 0x400718 ; "I'm sorry, that's the wrong secret key!"
|     ||    0x00400613      e8d8fdffff     call sym.imp.puts           ; int puts(const char *s)
|     ||    ; CODE XREF from main (0x40060c)
|     `---> 0x00400618      b800000000     mov eax, 0
|      |    ; CODE XREF from main (0x4005e9)
|      `--> 0x0040061d      c9             leave
\           0x0040061e      c3             ret
[0x7fb602a6c090]> 

From the listing we get the two addresses: find = 0x00400602 (the first instruction of the block that prints "Correct! that is the secret key!") and avoid = 0x0040060e (the first instruction of the block that prints "I'm sorry, that's the wrong secret key!").
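The two addresses above were read off the listing by hand. As an added example (not code from the original post), the following Python parses the instruction rows of the `pdf @ main` output shown above and returns the address of the first instruction that references the success string and the first that references the failure string, which is exactly the find/avoid pair the solve script needs. The names `INSN_RE`, `parse_listing` and `find_and_avoid` are my own; the listing excerpt is copied from the radare2 output on this page rather than constructed.

```python
import re

# Instruction rows copied from the `pdf @ main` listing above (not constructed),
# trimmed to the part that matters for choosing find/avoid.
R2_MAIN_LISTING = """\
|       ,=< 0x004005d8      7411           je 0x4005eb
|       |   0x004005da      bfc8064000     mov edi, str.You_need_to_enter_the_secret_key ; 0x4006c8 ; "You need to enter the secret key!"
|       |   0x004005df      e80cfeffff     call sym.imp.puts           ; int puts(const char *s)
|      |    0x004005f9      e822ffffff     call sym.verify
|      |    0x004005fe      85c0           test eax, eax
|      |,=< 0x00400600      740c           je 0x40060e
|      ||   0x00400602      bff0064000     mov edi, str.Correct__that_is_the_secret_key ; 0x4006f0 ; "Correct! that is the secret key!"
|      ||   0x00400607      e8e4fdffff     call sym.imp.puts           ; int puts(const char *s)
|     ,===< 0x0040060c      eb0a           jmp 0x400618
|     ||`-> 0x0040060e      bf18074000     mov edi, str.I_m_sorry__that_s_the_wrong_secret_key ; 0x400718 ; "I'm sorry, that's the wrong secret key!"
|     ||    0x00400613      e8d8fdffff     call sym.imp.puts           ; int puts(const char *s)
"""

# An r2 instruction row is: graph arrows, address, opcode bytes, instruction text.
# Searching left to right, the first "0x... <hex bytes> <text>" group is the address
# column; comment lines such as "var_10h @ rbp-0x10" have no byte column and are skipped.
INSN_RE = re.compile(r'(0x[0-9a-fA-F]{6,16})\s+([0-9a-fA-F]+)\s+(\S.*)$')


def parse_listing(listing):
    """Return [(address, instruction_text), ...] for every instruction row in the listing."""
    rows = []
    for line in listing.splitlines():
        m = INSN_RE.search(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(3).strip()))
    return rows


def find_and_avoid(listing, success_marker, failure_marker):
    """Return (find, avoid) for angr's SimulationManager.explore().

    find  = address of the first instruction whose text references the success string
    avoid = address of the first instruction whose text references the failure string
    Loading the string pointer into edi is the first instruction of its basic block,
    so reaching it means the program has already committed to that branch.
    """
    find = avoid = None
    for addr, text in parse_listing(listing):
        if find is None and success_marker in text:
            find = addr
        if avoid is None and failure_marker in text:
            avoid = addr
    if find is None or avoid is None:
        raise ValueError("success or failure marker not found in listing")
    return find, avoid


if __name__ == "__main__":
    find, avoid = find_and_avoid(R2_MAIN_LISTING, "Correct", "wrong")
    print("find  = 0x%08x" % find)
    print("avoid = 0x%08x" % avoid)
```

Matching on the string reference rather than on a hard-coded offset means the same helper works on a rebuilt binary where the code moved but the messages did not; if either marker is missing the function raises instead of silently returning a half-filled pair, so a wrong address never reaches `explore()`.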

Write the solve script as follows:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import angr
import claripy

# Load the binary alone; skipping shared libraries keeps the exploration small.
proj = angr.Project('ais3_crackme', auto_load_libs=False)

# BVS = bit-vector symbol: a 50-byte symbolic argv[1] (1 char = 8 bits, 1 int = 32 bits).
argv1 = claripy.BVS('argv1', 50 * 8)

# Start at the program entry point with the symbolic value as argv[1].
state = proj.factory.entry_state(args=['ais3_crackme', argv1])
s = proj.factory.simgr(state)

# Run until the "Correct" block is reached, pruning any path that enters the "wrong" block.
s.explore(find=0x00400602, avoid=0x0040060e)

# Ask the solver for a concrete argv[1] that satisfies the constraints of the found path.
print(s.found[0].solver.eval(argv1, cast_to=bytes))


posted @ 2019-06-12 18:42  heycomputer