mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2025-01-27 05:57:33 +07:00
some fix
This commit is contained in:
parent
e6dc1006ce
commit
cc9cff02a5
18
README.md
@ -23,16 +23,17 @@
|
||||
|
||||
- [二、工具篇](doc/2_tools.md)
|
||||
- [2.1 VM](doc/2.1_vm.md)
|
||||
- [2.2 gdb/peda](doc/2.2_gdb&peda.md)
|
||||
- [2.2 gdb/peda](doc/2.2_gdb.md)
|
||||
- [2.3 ollydbg](doc/2.3_ollydbg.md)
|
||||
- [2.4 windbg](doc/2.4_windbg.md)
|
||||
- [2.5 radare2](doc/2.5_radare2.md)
|
||||
- [2.6 IDA Pro](doc/2.6_idapro.md)
|
||||
- [2.7 pwntools](doc/2.7_pwntools.md)
|
||||
- [2.8 JEB](doc/2.8_jeb.md)
|
||||
- [2.9 metasploit](doc/2.9_metasploit.md)
|
||||
- [2.10 binwalk](doc/2.10_binwalk.md)
|
||||
- [2.11 Burp Suite](doc/2.11_burpsuite.md)
|
||||
- [2.8 zio](doc/2.8_zio.md)
|
||||
- [2.9 JEB](doc/2.9_jeb.md)
|
||||
- [2.10 metasploit](doc/2.10_metasploit.md)
|
||||
- [2.11 binwalk](doc/2.11_binwalk.md)
|
||||
- [2.12 Burp Suite](doc/2.12_burpsuite.md)
|
||||
|
||||
- [三、分类专题篇](doc/3_topics.md)
|
||||
- [3.1 Reverse](doc/3.1_reverse.md)
|
||||
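Review bot: the renumbering in this hunk (zio becomes 2.8, JEB 2.9, metasploit 2.10, binwalk 2.11, Burp Suite 2.12) changes every doc path under chapter 2, so any in-text link elsewhere that still points at `doc/2.8_jeb.md`, `doc/2.9_metasploit.md`, `doc/2.10_binwalk.md` or `doc/2.11_burpsuite.md` will 404 once this lands, since those files are deleted in the same commit; grep for the old names before merging. The `2.2_gdb&peda.md` → `2.2_gdb.md` rename is worth keeping on its own merits: an `&` in a path breaks in URLs and in unquoted shell commands.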
@ -53,7 +54,6 @@
|
||||
- [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
|
||||
- [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
|
||||
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||
- [4.6 zio](doc/4.6_zio.md)
|
||||
- [4.7 通用 gadget](doc/4.7_common_gadget.md)
|
||||
- [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)
|
||||
- [4.9 给 ELF 文件打 patch](doc/4.9_patch_elf.md)
|
||||
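Review bot: dropping `- [4.6 zio](doc/4.6_zio.md)` leaves chapter 4 numbered 4.5, 4.7, 4.8, 4.9 with a hole at 4.6; either renumber 4.7 to 4.9 (and their files) down by one or keep the entry, so the numbering stays contiguous like the rest of the index.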
@ -63,11 +63,12 @@
|
||||
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||
- [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
|
||||
- [5.3 angr 二进制自动化分析](doc/5.3_angr.md)
|
||||
- [5.4 反调试技术](doc/5.4_antidbg.md)
|
||||
- [5.5 符号执行](doc/5.5_symbolic.md)
|
||||
- [5.4 符号执行](doc/5.4_symbolic.md)
|
||||
- [5.5 Triton 动态二进制分析框架](doc/5.5_triton.md)
|
||||
- [5.6 LLVM](doc/5.6_llvm.md)
|
||||
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||
- [5.8 SAT/SMT](doc/5.8_sat-smt.md)
|
||||
- [5.9 反调试技术](doc/5.9_antidbg.md)
|
||||
|
||||
- [六、题解篇](doc/6_writeup.md)
|
||||
- pwn
|
||||
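Review bot: 反调试技术 moves from 5.4 to 5.9 and 符号执行 from 5.5 to 5.4; the same renumbering is applied to SUMMARY.md and the chapter-5 index later in this commit, so the three lists agree. The old `doc/5.4_antidbg.md` is deleted and `doc/5.9_antidbg.md` recreated as a heading-only file, so any intra-repo links to `5.4_antidbg.md` or `5.5_symbolic.md` need updating as well.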
@ -81,6 +82,7 @@
|
||||
- re
|
||||
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
- [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
|
||||
|
||||
- [七、附录](doc/7_appendix.md)
|
||||
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
|
18
SUMMARY.md
@ -26,16 +26,17 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [1.7.4 Android 常用工具](doc/1.7.4_android_tools.md)
|
||||
* [二、工具篇](doc/2_tools.md)
|
||||
* [2.1 VM](doc/2.1_vm.md)
|
||||
* [2.2 gdb/peda](doc/2.2_gdb&peda.md)
|
||||
* [2.2 gdb/peda](doc/2.2_gdb.md)
|
||||
* [2.3 ollydbg](doc/2.3_ollydbg.md)
|
||||
* [2.4 windbg](doc/2.4_windbg.md)
|
||||
* [2.5 radare2](doc/2.5_radare2.md)
|
||||
* [2.6 IDA Pro](doc/2.6_idapro.md)
|
||||
* [2.7 pwntools](doc/2.7_pwntools.md)
|
||||
* [2.8 JEB](doc/2.8_jeb.md)
|
||||
* [2.9 metasploit](doc/2.9_metasploit.md)
|
||||
* [2.10 binwalk](doc/2.10_binwalk.md)
|
||||
* [2.11 Burp Suite](doc/2.11_burpsuite.md)
|
||||
* [2.8 zio](doc/2.8_zio.md)
|
||||
* [2.9 JEB](doc/2.9_jeb.md)
|
||||
* [2.10 metasploit](doc/2.10_metasploit.md)
|
||||
* [2.11 binwalk](doc/2.11_binwalk.md)
|
||||
* [2.12 Burp Suite](doc/2.12_burpsuite.md)
|
||||
* [三、分类专题篇](doc/3_topics.md)
|
||||
* [3.1 Reverse](doc/3.1_reverse.md)
|
||||
* [3.2 Crypto](doc/3.2_crypto.md)
|
||||
@ -54,7 +55,6 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
|
||||
* [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
|
||||
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||
* [4.6 zio](doc/4.6_zio.md)
|
||||
* [4.7 通用 gadget](doc/4.7_common_gadget.md)
|
||||
* [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)
|
||||
* [4.9 给 ELF 文件打 patch](doc/4.9_patch_elf.md)
|
||||
@ -63,11 +63,12 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
|
||||
* [5.3 angr 二进制自动化分析](doc/5.3_angr.md)
|
||||
* [5.4 反调试技术](doc/5.4_antidbg.md)
|
||||
* [5.5 符号执行](doc/5.5_symbolic.md)
|
||||
* [5.4 符号执行](doc/5.4_symbolic.md)
|
||||
* [5.5 Triton 动态二进制分析框架](doc/5.5_triton.md)
|
||||
* [5.6 LLVM](doc/5.6_llvm.md)
|
||||
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||
* [5.8 SAT/SMT](doc/5.8_sat-smt.md)
|
||||
* [5.9 反调试技术](doc/5.9_antidbg.md)
|
||||
* [六、题解篇](doc/6_writeup.md)
|
||||
* pwn
|
||||
* [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md)
|
||||
@ -80,6 +81,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* re
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
* [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
|
||||
* [七、附录](doc/7_appendix.md)
|
||||
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
||||
|
@ -1,72 +0,0 @@
|
||||
# 2.10 binwalk
|
||||
|
||||
<!-- MarkdownTOC -->
|
||||
|
||||
- Binwalk介绍
|
||||
- 安装
|
||||
- 快速入门
|
||||
- 实例
|
||||
|
||||
<!-- /MarkdownTOC -->
|
||||
|
||||
## Binwalk介绍
|
||||
|
||||
Binwalk是一个快速,易于使用的工具,用于分析,逆向工程和提取固件映像。 官方给出的用途是提取固件镜像,然而,我们在做一些隐写类的题目的时候,Binwalk这个工具非常方便。
|
||||
|
||||
以下是binwalk所支持的平台情况:
|
||||
|
||||
| 操作系统 | 核心功能的支持情况 | 可选功能的支持情况 | 安装的难易程度 |
|
||||
| ------- | --------- | --------- | ------- |
|
||||
| Linux | 完美 | 完美 | 非常容易 |
|
||||
| OSX | 完美 | 很好 | 非常容易 |
|
||||
| FreeBSD | 实验性 | 未知 | 非常容易 |
|
||||
| Windows | 实验性 | 很差 | 非常容易 |
|
||||
|
||||
从上面的支持情况来看,我们最好在*unix系统下使用,如果你的Windows版本是1703及以上,那么在[WSL](https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux)中安装binwalk是个不错的选择。
|
||||
|
||||
## 安装
|
||||
|
||||
如果你是在Ubuntu下,那么使用下面的命令安装:
|
||||
|
||||
```shell
|
||||
sudo apt install binwalk
|
||||
```
|
||||
|
||||
## 快速入门
|
||||
|
||||
### 扫描固件
|
||||
|
||||
Binwalk可以扫描许多嵌入式文件类型和文件系统的固件镜像,比如:
|
||||
|
||||
```shell
|
||||
$ binwalk firmware.bin
|
||||
|
||||
DECIMAL HEX DESCRIPTION
|
||||
-------------------------------------------------------------------------------------------------------------------
|
||||
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
|
||||
112 0x70 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
|
||||
1310832 0x140070 PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
|
||||
1310864 0x140090 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes, 1866 inodes, blocksize: 65536 bytes, created: Tue Apr 3 04:12:22 2012
|
||||
```
|
||||
|
||||
### 文件提取
|
||||
|
||||
可以使用binwalk的`-e`参数来提取固件中的文件:
|
||||
|
||||
```shell
|
||||
$ binwalk -e firmware.bin
|
||||
```
|
||||
|
||||
如果你还指定了-M选项,Binwalk甚至会递归扫描文件,因为它会提取它们:
|
||||
|
||||
```shell
|
||||
$ binwalk -Me firmware.bin
|
||||
```
|
||||
|
||||
如果指定了-r选项,则将自动删除无法提取的任何文件签名或导致大小为0的文件:
|
||||
|
||||
```shell
|
||||
$ binwalk -Mre firmware.bin
|
||||
```
|
||||
|
||||
|
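Review bot: this is a rename of `doc/2.10_binwalk.md` to `doc/2.11_binwalk.md` plus edits, but it is recorded as a 72-line delete and a separate 54-line add, so `git log --follow` loses the file's history; do the `git mv` in one commit and the edits in another. Also note that the platform-support table (Linux/OSX/FreeBSD/Windows) removed here is the only evidence behind the "最好在 *nix 系统下使用" sentence that survives in the new file.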
1
doc/2.10_metasploit.md
Normal file
@ -0,0 +1 @@
|
||||
# 2.10 MetaSploit
|
54
doc/2.11_binwalk.md
Normal file
@ -0,0 +1,54 @@
|
||||
# 2.11 binwalk
|
||||
|
||||
- [Binwalk 介绍](#binwalk-介绍)
|
||||
- [安装](#安装)
|
||||
- [快速入门](#快速入门)
|
||||
- [实例](#实例)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## Binwalk 介绍
|
||||
Binwalk 是一个快速,易于使用的工具,用于分析,逆向工程和提取固件映像。 官方给出的用途是提取固件镜像,然而,我们在做一些隐写类的题目的时候,Binwalk 这个工具非常方便。
|
||||
|
||||
最好在 *nix 系统下使用,如果你的 Windows 版本是 1703 及以上,那么在 [WSL](https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux) 中安装 binwalk 是个不错的选择。
|
||||
|
||||
|
||||
## 安装
|
||||
如果你是在 Ubuntu 下,那么使用下面的命令安装:
|
||||
```shell
|
||||
$ sudo apt install binwalk
|
||||
```
|
||||
|
||||
|
||||
## 快速入门
|
||||
#### 扫描固件
|
||||
Binwalk 可以扫描许多嵌入式文件类型和文件系统的固件镜像,比如:
|
||||
```shell
|
||||
$ binwalk firmware.bin
|
||||
|
||||
DECIMAL HEX DESCRIPTION
|
||||
-------------------------------------------------------------------------------------------------------------------
|
||||
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
|
||||
112 0x70 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
|
||||
1310832 0x140070 PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
|
||||
1310864 0x140090 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes, 1866 inodes, blocksize: 65536 bytes, created: Tue Apr 3 04:12:22 2012
|
||||
```
|
||||
|
||||
#### 文件提取
|
||||
可以使用 binwalk 的 `-e` 参数来提取固件中的文件:
|
||||
```shell
|
||||
$ binwalk -e firmware.bin
|
||||
```
|
||||
|
||||
如果你还指定了 `-M` 选项,binwalk 甚至会递归扫描文件,因为它会提取它们:
|
||||
```shell
|
||||
$ binwalk -Me firmware.bin
|
||||
```
|
||||
|
||||
如果指定了 `-r` 选项,则将自动删除无法提取的任何文件签名或导致大小为 0 的文件:
|
||||
```shell
|
||||
$ binwalk -Mre firmware.bin
|
||||
```
|
||||
|
||||
|
||||
## 参考资料
|
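Review bot: the TOC at the top links `#实例` and `#参考资料`, but among the added lines there is no `## 实例` heading and `## 参考资料` is the final line with nothing under it, so one link is dead and one section is empty; either remove them from the TOC or fill them before merging. Heading levels also jump from `##` (快速入门) straight to `####` (扫描固件, 文件提取); use `###`. The `-M` sentence "binwalk 甚至会递归扫描文件,因为它会提取它们" is a garbled rendering of the binwalk docs' "recursively scan extracted files as it extracts them"; something like "binwalk 会在提取的同时递归扫描提取出来的文件" says what the option does.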
@ -1 +0,0 @@
|
||||
# 2.11 Burp Suite
|
1
doc/2.12_burpsuite.md
Normal file
@ -0,0 +1 @@
|
||||
# 2.12 Burp Suite
|
@ -1,4 +1,4 @@
|
||||
# 2.2 gdb 和 peda 调试器
|
||||
# 2.2 gdb/peda
|
||||
|
||||
- [gdb 的组成架构](#gdb-的组成架构)
|
||||
- [gdb 基本工作原理](#gdb-基本工作原理)
|
@ -1 +0,0 @@
|
||||
# 2.8 JEB
|
@ -1,4 +1,4 @@
|
||||
# 4.6 zio
|
||||
# 2.8 zio
|
||||
|
||||
- [zio 简介](#zio-简介)
|
||||
- [安装](#安装)
|
||||
@ -131,3 +131,4 @@ options:
|
||||
|
||||
|
||||
## zio 在 CTF 中的应用
|
||||
何不把使用 pwntools 的写的 exp 换成 zio 试试呢xD。
|
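Review bot: the new `## zio 在 CTF 中的应用` section is a single sentence with a slip ("使用 pwntools 的写的 exp" should be "使用 pwntools 写的 exp") and no content, so it is a placeholder; either add a worked example or leave the heading out until there is one. Since the file moves from 4.6 to 2.8, links to `4.6_zio.md` in other docs need updating too.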
1
doc/2.9_jeb.md
Normal file
@ -0,0 +1 @@
|
||||
# 2.9 JEB
|
@ -1 +0,0 @@
|
||||
# 2.9 MetaSploit
|
@ -1,13 +1,14 @@
|
||||
# 第二章 工具篇
|
||||
|
||||
- [2.1 VM](2.1_vm.md)
|
||||
- [2.2 gdb/peda](2.2_gdb&peda.md)
|
||||
- [2.2 gdb/peda](2.2_gdb.md)
|
||||
- [2.3 ollydbg](2.3_ollydbg.md)
|
||||
- [2.4 windbg](2.4_windbg.md)
|
||||
- [2.5 radare2](2.5_radare2.md)
|
||||
- [2.6 IDA Pro](2.6_idapro.md)
|
||||
- [2.7 pwntools](2.7_pwntools.md)
|
||||
- [2.8 JEB](2.8_jeb.md)
|
||||
- [2.9 metasploit](2.9_metasploit.md)
|
||||
- [2.10 binwalk](2.10_binwalk.md)
|
||||
- [2.11 Burp Suite](2.11_burpsuite.md)
|
||||
- [2.8 zio](2.8_zio.md)
|
||||
- [2.9 JEB](2.9_jeb.md)
|
||||
- [2.10 metasploit](2.10_metasploit.md)
|
||||
- [2.11 binwalk](2.11_binwalk.md)
|
||||
- [2.12 Burp Suite](2.12_burpsuite.md)
|
||||
|
@ -1 +1,24 @@
|
||||
# 4.3 GCC 编译参数解析
|
||||
|
||||
|
||||
#### 控制标准版本的编译选项
|
||||
- `-ansi`:告诉编译器遵守 C 语言的 ISO C90 标准。
|
||||
- `-std=`:通过使用一个参数来设置需要的标准。
|
||||
- `c89`:支持 C89 标准。
|
||||
- `iso9899:1999`:支持 ISO C90 标准。
|
||||
- `gnu89`:支持 C89 标准。
|
||||
|
||||
#### 控制标准版本的常量
|
||||
这些常量(#define)可以通过编译器的命令行选项来设置,或者通过源代码总的 `#define` 语句来定义。
|
||||
- `__STRICT_ANSI__`:强制使用 C 语言的 ISO 标准。这个常量通过命令行选项 `-ansi` 来定义。
|
||||
- `_POSIX_C_SOURCE=2`:启用由 IEEE Std1003.1 和 1003.2 标准定义的特性。
|
||||
- `_BSD_SOURCE`:启用 BSD 类型的特性。
|
||||
- `_GNU_SOURCE`:启用大量特性,其中包括 GNU 扩展。
|
||||
|
||||
#### 编译器的警告选项
|
||||
- `-pedantic`:除了启用用于检查代码是否遵守 C 语言标准的选项外,还关闭了一些不被标准允许的传统 C 语言结构,并且禁用所有的 GNU 扩展。
|
||||
- `-Wformat`:检查 printf 系列函数所使用的参数类型是否正确。
|
||||
- `Wparentheses`:检查是否总是提供了需要的圆括号。当想要检查一个复杂结构的初始化是否按照预期进行时,这个选项就很有用。
|
||||
- `Wswitch-default`:检查是否所有的 switch 语句都包含一个 default case。
|
||||
- `Wunused`:检查诸如声明静态函数但没有定义、未使用的参数和丢弃返回结果等情况。
|
||||
- `Wall`:启用绝大多数 gcc 的警告选项,包括所有以 -W 为前缀的选项。
|
||||
|
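Review bot: several option names in the warnings list are missing their leading dash: `Wparentheses`, `Wswitch-default`, `Wunused` and `Wall` should be `-Wparentheses`, `-Wswitch-default`, `-Wunused`, `-Wall`. Two factual slips in the standards list: `iso9899:1999` is ISO C99, not C90 (C90 is `c90` / `iso9899:1990`), and `gnu89` is C89 plus GNU extensions, so describing both `c89` and `gnu89` as "支持 C89 标准" hides the difference. The `-Wall` line overstates: it enables a commonly useful subset of warnings, not "所有以 -W 为前缀的选项"; `-Wextra` adds more and some must still be named explicitly. `-pedantic` likewise does not disable GNU extensions; it emits the diagnostics strict ISO C requires (only `-pedantic-errors` turns them into errors). Typo: "源代码总的 `#define`" should read "源代码中的 `#define`", and the `####` headings sit directly under a `#` title.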
@ -5,7 +5,6 @@
|
||||
- [4.3 GCC 编译参数解析](4.3_gcc_arg.md)
|
||||
- [4.4 GCC 堆栈保护技术](4.4_gcc_sec.md)
|
||||
- [4.5 Z3 约束求解器](4.5_z3.md)
|
||||
- [4.6 zio](4.6_zio.md)
|
||||
- [4.7 通用 gadget](4.7_common_gadget.md)
|
||||
- [4.8 使用 DynELF 泄露函数地址](4.8_dynelf.md)
|
||||
- [4.9 给 ELF 文件打 patch](4.9_patch_elf.md)
|
||||
|
305
doc/5.3_angr.md
@ -1,21 +1,25 @@
|
||||
# 5.3 angr 二进制自动化分析
|
||||
|
||||
angr是一个多架构的二进制分析平台,具备对二进制文件的动态符号执行能力和多种静态分析能力。
|
||||
- [安装](#安装)
|
||||
- [使用 angr](#使用-angr)
|
||||
- [angr 在 CTF 中的运用](#angr-在-ctf-中的运用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[angr](https://github.com/angr/angr) 是一个多架构的二进制分析平台,具备对二进制文件的动态符号执行能力和多种静态分析能力。在近几年的 CTF 中也大有用途。
|
||||
|
||||
|
||||
## 安装
|
||||
|
||||
在Ubuntu上,首先我们应该安装所有的编译所需要的依赖环境:
|
||||
|
||||
在 Ubuntu 上,首先我们应该安装所有的编译所需要的依赖环境:
|
||||
```shell
|
||||
sudo apt install python-dev libffi-dev build-essential virtualenvwrapper
|
||||
$ sudo apt install python-dev libffi-dev build-essential virtualenvwrapper
|
||||
```
|
||||
|
||||
强烈建议在虚拟环境中安装angr,因为有几个angr的依赖(比如z3)是从他们的原始库中fork而来,如果你已经安装了z3,那么你肯定不希望angr的依赖覆盖掉官方的共享库。
|
||||
强烈建议在虚拟环境中安装 angr,因为有几个 angr 的依赖(比如z3)是从他们的原始库中 fork 而来,如果你已经安装了 z3,那么你肯定不希望 angr 的依赖覆盖掉官方的共享库。
|
||||
|
||||
对于大多数*unix系统,只需要`mkvirtualenv angr && pip install angr`安装angr就好了。
|
||||
对于大多数 *nix系统,只需要 `mkvirtualenv angr && pip install angr` 安装就好了。
|
||||
|
||||
如果这样安装失败的话,那么你可以按照这样的顺序:
|
||||
|
||||
```text
|
||||
1. claripy
|
||||
2. archinfo
|
||||
@ -23,23 +27,20 @@ sudo apt install python-dev libffi-dev build-essential virtualenvwrapper
|
||||
4. cle
|
||||
5. angr
|
||||
```
|
||||
|
||||
从angr的官方仓库安装。
|
||||
|
||||
附安装方法:
|
||||
|
||||
```shell
|
||||
git clone https://github.com/angr/claripy
|
||||
cd claripy
|
||||
sudo pip install -r requirements.txt
|
||||
sudo python setup.py build
|
||||
sudo python setup.py install
|
||||
$ git clone https://github.com/angr/claripy
|
||||
$ cd claripy
|
||||
$ sudo pip install -r requirements.txt
|
||||
$ sudo python setup.py build
|
||||
$ sudo python setup.py install
|
||||
```
|
||||
|
||||
其他几个angr官方库的安装也是如此。
|
||||
|
||||
## 一些`import angr`可能出现的问题
|
||||
其他几个 angr 官方库的安装也是如此。
|
||||
|
||||
#### 一些`import angr`可能出现的问题
|
||||
如果你在安装angr之后,进入python环境,在import之后有这样的报错:
|
||||
|
||||
```python
|
||||
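Review bot: the fallback install steps (`$ sudo pip install -r requirements.txt`, `$ sudo python setup.py build`, `$ sudo python setup.py install`) install into the system site-packages, which contradicts the advice a few lines earlier to use a virtualenv precisely so angr's forked z3 does not overwrite the official one; inside `mkvirtualenv angr` these should be plain `pip install -r requirements.txt` and `python setup.py install` without `sudo`. The `####` heading for "一些`import angr`可能出现的问题" sits under a `##` section and skips `###`.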
@ -62,97 +63,187 @@ Traceback (most recent call last):
|
||||
ImportError: cannot import name arm
|
||||
>>>
|
||||
```
|
||||
可以看到,是 capstone 出现了问题,解决方法是重新安装 angr:
|
||||
```shell
|
||||
$ sudo pip install -I --no-use-wheel capstone
|
||||
```
|
||||
|
||||
在ipython环境中也许会有这样的报错:
|
||||
若是问题依然存在,那么请先卸载所有的 capstone:
|
||||
```shell
|
||||
$ sudo pip3 uninstall capstone
|
||||
$ sudo pip uninstall capstone
|
||||
```
|
||||
然后再从 pypi 源中获取最新版本安装:
|
||||
```shell
|
||||
$ wget https://pypi.python.org/packages/fd/33/d1fc2d01b85572b88c9b4c359f36f88f8c32f2f0b9ffb2d21cd41bad2257/capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl#md5=ecd7e1e39ea6dacf027c0cfe7eb1bf94
|
||||
$ sudo pip2 install capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl
|
||||
```
|
||||
其他问题可以到官方文档中查看。
|
||||
|
||||
|
||||
## 使用 angr
|
||||
|
||||
|
||||
## angr 在 CTF 中的运用
|
||||
#### re DefcampCTF2015 entry_language
|
||||
这是一题标准的密码验证题,输入一个字符串,程序验证对误。
|
||||
```
|
||||
$ file entry_language
|
||||
defcamp_r100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=0f464824cc8ee321ef9a80a799c70b1b6aec8168, stripped
|
||||
```
|
||||
```
|
||||
$ ./entry_language
|
||||
Enter the password: ABCD
|
||||
Incorrect password!
|
||||
```
|
||||
|
||||
为了与 angr 的自动化做对比,我们先使用传统的方法,逆向算法求解,`main` 函数和验证函数 `fcn.004006fd` 如下:
|
||||
```
|
||||
[0x00400610]> pdf @ main
|
||||
/ (fcn) main 153
|
||||
| main ();
|
||||
| ; var int local_110h @ rbp-0x110
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; DATA XREF from 0x0040062d (entry0)
|
||||
| 0x004007e8 55 push rbp
|
||||
| 0x004007e9 4889e5 mov rbp, rsp
|
||||
| 0x004007ec 4881ec100100. sub rsp, 0x110
|
||||
| 0x004007f3 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x004007fc 488945f8 mov qword [local_8h], rax
|
||||
| 0x00400800 31c0 xor eax, eax
|
||||
| 0x00400802 bf37094000 mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: "
|
||||
| 0x00400807 b800000000 mov eax, 0
|
||||
| 0x0040080c e8affdffff call sym.imp.printf ; int printf(const char *format)
|
||||
| 0x00400811 488b15500820. mov rdx, qword [obj.stdin] ; [0x601068:8]=0
|
||||
| 0x00400818 488d85f0feff. lea rax, [local_110h]
|
||||
| 0x0040081f beff000000 mov esi, 0xff ; 255
|
||||
| 0x00400824 4889c7 mov rdi, rax
|
||||
| 0x00400827 e8b4fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
|
||||
| 0x0040082c 4885c0 test rax, rax
|
||||
| ,=< 0x0040082f 7435 je 0x400866
|
||||
| | 0x00400831 488d85f0feff. lea rax, [local_110h]
|
||||
| | 0x00400838 4889c7 mov rdi, rax
|
||||
| | 0x0040083b e8bdfeffff call fcn.004006fd ; 调用验证函数
|
||||
| | 0x00400840 85c0 test eax, eax
|
||||
| ,==< 0x00400842 7511 jne 0x400855
|
||||
| || 0x00400844 bf4c094000 mov edi, str.Nice_ ; 0x40094c ; "Nice!"
|
||||
| || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s)
|
||||
| || 0x0040084e b800000000 mov eax, 0
|
||||
| ,===< 0x00400853 eb16 jmp 0x40086b
|
||||
| ||| ; JMP XREF from 0x00400842 (main)
|
||||
| |`--> 0x00400855 bf52094000 mov edi, str.Incorrect_password_ ; 0x400952 ; "Incorrect password!"
|
||||
| | | 0x0040085a e841fdffff call sym.imp.puts ; int puts(const char *s)
|
||||
| | | 0x0040085f b801000000 mov eax, 1
|
||||
| |,==< 0x00400864 eb05 jmp 0x40086b
|
||||
| ||| ; JMP XREF from 0x0040082f (main)
|
||||
| ||`-> 0x00400866 b800000000 mov eax, 0
|
||||
| || ; JMP XREF from 0x00400864 (main)
|
||||
| || ; JMP XREF from 0x00400853 (main)
|
||||
| ``--> 0x0040086b 488b4df8 mov rcx, qword [local_8h]
|
||||
| 0x0040086f 6448330c2528. xor rcx, qword fs:[0x28]
|
||||
| ,=< 0x00400878 7405 je 0x40087f
|
||||
| | 0x0040087a e831fdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400878 (main)
|
||||
| `-> 0x0040087f c9 leave
|
||||
\ 0x00400880 c3 ret
|
||||
[0x00400610]> pdf @ fcn.004006fd
|
||||
/ (fcn) fcn.004006fd 171
|
||||
| fcn.004006fd (int arg_bh);
|
||||
| ; var int local_38h @ rbp-0x38
|
||||
| ; var int local_24h @ rbp-0x24
|
||||
| ; var int local_20h @ rbp-0x20
|
||||
| ; var int local_18h @ rbp-0x18
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; arg int arg_bh @ rbp+0xb
|
||||
| ; CALL XREF from 0x0040083b (main)
|
||||
| 0x004006fd 55 push rbp
|
||||
| 0x004006fe 4889e5 mov rbp, rsp
|
||||
| 0x00400701 48897dc8 mov qword [local_38h], rdi
|
||||
| 0x00400705 c745dc000000. mov dword [local_24h], 0
|
||||
| 0x0040070c 48c745e01409. mov qword [local_20h], str.Dufhbmf ; 0x400914 ; "Dufhbmf"
|
||||
| 0x00400714 48c745e81c09. mov qword [local_18h], str.pG_imos ; 0x40091c ; "pG`imos"
|
||||
| 0x0040071c 48c745f02409. mov qword [local_10h], str.ewUglpt ; 0x400924 ; "ewUglpt"
|
||||
| 0x00400724 c745dc000000. mov dword [local_24h], 0
|
||||
| ,=< 0x0040072b eb6e jmp 0x40079b
|
||||
| | ; JMP XREF from 0x0040079f (fcn.004006fd)
|
||||
| .--> 0x0040072d 8b4ddc mov ecx, dword [local_24h]
|
||||
| :| 0x00400730 ba56555555 mov edx, 0x55555556
|
||||
| :| 0x00400735 89c8 mov eax, ecx
|
||||
| :| 0x00400737 f7ea imul edx
|
||||
| :| 0x00400739 89c8 mov eax, ecx
|
||||
| :| 0x0040073b c1f81f sar eax, 0x1f
|
||||
| :| 0x0040073e 29c2 sub edx, eax
|
||||
| :| 0x00400740 89d0 mov eax, edx
|
||||
| :| 0x00400742 01c0 add eax, eax
|
||||
| :| 0x00400744 01d0 add eax, edx
|
||||
| :| 0x00400746 29c1 sub ecx, eax
|
||||
| :| 0x00400748 89ca mov edx, ecx
|
||||
| :| 0x0040074a 4863c2 movsxd rax, edx
|
||||
| :| 0x0040074d 488b74c5e0 mov rsi, qword [rbp + rax*8 - 0x20]
|
||||
| :| 0x00400752 8b4ddc mov ecx, dword [local_24h]
|
||||
| :| 0x00400755 ba56555555 mov edx, 0x55555556
|
||||
| :| 0x0040075a 89c8 mov eax, ecx
|
||||
| :| 0x0040075c f7ea imul edx
|
||||
| :| 0x0040075e 89c8 mov eax, ecx
|
||||
| :| 0x00400760 c1f81f sar eax, 0x1f
|
||||
| :| 0x00400763 29c2 sub edx, eax
|
||||
| :| 0x00400765 89d0 mov eax, edx
|
||||
| :| 0x00400767 01c0 add eax, eax
|
||||
| :| 0x00400769 4898 cdqe
|
||||
| :| 0x0040076b 4801f0 add rax, rsi ; '+'
|
||||
| :| 0x0040076e 0fb600 movzx eax, byte [rax]
|
||||
| :| 0x00400771 0fbed0 movsx edx, al
|
||||
| :| 0x00400774 8b45dc mov eax, dword [local_24h]
|
||||
| :| 0x00400777 4863c8 movsxd rcx, eax
|
||||
| :| 0x0040077a 488b45c8 mov rax, qword [local_38h]
|
||||
| :| 0x0040077e 4801c8 add rax, rcx ; '&'
|
||||
| :| 0x00400781 0fb600 movzx eax, byte [rax]
|
||||
| :| 0x00400784 0fbec0 movsx eax, al
|
||||
| :| 0x00400787 29c2 sub edx, eax
|
||||
| :| 0x00400789 89d0 mov eax, edx
|
||||
| :| 0x0040078b 83f801 cmp eax, 1 ; 1
|
||||
| ,===< 0x0040078e 7407 je 0x400797 ; = 1 时跳转,验证成功
|
||||
| |:| 0x00400790 b801000000 mov eax, 1 ; 返回 1,验证失败
|
||||
| ,====< 0x00400795 eb0f jmp 0x4007a6
|
||||
| ||:| ; JMP XREF from 0x0040078e (fcn.004006fd)
|
||||
| |`---> 0x00400797 8345dc01 add dword [local_24h], 1 ; i = i + 1
|
||||
| | :| ; JMP XREF from 0x0040072b (fcn.004006fd)
|
||||
| | :`-> 0x0040079b 837ddc0b cmp dword [local_24h], 0xb ; [0xb:4]=-1 ; 11
|
||||
| | `==< 0x0040079f 7e8c jle 0x40072d ; i <= 11 时跳转
|
||||
| | 0x004007a1 b800000000 mov eax, 0 ; 返回 0
|
||||
| | ; JMP XREF from 0x00400795 (fcn.004006fd)
|
||||
| `----> 0x004007a6 5d pop rbp
|
||||
\ 0x004007a7 c3 ret
|
||||
```
|
||||
|
||||
整理后可以得到下面的伪代码:
|
||||
```C
|
||||
int fcn_004006fd(int *passwd) {
|
||||
char *str_1 = "Dufhbmf";
|
||||
char *str_2 = "pG`imos";
|
||||
char *str_3 = "ewUglpt";
|
||||
for (int i = 0; i <= 11; i++) {
|
||||
if((&str_3)[i % 3][2 * (1 / 3)] - *(i + passwd) != 1) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
```
|
||||
然后写出逆向脚本:
|
||||
```python
|
||||
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
|
||||
Type "copyright", "credits" or "license" for more information.
|
||||
|
||||
IPython 2.4.1 -- An enhanced Interactive Python.
|
||||
? -> Introduction and overview of IPython's features.
|
||||
%quickref -> Quick reference.
|
||||
help -> Python's own help system.
|
||||
object? -> Details about 'object', use 'object??' for extra details.
|
||||
|
||||
In [1]: import angr
|
||||
---------------------------------------------------------------------------
|
||||
ImportError Traceback (most recent call last)
|
||||
<ipython-input-1-bcea9b74a356> in <module>()
|
||||
----> 1 import angr
|
||||
|
||||
/root/angr/angr/__init__.pyc in <module>()
|
||||
23 from .state_plugins.inspect import BP
|
||||
24
|
||||
---> 25 from .project import *
|
||||
26 from .errors import *
|
||||
27 #from . import surveyors
|
||||
|
||||
/root/angr/angr/project.py in <module>()
|
||||
590 from .factory import AngrObjectFactory
|
||||
591 from .simos import SimOS, os_mapping
|
||||
--> 592 from .analyses.analysis import Analyses
|
||||
593 from .surveyors import Surveyors
|
||||
594 from .knowledge_base import KnowledgeBase
|
||||
|
||||
/root/angr/angr/analyses/__init__.py in <module>()
|
||||
20 from .congruency_check import CongruencyCheck
|
||||
21 from .static_hooker import StaticHooker
|
||||
---> 22 from .reassembler import Reassembler
|
||||
23 from .binary_optimizer import BinaryOptimizer
|
||||
24 from .disassembly import Disassembly
|
||||
|
||||
/root/angr/angr/analyses/reassembler.py in <module>()
|
||||
7 from itertools import count
|
||||
8
|
||||
----> 9 import capstone
|
||||
10 import cffi
|
||||
11 import cle
|
||||
|
||||
/usr/local/lib/python2.7/dist-packages/capstone/__init__.py in <module>()
|
||||
4 if _python2:
|
||||
5 range = xrange
|
||||
----> 6 from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
|
||||
7
|
||||
8 __all__ = [
|
||||
|
||||
ImportError: cannot import name arm
|
||||
str_list = ["Dufhbmf", "pG`imos", "ewUglpt"]
|
||||
passwd = []
|
||||
for i in range(12):
|
||||
passwd.append(chr(ord(str_list[i % 3][2 * (i / 3)]) - 1))
|
||||
print ''.join(passwd)
|
||||
```
|
||||
|
||||
可以看到,是capstone出现了问题。
|
||||
|
||||
解决这个问题的方法是重新安装angr:
|
||||
|
||||
```shell
|
||||
sudo pip install -I --no-use-wheel capstone
|
||||
```
|
||||
|
||||
这样就能解决问题。
|
||||
|
||||
若是问题依然存在,那么请先卸载所有的capstone:
|
||||
|
||||
```shell
|
||||
sudo pip3 uninstall capstone
|
||||
sudo pip uninstall capstone
|
||||
```
|
||||
|
||||
然后从pypi源中获取最新版本安装:
|
||||
|
||||
```shell
|
||||
wget https://pypi.python.org/packages/fd/33/d1fc2d01b85572b88c9b4c359f36f88f8c32f2f0b9ffb2d21cd41bad2257/capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl#md5=ecd7e1e39ea6dacf027c0cfe7eb1bf94
|
||||
sudo pip2 install capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl
|
||||
```
|
||||
|
||||
(如果wget这个安装包失败的话,你可以在[https://pypi.python.org/pypi/capstone/](https://pypi.python.org/pypi/capstone/)找到capstone最新的版本)
|
||||
|
||||
## 一个例子
|
||||
|
||||
这里是一个简单的使用符号执行去获取一道CTF赛题的flag:
|
||||
|
||||
逆向算法似乎也很简单,但如果连算法都不用逆的话,下面就是见证 angr 魔力的时刻,我们只需要指定让程序运行到 `0x400844`,即验证通过时的位置,而不用管验证的逻辑是怎么样的。完整的 exp 如下,其他文件在 [github](../src/Others/5.3_angr) 相应文件夹中。
|
||||
```python
|
||||
import angr
|
||||
|
||||
project = angr.Project("CTF-All-In-One/src/Reverse/defcamp_r100", auto_load_libs=False)
|
||||
project = angr.Project("entry_language", auto_load_libs=False)
|
||||
|
||||
@project.hook(0x400844)
|
||||
def print_flag(state):
|
||||
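Review bot: the C pseudocode has two bugs: `2 * (1 / 3)` should be `2 * (i / 3)` (compare `2 * (i / 3)` in the Python script that follows), and the base of the table is `str_1`, not `str_3`: `mov rsi, qword [rbp + rax*8 - 0x20]` indexes from local_20h, which holds "Dufhbmf". The parameter should also be `char *passwd`, since the function reads single bytes (`movzx eax, byte [rax]`) and `*(i + passwd)` on an `int *` would step four bytes at a time. A cleaner rendering: `const char *s[3] = {"Dufhbmf", "pG`imos", "ewUglpt"}; if (s[i % 3][2 * (i / 3)] - passwd[i] != 1) return 1;`. Smaller points: "程序验证对误" should be "正误"; the `file entry_language` output still shows `defcamp_r100:` even though the binary is renamed in this commit, so regenerate it; and `## 使用 angr` is an empty section that the TOC links to.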
@ -161,3 +252,15 @@ def print_flag(state):
|
||||
|
||||
project.execute()
|
||||
```
|
||||
|
||||
Bingo!!!
|
||||
```
|
||||
$ python2 exp_angr.py
|
||||
FLAG SHOULD BE: Code_Talkers
|
||||
```
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [docs.angr.io](https://docs.angr.io/)
|
||||
- [angr API documentation](http://angr.io/api-doc/)
|
||||
- [The Art of War:Offensive Techniques in Binary Analysis](https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf)
|
||||
|
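Review bot: the output fence around `$ python2 exp_angr.py` has no language tag while the rest of the file tags its fences (`shell`, `python`, `C`); use ```shell for consistency. The `python2` in the command is worth keeping explicit, since the scripts use Python 2 `print` statements.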
@ -1 +0,0 @@
|
||||
# 5.4 反调试技术
|
@ -1,4 +1,4 @@
|
||||
# 5.5 符号执行
|
||||
# 5.4 符号执行
|
||||
|
||||
- [符号执行的历史](#符号执行的历史)
|
||||
- [什么是符号执行](#什么是符号执行)
|
1
doc/5.5_triton.md
Normal file
@ -0,0 +1 @@
|
||||
# 5.5 Triton 动态二进制分析框架
|
1
doc/5.9_antidbg.md
Normal file
@ -0,0 +1 @@
|
||||
# 5.9 反调试技术
|
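Review bot: this file, like `doc/2.10_metasploit.md`, `doc/2.12_burpsuite.md`, `doc/2.9_jeb.md` and `doc/5.5_triton.md` added in the same commit, contains only a heading; consider adding a TODO line so the index does not present them as finished sections.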
@ -3,8 +3,9 @@
|
||||
- [5.1 Fuzz 测试](5.1_fuzz.md)
|
||||
- [5.2 Pin 动态二进制插桩](5.2_pin.md)
|
||||
- [5.3 angr 二进制自动化分析](5.3_angr.md)
|
||||
- [5.4 反调试技术](5.4_antidbg.md)
|
||||
- [5.5 Symbolic Execution 符号执行技术](5.5_symbolic.md)
|
||||
- [5.4 Symbolic Execution 符号执行技术](5.4_symbolic.md)
|
||||
- [5.5 Triton 动态二进制分析框架](5.5_triton.md)
|
||||
- [5.6 LLVM](5.6_llvm.md)
|
||||
- [5.7 Capstone/Keystone](5.7_cap-keystone.md)
|
||||
- [5.8 SAT/SMT](5.8_sat-smt.md)
|
||||
- [5.9 反调试技术](5.9_antidbg.md)
|
||||
|
@ -212,7 +212,7 @@ gdb-peda$ x/37x 0x7fffffffe460
|
||||
| `-`---> 0x004008a2 8345fc01 add dword [local_4h], 1 ; i = i + 1
|
||||
| :| ; JMP XREF from 0x004007cb (sym.giff_flag)
|
||||
| :`-> 0x004008a6 837dfc24 cmp dword [local_4h], 0x24 ; [0x24:4]=-1 ; '$' ; 36
|
||||
| `==< 0x004008aa 0f8e20ffffff jle 0x4007d0 ; k <= 36 时跳转
|
||||
| `==< 0x004008aa 0f8e20ffffff jle 0x4007d0 ; i <= 36 时跳转
|
||||
| 0x004008b0 8b05ce172000 mov eax, dword [obj.num2] ; [0x602084:4]=0
|
||||
| 0x004008b6 83c001 add eax, 1
|
||||
| 0x004008b9 8905c5172000 mov dword [obj.num2], eax ; [0x602084:4]=0
|
||||
|
13
doc/6.2.3_re_codegate2017_angrybird.md
Normal file
@ -0,0 +1,13 @@
|
||||
# 6.2.3 re Codegate2017 angrybird
|
||||
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 题目解析
|
||||
```
|
||||
$ file angrybird
|
||||
angrybird: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=089c3a14bcd7ffb08e94645cea46f1162b171445, stripped
|
||||
```
|
||||
|
||||
## 参考资料
|
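Review bot: `## 题目解析` contains only the `file angrybird` output and `## 参考资料` is empty, so this writeup is a stub; either fill the analysis and references or mark the file TODO so the `6.2.3` index entry does not point at an unfinished page. The fence around the `file` output lacks a language tag.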
@ -11,3 +11,4 @@
|
||||
- re
|
||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||
- [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md)
|
||||
|
0
src/Reverse/defcamp_r100 → src/Others/5.3_angr/entry_language
Normal file → Executable file
10
src/Others/5.3_angr/exp_angr.py
Normal file
@ -0,0 +1,10 @@
|
||||
import angr
|
||||
|
||||
project = angr.Project("entry_language", auto_load_libs=False)
|
||||
|
||||
@project.hook(0x400844)
|
||||
def print_flag(state):
|
||||
print "FLAG SHOULD BE:", state.posix.dump_fd(0)
|
||||
project.terminate_execution()
|
||||
|
||||
project.execute()
|
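Review bot: `project.execute()` and `project.terminate_execution()` are angr's old surveyor-based API, and `state.posix.dump_fd(0)` is likewise an older name; current releases removed them, so this script only runs against the angr version the author had. The equivalent with the simulation manager is `simgr = project.factory.simulation_manager(); simgr.explore(find=0x400844); print(simgr.found[0].posix.dumps(0))`, which drops the hook entirely. The `print` statement also pins the script to Python 2.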
5
src/Others/5.3_angr/exp_re.py
Normal file
@ -0,0 +1,5 @@
|
||||
str_list = ["Dufhbmf", "pG`imos", "ewUglpt"]
|
||||
passwd = []
|
||||
for i in range(12):
|
||||
passwd.append(chr(ord(str_list[i % 3][2 * (i / 3)]) - 1))
|
||||
print ''.join(passwd)
|
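Review bot: `2 * (i / 3)` relies on Python 2 integer division and `print ''.join(passwd)` is Python 2 syntax; under Python 3 the index becomes a float and indexing the string raises TypeError. Use `i // 3` and `print(''.join(passwd))` so it runs under both. The `- 1` correctly inverts the `s - passwd[i] == 1` check in the binary, and the writeup's expected output is `Code_Talkers`.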
BIN
src/writeup/6.2.3_re_codegate2017_angrybird/angrybird
Normal file
Binary file not shown.