6.2.8 re DefcampCTF2015 entry_language

下载文件

题目解析

这是一题标准的密码验证题,输入一个字符串,程序验证对误。

  1. $ file entry_language
  2. defcamp_r100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=0f464824cc8ee321ef9a80a799c70b1b6aec8168, stripped
  1. $ ./entry_language
  2. Enter the password: ABCD
  3. Incorrect password!

为了与 angr 的自动化做对比,我们先使用传统的方法,逆向算法求解,main 函数和验证函数 fcn.004006fd 如下:

  1. [0x00400610]> pdf @ main
  2. / (fcn) main 153
  3. | main ();
  4. | ; var int local_110h @ rbp-0x110
  5. | ; var int local_8h @ rbp-0x8
  6. | ; DATA XREF from 0x0040062d (entry0)
  7. | 0x004007e8 55 push rbp
  8. | 0x004007e9 4889e5 mov rbp, rsp
  9. | 0x004007ec 4881ec100100. sub rsp, 0x110
  10. | 0x004007f3 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
  11. | 0x004007fc 488945f8 mov qword [local_8h], rax
  12. | 0x00400800 31c0 xor eax, eax
  13. | 0x00400802 bf37094000 mov edi, str.Enter_the_password: ; 0x400937 ; "Enter the password: "
  14. | 0x00400807 b800000000 mov eax, 0
  15. | 0x0040080c e8affdffff call sym.imp.printf ; int printf(const char *format)
  16. | 0x00400811 488b15500820. mov rdx, qword [obj.stdin] ; [0x601068:8]=0
  17. | 0x00400818 488d85f0feff. lea rax, [local_110h]
  18. | 0x0040081f beff000000 mov esi, 0xff ; 255
  19. | 0x00400824 4889c7 mov rdi, rax
  20. | 0x00400827 e8b4fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
  21. | 0x0040082c 4885c0 test rax, rax
  22. | ,=< 0x0040082f 7435 je 0x400866
  23. | | 0x00400831 488d85f0feff. lea rax, [local_110h]
  24. | | 0x00400838 4889c7 mov rdi, rax
  25. | | 0x0040083b e8bdfeffff call fcn.004006fd ; 调用验证函数
  26. | | 0x00400840 85c0 test eax, eax
  27. | ,==< 0x00400842 7511 jne 0x400855
  28. | || 0x00400844 bf4c094000 mov edi, str.Nice_ ; 0x40094c ; "Nice!"
  29. | || 0x00400849 e852fdffff call sym.imp.puts ; int puts(const char *s)
  30. | || 0x0040084e b800000000 mov eax, 0
  31. | ,===< 0x00400853 eb16 jmp 0x40086b
  32. | ||| ; JMP XREF from 0x00400842 (main)
  33. | |`--> 0x00400855 bf52094000 mov edi, str.Incorrect_password_ ; 0x400952 ; "Incorrect password!"
  34. | | | 0x0040085a e841fdffff call sym.imp.puts ; int puts(const char *s)
  35. | | | 0x0040085f b801000000 mov eax, 1
  36. | |,==< 0x00400864 eb05 jmp 0x40086b
  37. | ||| ; JMP XREF from 0x0040082f (main)
  38. | ||`-> 0x00400866 b800000000 mov eax, 0
  39. | || ; JMP XREF from 0x00400864 (main)
  40. | || ; JMP XREF from 0x00400853 (main)
  41. | ``--> 0x0040086b 488b4df8 mov rcx, qword [local_8h]
  42. | 0x0040086f 6448330c2528. xor rcx, qword fs:[0x28]
  43. | ,=< 0x00400878 7405 je 0x40087f
  44. | | 0x0040087a e831fdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
  45. | | ; JMP XREF from 0x00400878 (main)
  46. | `-> 0x0040087f c9 leave
  47. \ 0x00400880 c3 ret
  48. [0x00400610]> pdf @ fcn.004006fd
  49. / (fcn) fcn.004006fd 171
  50. | fcn.004006fd (int arg_bh);
  51. | ; var int local_38h @ rbp-0x38
  52. | ; var int local_24h @ rbp-0x24
  53. | ; var int local_20h @ rbp-0x20
  54. | ; var int local_18h @ rbp-0x18
  55. | ; var int local_10h @ rbp-0x10
  56. | ; arg int arg_bh @ rbp+0xb
  57. | ; CALL XREF from 0x0040083b (main)
  58. | 0x004006fd 55 push rbp
  59. | 0x004006fe 4889e5 mov rbp, rsp
  60. | 0x00400701 48897dc8 mov qword [local_38h], rdi
  61. | 0x00400705 c745dc000000. mov dword [local_24h], 0
  62. | 0x0040070c 48c745e01409. mov qword [local_20h], str.Dufhbmf ; 0x400914 ; "Dufhbmf"
  63. | 0x00400714 48c745e81c09. mov qword [local_18h], str.pG_imos ; 0x40091c ; "pG`imos"
  64. | 0x0040071c 48c745f02409. mov qword [local_10h], str.ewUglpt ; 0x400924 ; "ewUglpt"
  65. | 0x00400724 c745dc000000. mov dword [local_24h], 0
  66. | ,=< 0x0040072b eb6e jmp 0x40079b
  67. | | ; JMP XREF from 0x0040079f (fcn.004006fd)
  68. | .--> 0x0040072d 8b4ddc mov ecx, dword [local_24h]
  69. | :| 0x00400730 ba56555555 mov edx, 0x55555556
  70. | :| 0x00400735 89c8 mov eax, ecx
  71. | :| 0x00400737 f7ea imul edx
  72. | :| 0x00400739 89c8 mov eax, ecx
  73. | :| 0x0040073b c1f81f sar eax, 0x1f
  74. | :| 0x0040073e 29c2 sub edx, eax
  75. | :| 0x00400740 89d0 mov eax, edx
  76. | :| 0x00400742 01c0 add eax, eax
  77. | :| 0x00400744 01d0 add eax, edx
  78. | :| 0x00400746 29c1 sub ecx, eax
  79. | :| 0x00400748 89ca mov edx, ecx
  80. | :| 0x0040074a 4863c2 movsxd rax, edx
  81. | :| 0x0040074d 488b74c5e0 mov rsi, qword [rbp + rax*8 - 0x20]
  82. | :| 0x00400752 8b4ddc mov ecx, dword [local_24h]
  83. | :| 0x00400755 ba56555555 mov edx, 0x55555556
  84. | :| 0x0040075a 89c8 mov eax, ecx
  85. | :| 0x0040075c f7ea imul edx
  86. | :| 0x0040075e 89c8 mov eax, ecx
  87. | :| 0x00400760 c1f81f sar eax, 0x1f
  88. | :| 0x00400763 29c2 sub edx, eax
  89. | :| 0x00400765 89d0 mov eax, edx
  90. | :| 0x00400767 01c0 add eax, eax
  91. | :| 0x00400769 4898 cdqe
  92. | :| 0x0040076b 4801f0 add rax, rsi ; '+'
  93. | :| 0x0040076e 0fb600 movzx eax, byte [rax]
  94. | :| 0x00400771 0fbed0 movsx edx, al
  95. | :| 0x00400774 8b45dc mov eax, dword [local_24h]
  96. | :| 0x00400777 4863c8 movsxd rcx, eax
  97. | :| 0x0040077a 488b45c8 mov rax, qword [local_38h]
  98. | :| 0x0040077e 4801c8 add rax, rcx ; '&'
  99. | :| 0x00400781 0fb600 movzx eax, byte [rax]
  100. | :| 0x00400784 0fbec0 movsx eax, al
  101. | :| 0x00400787 29c2 sub edx, eax
  102. | :| 0x00400789 89d0 mov eax, edx
  103. | :| 0x0040078b 83f801 cmp eax, 1 ; 1
  104. | ,===< 0x0040078e 7407 je 0x400797 ; = 1 时跳转,验证成功
  105. | |:| 0x00400790 b801000000 mov eax, 1 ; 返回 1,验证失败
  106. | ,====< 0x00400795 eb0f jmp 0x4007a6
  107. | ||:| ; JMP XREF from 0x0040078e (fcn.004006fd)
  108. | |`---> 0x00400797 8345dc01 add dword [local_24h], 1 ; i = i + 1
  109. | | :| ; JMP XREF from 0x0040072b (fcn.004006fd)
  110. | | :`-> 0x0040079b 837ddc0b cmp dword [local_24h], 0xb ; [0xb:4]=-1 ; 11
  111. | | `==< 0x0040079f 7e8c jle 0x40072d ; i <= 11 时跳转
  112. | | 0x004007a1 b800000000 mov eax, 0 ; 返回 0
  113. | | ; JMP XREF from 0x00400795 (fcn.004006fd)
  114. | `----> 0x004007a6 5d pop rbp
  115. \ 0x004007a7 c3 ret

整理后可以得到下面的伪代码:

  1. int fcn_004006fd(int *passwd) {
  2. char *str_1 = "Dufhbmf";
  3. char *str_2 = "pG`imos";
  4. char *str_3 = "ewUglpt";
  5. for (int i = 0; i <= 11; i++) {
  6. if((&str_3)[i % 3][2 * (1 / 3)] - *(i + passwd) != 1) {
  7. return 1;
  8. }
  9. }
  10. return 0;
  11. }

然后写出逆向脚本:

  1. str_list = ["Dufhbmf", "pG`imos", "ewUglpt"]
  2. passwd = []
  3. for i in range(12):
  4. passwd.append(chr(ord(str_list[i % 3][2 * (i / 3)]) - 1))
  5. print ''.join(passwd)

逆向算法似乎也很简单,但如果连算法都不用逆的话,下面就是见证 angr 魔力的时刻,我们只需要指定让程序运行到 0x400844,即验证通过时的位置,而不用管验证的逻辑是怎么样的。

完整的脚本如下:

  1. import angr
  2. project = angr.Project("entry_language", auto_load_libs=False)
  3. @project.hook(0x400844)
  4. def print_flag(state):
  5. print "FLAG SHOULD BE:", state.posix.dump_fd(0)
  6. project.terminate_execution()
  7. project.execute()

Bingo!!!

  1. $ python2 solve_angr.py
  2. FLAG SHOULD BE: Code_Talkers
  3. $ ./entry_language
  4. Enter the password: Code_Talkers
  5. Nice!

参考资料