CTF Challenge - Hetian Network Security Lab - Reverse 300 writeup

This challenge can be solved directly with angr, with no manual analysis needed.

Just find the two addresses shown in the figure below.

In [1]: import angr
WARNING | 2018-10-06 05:04:30,383 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.

In [2]: import claripy

In [3]: proj = angr.Project("./Desktop/rev300")
---------------------------------------------------------------------------
Exception                                 Traceback (most recent call last)
<ipython-input-3-e2682d5cb563> in <module>()
----> 1 proj = angr.Project("./Desktop/rev300")

/home/iqiqiya/.virtualenvs/angr/lib/python2.7/site-packages/angr/project.pyc in __init__(self, thing, default_analysis_mode, ignore_functions, use_sim_procedures, exclude_sim_procedures_func, exclude_sim_procedures_list, arch, simos, load_options, translation_cache, support_selfmodifying_code, store_function, load_function, analyses_preset, engines_preset, **kwargs)
    120             self.loader = cle.Loader(thing, **load_options)
    121         elif not isinstance(thing, (unicode, str)) or not os.path.exists(thing) or not os.path.isfile(thing):
--> 122             raise Exception("Not a valid binary file: %s" % repr(thing))
    123         else:
    124             # use angr's loader, provided by cle

Exception: Not a valid binary file: './Desktop/rev300'

In [4]: proj = angr.Project("./rev300")  # the error above was caused by the path; just put the file in /

In [5]: argv1 = claripy.BVS('argv1',50*8)  # guess that the input is at most 50 bytes

In [6]: state = proj.factory.entry_state(args=['./rev300',argv1])

In [7]: simgr = proj.factory.simgr(state)

In [8]: simgr.explore(find=0x080485E0,avoid=0x080485FE)  # addresses reached on correct input and on wrong input
Out[8]: <SimulationManager with 1 found, 8 avoid>

In [9]: print simgr.found[0].solver.eval(argv1)
1063672768972179131287516445481467842776405221819183762775333007016231566631042703334175149294977912186305477505166868480

In [10]: print simgr.found[0].solver.eval(argv1,cast_to=str)  # output the result as a string
Isengard  # the result obtained

Verifying this input yields the flag.
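
The same solve as a standalone Python 3 script, an added example that is not part of the original post. It assumes a current angr release (where `cast_to=bytes` replaces the Python 2 `cast_to=str`), reuses the two addresses and the 50-byte bound from the session above, and adds a printable-ASCII constraint; `c_string` and `solve` are hypothetical helper names.

```python
# Added example (not from the original post): the session above as a script.
import sys

FIND_ADDR = 0x080485E0   # from the post: reached on correct input
AVOID_ADDR = 0x080485FE  # from the post: reached on wrong input
MAX_LEN = 50             # from the post: guessed upper bound in bytes


def c_string(raw: bytes) -> str:
    """argv[1] is a C string: everything from the first NUL on is padding."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def solve(path: str):
    # Imported here so c_string() stays usable without angr installed.
    import angr
    import claripy

    proj = angr.Project(path)
    argv1 = claripy.BVS("argv1", MAX_LEN * 8)
    state = proj.factory.entry_state(args=[path, argv1])

    # Each byte is either NUL (terminator/padding) or printable ASCII,
    # so the solver cannot hand back unprintable bytes.
    for byte in argv1.chop(8):
        state.solver.add(claripy.Or(byte == 0,
                                    claripy.And(byte >= 0x20, byte <= 0x7E)))

    simgr = proj.factory.simgr(state)
    simgr.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
    if not simgr.found:
        return None  # no path reached FIND_ADDR within MAX_LEN bytes
    raw = simgr.found[0].solver.eval(argv1, cast_to=bytes)
    return c_string(raw)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./rev300"
    print(solve(target))
```

If `solve` returns `None`, the usual causes are a length bound that is too small or addresses that do not match the binary being loaded.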

For the conventional solution, see this