逆向工程 - 无法使用radare2 执行程序：要继续 - 吾爱随笔录

无法使用radare2 执行程序：要继续

逆向工程二元分析反编译雷达2 断点

2021-07-10 15:36:51

我正在尝试破解破解版。我已经抓住了标志，因为我看到了代表标志的字符串变量。我想以另一种方式捕获标志，我想在比较字符串时设置断点。我想使用radare2。

当我使用dc命令运行应该停止到我设置的断点的程序时，我收到消息TO DO continue。我不知道为什么。我希望收到以下形式的消息：

string 1 : TheStringIEnter string 2 : TheFlagOfTheChallenge

这是我执行的命令：

radare 2 -d ch1.bin
s sym.main
aaa
pdf
VV
:
:> db 0x08048705
:> dc
TODO continue
:>

这是 pdf 命令的输出：

[0x0804869d]> pdf
/ (fcn) main 155
|   main (int argc, char **argv, char **envp);
|           ; var int local_ch @ ebp-0xc
|           ; var int local_8h @ ebp-0x8
|           ; var int local_4h @ esp+0x4
|           ; DATA XREF from entry0 (0x8048507)
|           0x0804869d      8d4c2404       lea ecx, [local_4h]         ; 4
|           0x080486a1      83e4f0         and esp, 0xfffffff0
|           0x080486a4      ff71fc         push dword [ecx - 4]
|           0x080486a7      55             push ebp
|           0x080486a8      89e5           mov ebp, esp
|           0x080486aa      51             push ecx
|           0x080486ab      83ec24         sub esp, 0x24               ; '$'
|           0x080486ae      c745f8418804.  mov dword [local_8h], str.123456789 ; 0x8048841 ; "123456789"
|           0x080486b5      c704244c8804.  mov dword [esp], str.       ; [0x804884c:4]=0x23232323 ; "############################################################"
|           0x080486bc      e807feffff     call sym.imp.puts           ; int puts(const char *s)
|           0x080486c1      c704248c8804.  mov dword [esp], str.welcome_to_challenge ; [0x804888c:4]=0x20202323 ; "##        Welcome to this challenge        ##"
|           0x080486c8      e8fbfdffff     call sym.imp.puts           ; int puts(const char *s)
|           0x080486cd      c70424cc8804.  mov dword [esp], str.       ; [0x80488cc:4]=0x23232323 ; "############################################################\n"
|           0x080486d4      e8effdffff     call sym.imp.puts           ; int puts(const char *s)
|           0x080486d9      c704240c8904.  mov dword [esp], str.please_enter_pass: ; [0x804890c:4]=0x69756556 ; "Please enter the password : "
|           0x080486e0      e8b3fdffff     call sym.imp.printf         ; int printf(const char *format)
|           0x080486e5      8b45f4         mov eax, dword [local_ch]
|           0x080486e8      890424         mov dword [esp], eax
|           0x080486eb      e80effffff     call sym.getString
|           0x080486f0      8945f4         mov dword [local_ch], eax
|           0x080486f3      8b45f8         mov eax, dword [local_8h]
|           0x080486f6      89442404       mov dword [local_4h], eax
|           0x080486fa      8b45f4         mov eax, dword [local_ch]
|           0x080486fd      890424         mov dword [esp], eax
|           0x08048700      e8d3fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
|           0x08048705      85c0           test eax, eax
|       ,=< 0x08048707      7515           jne 0x804871e
|       |   0x08048709      8b45f8         mov eax, dword [local_8h]
|       |   0x0804870c      89442404       mov dword [local_4h], eax
|       |   0x08048710      c70424308904.  mov dword [esp], str.good_job:__s ; [0x8048930:4]=0x6e656942 ; "Good job ! You just pass the challenge with the pass : %s!\n"
|       |   0x08048717      e87cfdffff     call sym.imp.printf         ; int printf(const char *format)
|      ,==< 0x0804871c      eb0c           jmp 0x804872a
|      ||   ; CODE XREF from main (0x8048707)
|      |`-> 0x0804871e      c70424708904.  mov dword [esp], str.bad__password. ; [0x8048970:4]=0x6d6d6f44 ; "Bad password."
|      |    0x08048725      e89efdffff     call sym.imp.puts           ; int puts(const char *s)
|      |    ; CODE XREF from main (0x804871c)
|      `--> 0x0804872a      b800000000     mov eax, 0
|           0x0804872f      83c424         add esp, 0x24               ; '$'
|           0x08048732      59             pop ecx
|           0x08048733      5d             pop ebp
|           0x08048734      8d61fc         lea esp, [ecx - 4]
\           0x08048737      c3             ret
[0x0804869d]>

1个回答

以下是您如何通过调试进行操作。

$ r2 ch1.bin
[0x080484f0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x080484f0]> doo
Process with PID 18337 started...
File dbg:///tmp/ch1.bin  reopened in read-write mode
= attach 18337 18337
18337
[0xf7f6fc70]> pdf @ sym.main ~strcmp
│           0x08048700      e8d3fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)

在strcmp调用处设置断点并继续执行。

[0xf7f6fc70]> s 0x08048700
[0x08048700]> db 0x08048700
[0x08048700]> dc
############################################################
##        Bienvennue dans ce challenge de cracking        ##
############################################################

Veuillez entrer le mot de passe : test
hit breakpoint at: 8048700

使用pxr转储esp与标志和有关地址的信息。

[0x08048700]> pxr@esp~:0..5
0xfff45270  0x09075570  pU.. @esp eax (test)
0xfff45274  0x08048841  A... (.rodata) (/tmp/ch1.bin) str.123456789 program R X 'xor dword [edx], esi' 'ch1.bin' (123456789)
0xfff45278  0xfff452a8  .R.. stack R W 0x0 -->  edi
0xfff4527c  0x08048769  i... (.text) (/tmp/ch1.bin) sym.__libc_csu_init program R X 'lea eax, [ebx - 0xe8]' 'ch1.bin'
0xfff45280  0x00000000  .... edi
[0x08048700]>

Stack top 指向我们test作为第一个参数传递给的输入strcmp。nextdword指向0x08048841字符串 123456789处的第二个参数。

因为strcmp是一个库函数，你可以用ltrace它来做同样的事情。

$ ltrace ./ch1.bin
__libc_start_main(0x804869d, 1, 0xffbe8304, 0x8048750 <unfinished ...>
puts("################################"...############################################################
)                                               = 61
puts("##        Bienvennue dans ce cha"...##        Bienvennue dans ce challenge de cracking        ##
)                                               = 61
puts("################################"...############################################################

)                                               = 62
printf("Veuillez entrer le mot de passe "...)                                             = 34
malloc(2)                                                                                 = 0x9352570
getchar(2, 0, 0xffbe8258, 0xf7d792f6Veuillez entrer le mot de passe : test
)                                                     = 116
realloc(0x9352570, 2)                                                                     = 0x9352570
getchar(0x9352570, 2, 0xffbe8258, 0xf7d792f6)                                             = 101
realloc(0x9352570, 3)                                                                     = 0x9352570
getchar(0x9352570, 3, 0xffbe8258, 0xf7d792f6)                                             = 115
realloc(0x9352570, 4)                                                                     = 0x9352570
getchar(0x9352570, 4, 0xffbe8258, 0xf7d792f6)                                             = 116
realloc(0x9352570, 5)                                                                     = 0x9352570
getchar(0x9352570, 5, 0xffbe8258, 0xf7d792f6)                                             = 10
strcmp("test", "123456789")                                                               = 1
puts("Dommage, essaye encore une fois."...Dommage, essaye encore une fois.
)                                               = 33
+++ exited (status 0) +++

TBF 您根本不需要调试它，只需静态分析即可。

[0x080484f0]> pdf @ sym.main~strcmp
│           0x08048700      e8d3fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
[0x080484f0]> s 0x08048700
[0x08048700]> pd-10
│           0x080486d9      c704240c8904.  mov dword [esp], str.Veuillez_entrer_le_mot_de_passe_: ; [0x804890c:4]=0x69756556 ; "Veuillez entrer le mot de passe : " ; const char *format
│           0x080486e0      e8b3fdffff     call sym.imp.printf         ; int printf(const char *format)
│           0x080486e5      8b45f4         mov eax, dword [s1]
│           0x080486e8      890424         mov dword [esp], eax
│           0x080486eb      e80effffff     call sym.getString
│           0x080486f0      8945f4         mov dword [s1], eax
│           0x080486f3      8b45f8         mov eax, dword [local_8h]
│           0x080486f6      89442404       mov dword [s2], eax         ; const char *s2
│           0x080486fa      8b45f4         mov eax, dword [s1]
│           0x080486fd      890424         mov dword [esp], eax        ; const char *s1
[0x08048700]>

现在我们知道了strcmp:s1和的参数local_8h。s1填充了对的调用sym.getString，所以这可能是我们的输入，因此local_8h是我们需要找到匹配的字符串。

我们将看到它在函数中的使用/修改（读/写）。使用 afv(R/W)

[0x08048700]> afv?
Usage: afv  [rbs]
| afvr[?]                       manipulate register based arguments
| afvb[?]                       manipulate bp based arguments/locals
| afvs[?]                       manipulate sp based arguments/locals
| afv*                          output r2 command to add args/locals to flagspace
| afvR [varname]                list addresses where vars are accessed (READ)
| afvW [varname]                list addresses where vars are accessed (WRITE)
| afva                          analyze function arguments/locals
| afvd name                     output r2 command for displaying the value of args/locals in the debugger
| afvn [new_name] ([old_name])  rename argument/local
| afvt [name] [new_type]        change type for given argument/local
| afv-([name])                  remove all or given var

使用这个 local_8h

[0x08048700]> afvR local_8h
  local_8h  0x80486f3,0x8048709
[0x08048700]> afvW local_8h
  local_8h  0x80486ae

在 0x80486ae 它被写入或初始化。

[0x08048700]> pd3 @ 0x80486ae 
│           0x080486ae      c745f8418804.  mov dword [local_8h], str.123456789 ; 0x8048841 ; "123456789"
│           0x080486b5      c704244c8804.  mov dword [esp], str.       ; [0x804884c:4]=0x23232323 ; "############################################################" ; const char *s
│           0x080486bc      e807feffff     call sym.imp.puts           ; int puts(const char *s)
[0x08048700]>

这里 r2 将地址 0x8048841 解析为字符串 123456789

其它你可能感兴趣的问题

上一篇在 IDA PRO 菜单中找不到调试器下一篇MOVZX EAX,AX 在 MOVZX EAX, WORD PTR [RBP+ADDR.SA_DATA] 之后的用途是什么？