I am trying to learn angr by working through the angr_ctf examples here: https://github.com/jakespringer/angr_ctf. It's a great resource! But I have been struggling to understand part of the solution to 14_angr_shared_library. I hope someone here can enlighten me.

That example shows how to use angr on a function inside a shared library, demonstrating the call_state() preset. This is part of the solution script, from https://github.com/jakespringer/angr_ctf/blob/master/solutions/14_angr_shared_library/solve14.py

  # Initialize any needed values here; you will need at least one to pass to
  # the validate function.
  buffer_pointer = claripy.BVV(0x3000000, 32)

  # Begin the state at the beginning of the validate function, as if it was
  # called by the program. Determine the parameters needed to call validate and
  # replace 'parameters...' with bitvectors holding the values you wish to pass.
  # Recall that 'claripy.BVV(value, size_in_bits)' constructs a bitvector 
  # initialized to a single value.
  # Remember to add the base value you specified at the beginning to the
  # function address!
  # Hint: int validate(char* buffer, int length) { ...
  # Another hint: the password is 8 bytes long.
  validate_function_address = base + 0x6d7
  initial_state = project.factory.call_state(validate_function_address, buffer_pointer, claripy.BVV(8, 32))

A BVS is then created and stored at the buffer_pointer address:

  password = claripy.BVS('password', 8*8)
  initial_state.memory.store(buffer_pointer, password)

The part that confuses me is the 0x3000000 value in the initial BVV creation step. Like, where does this value come from? I found other solutions online that use 0x4000000, and that works too. If I look at the process memory map, I don't see any range that could contain these addresses. I would have expected this to need a valid writable address, such as the address of the main binary's data segment. Why do these (I think) invalid addresses work?!?
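To illustrate why such an address is accepted, here is a toy model written for this page of the mechanism involved. It is not angr's code and not part of the angr_ctf project: angr keeps state memory as a page-keyed store that the loader pre-populates only for the segments of the binary and its libraries; any other page is created the first time a load or store touches it, so a store to 0x3000000 simply creates a fresh page. Accesses outside the loader's map are rejected only when the state is created with the `angr.options.STRICT_PAGE_ACCESS` option. The region layout, the page size, the class and function names, and the `unconstrained_*` placeholder for never-written bytes are all constructed for this example.

```python
"""Toy model of a lazily paged symbolic memory (added illustration, not angr's code)."""

PAGE_SIZE = 0x1000


class SimSegfaultError(Exception):
    """Raised only in strict mode when an unmapped page is touched."""


class LazyPagedMemory:
    """Page-keyed store: a page exists only once something touches it."""

    def __init__(self, mapped_regions, strict_page_access=False):
        # mapped_regions: [(start, end, perms)] as a loader would report them.
        self.regions = list(mapped_regions)
        self.strict = strict_page_access
        self.pages = {}  # page number -> {offset: cell}, created on first touch

    def is_mapped(self, addr):
        return any(start <= addr < end for start, end, _ in self.regions)

    def _page(self, addr):
        page_no, offset = divmod(addr, PAGE_SIZE)
        if page_no not in self.pages:
            # Only strict mode consults the loader's map before creating a page.
            if self.strict and not self.is_mapped(addr):
                raise SimSegfaultError(f"page {page_no * PAGE_SIZE:#x} is not mapped")
            self.pages[page_no] = {}
        return self.pages[page_no], offset

    def store_concrete(self, addr, data):
        # Equivalent of storing a claripy.BVV: each cell holds a concrete byte.
        for i, byte in enumerate(data):
            page, offset = self._page(addr + i)
            page[offset] = byte

    def store_symbolic(self, addr, name, nbytes):
        # Equivalent of storing a claripy.BVS: each cell holds a symbolic byte.
        for i in range(nbytes):
            page, offset = self._page(addr + i)
            page[offset] = f"{name}[{i}]"

    def load(self, addr, nbytes):
        # Bytes nobody ever wrote come back as fresh unconstrained placeholders.
        cells = []
        for i in range(nbytes):
            page, offset = self._page(addr + i)
            cells.append(page.get(offset, f"unconstrained_{addr + i:#x}"))
        return cells


def build_memory(strict=False):
    # Constructed map: a 32-bit main binary plus a library rebased to 0x4000000,
    # as the solve script does. Nothing covers 0x3000000.
    regions = [
        (0x08048000, 0x08049000, "r-x"),  # main binary .text
        (0x08049000, 0x0804A000, "rw-"),  # main binary .data / .bss
        (0x04000000, 0x04001000, "r-x"),  # rebased library .text
    ]
    return LazyPagedMemory(regions, strict_page_access=strict)


def permissive_store(buffer_pointer=0x3000000):
    # Mirrors initial_state.memory.store(buffer_pointer, password) in default mode.
    mem = build_memory(strict=False)
    mem.store_symbolic(buffer_pointer, "password", 8)
    return mem.is_mapped(buffer_pointer), mem.load(buffer_pointer, 8)


def untouched_read(addr=0x3000100):
    mem = build_memory(strict=False)
    return mem.load(addr, 2)


def strict_store(buffer_pointer=0x3000000):
    # Same store with the strict-page-access behaviour switched on.
    mem = build_memory(strict=True)
    try:
        mem.store_symbolic(buffer_pointer, "password", 8)
    except SimSegfaultError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(permissive_store())   # (False, ['password[0]', ..., 'password[7]'])
    print(untouched_read())     # ['unconstrained_0x3000100', 'unconstrained_0x3000101']
    print(strict_store())       # page 0x3000000 is not mapped
```

The model deliberately ignores permissions, concrete/symbolic mixing and the solver; the point for the question is that, by default, nothing in the memory plugin checks the process map, so any address that does not collide with something the program actually uses is as good as any other for placing the password buffer.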
