radare2 - unable to use the wopO command

reverse-engineering radare2
2021-06-22 06:32:02

I am new to radare2. I am trying out radare2 on the Protostar stack0 exercise.
I generated the raw De Bruijn pattern with the following command:

$ ragg2 -P 500 -r
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmABnABoABpABqABrABsABtABuABvABwABxAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEACFACGACHACIACJACKACLACMACNACOACPACQACRACSACTACUACVACWACXACYACZACaACbACcACdACeACfACgAChACiACjACkAClACmACnACoACpACqACrACsA

Running the program in debug mode and executing it:

$ r2 -d -A stack0
Process with PID 31611 started...
= attach 31611 31611
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
= attach 31611 31611
31611
 -- Buy a mac

[0xf7f72a20]> dc
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmABnABoABpABqABrABsABtABuABvABwABxAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEACFACGACHACIACJACKACLACMACNACOACPACQACRACSACTACUACVACWACXACYACZACaACbACcACdACeACfACgAChACiACjACkAClACmACnACoACpACqACrACsA
You have changed the modified variable
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x4141583d code=1 ret=0

[0x080484d0]> dr
eax = 0x00000000
ebx = 0x5a414159
ecx = 0x41415841
edx = 0xf7f48870
esi = 0x00000001
edi = 0xf7f47000
esp = 0x4141583d
ebp = 0x41614141
eip = 0x080484d0
eflags = 0x00010282
oeax = 0xffffffff

[0x080484d0]> wopO ebp
Need hex value with `0x' prefix e.g. 0x41414142
[0x080484d0]> wopO esp
Need hex value with `0x' prefix e.g. 0x41414142
[0x080484d0]> wopO eip
Need hex value with `0x' prefix e.g. 0x41414142

Below is the C code I am working with:

  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>

  int main(int argc, char **argv){

      volatile int modified;
      char buffer[64];

      modified = 0;
      /* unbounded read: input longer than 64 bytes runs past buffer into modified (and further) */
      scanf("%s", buffer);

      if(modified != 0){
          printf("You have changed the modified variable\n");
      }else{
          printf("Try again\n");
      }
      return 0;
  }

Q1) Is there any reason why eip is not overwritten by the De Bruijn pattern?

Q2) Why do I get the message Need hex value with '0x' prefix e.g. 0x41414142?

Please let me know. Thank you.

1 Answer

Did you notice that you did change the desired variable?

You have changed the modified variable

Anyway, regarding the second question, this is the expected behaviour since the following pull request was merged into radare2.

It now requires you to prefix the value you pass with 0x, so you can do the following:

wopO `dr ebp`

or something like:

wopO `?v ebp`

The backticks are used to execute a radare2 command, so you are basically taking the result of the internal command and passing it to wopO.

Regarding the first question, after a certain number of characters (i.e. a long input) you get a segmentation fault, which means your input caused corruption and you did "damage" eip. If you want to overwrite eip you should bypass the security mitigation ASLR:

To disable it temporarily, run:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

To enable it again, run:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

If you want to change the value permanently, assuming it is a machine dedicated to exploitation, add the following setting to /etc/sysctl.conf, e.g.:

echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf

and run the sysctl -p command.
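To show what wopO actually computes once it gets a 0x-prefixed value, here is an added example (not code from the question, the answer, or radare2 itself) that rebuilds the ragg2-style pattern and looks register values up in it. It assumes ragg2 uses the classic FKM De Bruijn construction over the alphabet A-Z, a-z, 1-9, 0 with 3-byte windows; that assumption reproduces the 500-byte pattern printed in the question, and the lookups use the register values from the dr output above.

```python
"""Reproduce `ragg2 -P` and `wopO` outside radare2 (assumed construction)."""
import struct

# Assumption: ragg2's pattern alphabet (matches the pattern in the question).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"


def de_bruijn(alphabet: str, n: int) -> str:
    """FKM construction of B(k, n): every n-character window over the
    alphabet appears exactly once in the (cyclic) sequence."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def pattern(length: int) -> str:
    """Equivalent of `ragg2 -P length`: the first `length` bytes of B(62, 3)."""
    return de_bruijn(ALPHABET, 3)[:length]


def pattern_offset(value: int, length: int = 500, bits: int = 32):
    """Equivalent of `wopO 0x...`: decode the register value as a little-endian
    word and return where those bytes sit in the pattern. Returns None when the
    bytes are not in the pattern, e.g. a register that was never overwritten
    (eip here) or one holding a derived value (esp = ecx - 4 here)."""
    fmt = "<I" if bits == 32 else "<Q"
    needle = struct.pack(fmt, value).decode("latin-1")
    idx = pattern(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    for name, reg in (("ebp", 0x41614141), ("ecx", 0x41415841),
                      ("esp", 0x4141583d), ("eip", 0x080484d0)):
        print(f"{name} = {reg:#010x} -> offset {pattern_offset(reg)}")
```

Because each 3-byte window occurs only once in the sequence, a 4-byte register value has at most one match, which is why a single crash is enough to read the offset straight off.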