Angr (II) -- angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Getting familiar with how to use angr by working through angr_ctf
Reference link:
bilibili - angr symbolic execution
00
1. Build the 00_angr_find challenge provided by angr_ctf into a Linux ELF executable
2. Static analysis with IDA
Look at the main function

The logic of main: first read the input, then process the input character by character with complex_function. If the transformed string equals "PASSWORD", print Good Job, otherwise print Try again.
Next look at the complex_function function

The logic of complex_function: check whether the current character is an uppercase letter; if it is not, exit the program immediately, otherwise transform it with a position-dependent shift, similar to a Vigenère cipher.
3. Write a script that solves for the input that makes the program print Good Job
import angr

p = angr.Project("./00")
init_state = p.factory.entry_state()
print(init_state)  # the entry state's address is where angr placed _start
sm = p.factory.simulation_manager(init_state)
# find: the basic block that prints Good Job, given as an address in angr's address space (see 4. below)
sm.explore(find=0x40091E)
for found_state in sm.found:
    # fd 0 is stdin: dump the concrete input that drives execution to the find address
    print(found_state.posix.dumps(0))
4. About the find value
① Printing init_state shows its address as 0x4006F0, while IDA shows the entry address of start as 0x6F0. The binary is position-independent: IDA displays it at base 0, whereas angr loads it at its default base of 0x400000, so every address taken from IDA must have 0x400000 added before it is passed to angr.
② In IDA the address of the block that prints the correct message is 0x91E, so the find value in the script must be 0x40091E.
5. Run the script to see the results

6. Verify the result by running the binary with the recovered input
01
1. Download the ELF executable 01_angr_avoid provided by angr_ctf directly
2. Static analysis with IDA
IDA took a long time to decompile this file, and F5 could not decompile main. I saw a function named maybe_good and viewed its decompiled source with F5.

3. From this the find value can be determined; write a script that solves for the input that makes the program print Good Job
import angr

p = angr.Project("./01")
init_state = p.factory.entry_state()
print(init_state)  # this binary is not position-independent, so IDA's addresses can be used as-is
sm = p.factory.simulation_manager(init_state)
# find: the block in maybe_good that prints Good Job; avoid: a block that must not be on the solution path
sm.explore(find=0x80485F7, avoid=0x80485BF)
for found_state in sm.found:
    # fd 0 is stdin: dump the concrete input that drives execution to the find address
    print(found_state.posix.dumps(0))
4. About the avoid value
Setting avoid tells angr to drop every state that reaches that address, so paths that can no longer lead to Good Job are not explored further. This keeps the number of live states down, which makes the search faster and more precise. Both find and avoid must be addresses as angr sees them: for a position-independent binary they have to be rebased exactly as in challenge 00, and a wrong base means explore() simply never finds anything.
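Both scripts above hard-code addresses that change with every build and depend on getting the load base right. As an added example, which is not code from the original post or from angr_ctf, the following solver recognises the goal and the dead end by what the program has printed instead of by address, and includes a small helper for translating IDA offsets into angr addresses. It assumes the binary prints "Good Job" on success and "Try again" on failure, as both challenges above do; the names rebase, is_good, is_bad and solve, and the default base 0x400000, are mine (0x400000 is angr's default load base for a position-independent main object).

```python
import sys

# angr (through its loader CLE) maps a position-independent main object at this base by
# default, while IDA shows PIE offsets from 0; hence 0x91E in IDA becomes 0x40091E in angr.
ANGR_PIE_BASE = 0x400000


def rebase(ida_addr, pie=True, ida_base=0, angr_base=ANGR_PIE_BASE):
    """Translate an address as displayed by IDA into the address angr uses.

    For a binary with a fixed load address (e.g. 01_angr_avoid at 0x08048000)
    both tools already agree, so the address is returned unchanged.
    """
    if not pie:
        return ida_addr
    return ida_addr - ida_base + angr_base


def is_good(state):
    """Predicate for explore(find=...): the state has written the success message to stdout (fd 1)."""
    return b"Good Job" in state.posix.dumps(1)


def is_bad(state):
    """Predicate for explore(avoid=...): the state has written the failure message to stdout."""
    return b"Try again" in state.posix.dumps(1)


def solve(binary):
    """Explore `binary` from its entry point and return the stdin bytes that reach is_good(), or None."""
    import angr  # imported lazily so the pure helpers above work without angr installed

    p = angr.Project(binary, auto_load_libs=False)
    sm = p.factory.simulation_manager(p.factory.entry_state())
    # Callables make the search independent of build addresses. States that have already
    # printed "Try again" are pruned, so they neither cost time nor inflate the state count.
    sm.explore(find=is_good, avoid=is_bad)
    if not sm.found:
        return None
    # fd 0 is stdin: the concretised input that drives execution to the success path
    return sm.found[0].posix.dumps(0)


if __name__ == "__main__":
    # usage: python solve.py ./00   (defaults to the challenge 00 binary in the current directory)
    print(solve(sys.argv[1] if len(sys.argv) > 1 else "./00"))
```

The output-based predicates only fire once the message has actually been written, so the goal block itself is still reached; the advantage over a raw address is that the same script solves a rebuilt binary without re-reading addresses out of IDA, and a mistake in the load base shows up as a rebase() error rather than as a silent empty sm.found.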
5. Run the script to see the results

6. Verify the result by running the binary with the recovered input