Angr (VI) -- angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Working through angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
08
1. Download the ELF executable 08_angr_constraints provided by angr_ctf.
2. Static analysis with IDA

main calls scanf to read a 16-byte string into the buffer, then calls complex_function to process the input. Finally it calls check_equals_AUPDNNPROEZRJWKB, which performs a character-by-character string comparison, and prints a message depending on the result.
3. Write a script that solves for the input that makes the program print "Good Job". To avoid the path explosion caused by the string comparison function, the check part of the logic can be kept out of symbolic execution entirely.
```python
import angr
import claripy

p = angr.Project("./08")
start_addr = 0x8048625   # in main, just after scanf has filled the buffer
check_addr = 0x8048565   # address of check_equals_AUPDNNPROEZRJWKB
init_state = p.factory.blank_state(addr=start_addr)

pass_addr = 0x804A050    # address of the global input buffer
# `pass` is a Python keyword, so the symbolic buffer is named `password` here
password = claripy.BVS('password', 16 * 8)
init_state.memory.store(pass_addr, password)

sm = p.factory.simulation_manager(init_state)
# Stop at the check function instead of stepping into its comparison loop
sm.explore(find=check_addr)

for found_state in sm.found:
    target = "AUPDNNPROEZRJWKB".encode()
    param1 = pass_addr
    param2 = 16
    # At this point the buffer has already been transformed by complex_function;
    # constrain the transformed contents to equal the expected string.
    bvt = found_state.memory.load(param1, param2)
    found_state.add_constraints(bvt == target)
    res = found_state.solver.eval(password, cast_to=bytes).decode()
    print(res)
```
4. Run the script to see the results
5. Check the correctness of the results
09
1. Download the ELF executable 09_angr_hooks provided by angr_ctf.
2. Static analysis with IDA

The logic of main can be divided into two parts:
Part one: read a 16-character string into the buffer, call complex_function to process the buffer contents character by character, and finally compare the processed buffer with the string in the password buffer.
Part two: read another 16-character string into the buffer, call complex_function to process the contents of password character by character, and finally compare the processed password with the contents of buffer.
3. Write a script that solves for the input that makes the program print "Good Job". To avoid the path explosion caused by the string comparison function, the check function can be hooked so that it is never symbolically executed.
```python
import angr
import claripy

def isGood(state):
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./09")
check_addr = 0x80486B3   # address of the call to the check function
skip_size = 5            # size of the call instruction being replaced
init_state = p.factory.entry_state()

# The hook replaces the 5-byte call, so the string comparison itself is never executed
@p.hook(check_addr, length=skip_size)
def check_hook(state):
    pass_addr = 0x804A054   # buffer that the check function compares
    pass_size = 0x10
    bvt = state.memory.load(pass_addr, pass_size)
    target = "XYMKBKUHNIQYNQXE".encode()
    # Emulate the return value: eax = 1 if the buffer matches, otherwise 0
    state.regs.eax = claripy.If(bvt == target, claripy.BVV(1, 32), claripy.BVV(0, 32))

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    # stdin holds both strings the program read
    print("{}".format(found_state.posix.dumps(0)))
```
4. Run the script to see the results

5. Verify the correctness of the results