Angr (IV) -- angr_ctf
2022-07-25 10:20:00 【c1rcl3】
Working through angr_ctf to become familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
04
1. Download the ELF executable 04_angr_symbolic_stack provided by angr_ctf.
2. Analyze it statically with IDA. The key logic of the program is found in handle_user.

The program calls scanf to read two unsigned integers (unsigned int) onto the stack, then calls complex_function0 and complex_function1 to process the two arguments separately, and finally performs a logical comparison and prints Good Job. or Try again.
3. Write a script that solves for the input which makes the program print Good Job. Symbolic execution can be started from the point in handle_user right after the call to scanf has read the input; since the prologue and scanf are skipped, the stack has to be set up by hand.
```python
import angr

def isGood(state):
    # A state that has printed "Good Job." reached the success path
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    # A state that has printed "Try again." is a dead end
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./04")
# Address in handle_user just after scanf has returned
start_addr = 0x8048697
init_state = p.factory.blank_state(addr=start_addr)

# Rebuild the stack frame that the skipped prologue would have produced:
# save the caller's ebp, start a fresh frame, then leave room for locals
padding_size = 8
init_state.stack_push(init_state.regs.ebp)
init_state.regs.ebp = init_state.regs.esp
init_state.regs.esp -= padding_size

# The two 32-bit values scanf would have written become symbolic variables
pass1 = init_state.solver.BVS('pass1', 32)
pass2 = init_state.solver.BVS('pass2', 32)
init_state.stack_push(pass1)
init_state.stack_push(pass2)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    # Ask the solver for concrete values that satisfy the path constraints
    res1 = found_state.solver.eval(pass1)
    res2 = found_state.solver.eval(pass2)
    print("{} {}".format(res1, res2))
```
4. Run the script to see the results

5. Verify the correctness of the results
05
1. Download the ELF executable 05_angr_symbolic_memory provided by angr_ctf.
2. Analyze it statically with IDA.

The program calls scanf to read four 8-byte strings into fixed memory addresses, then processes the 32 bytes one by one, and finally compares the result against a string and prints Good Job. or Try again.
3. Write a script that solves for the input which makes the program print Good Job. Symbolic execution can be started from the point right after the call to scanf has read the input; since scanf is skipped, the memory it would have filled has to be set up by hand.
```python
import angr
import claripy

def isGood(state):
    # A state that has printed "Good Job." reached the success path
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    # A state that has printed "Try again." is a dead end
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./05")
# Address just after scanf has returned
start_addr = 0x8048601
init_state = p.factory.blank_state(addr=start_addr)

# Four 8-byte (64-bit) symbolic strings, one per scanf field
p1 = claripy.BVS('p1', 64)
p2 = claripy.BVS('p2', 64)
p3 = claripy.BVS('p3', 64)
p4 = claripy.BVS('p4', 64)

# The fixed buffers scanf writes to, 8 bytes apart
p1_addr = 0xA1BA1C0
p2_addr = 0xA1BA1C8
p3_addr = 0xA1BA1D0
p4_addr = 0xA1BA1D8

# Place the symbolic strings where the program expects its input
init_state.memory.store(p1_addr, p1)
init_state.memory.store(p2_addr, p2)
init_state.memory.store(p3_addr, p3)
init_state.memory.store(p4_addr, p4)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    # Concretize each symbolic buffer as bytes and decode it for printing
    res1 = found_state.solver.eval(p1, cast_to=bytes).decode()
    res2 = found_state.solver.eval(p2, cast_to=bytes).decode()
    res3 = found_state.solver.eval(p3, cast_to=bytes).decode()
    res4 = found_state.solver.eval(p4, cast_to=bytes).decode()
    print(res1)
    print(res2)
    print(res3)
    print(res4)
```
4. Run the script to see the results

5. Verify the correctness of the results
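Step 5 of both challenges (confirming the solver's answer against the real binary) can be scripted instead of being typed in by hand. The harness below is an added example, not part of the original post or of angr_ctf: it pipes each candidate produced from `sm.found` into the program on stdin and reports which verdict string appears, so an answer from an under-constrained path is caught rather than assumed correct. The stand-in target `FAKE_TARGET` is a constructed Python one-liner so the script runs without the 04/05 binaries; `check_candidate`, `verify_all` and the `argv`/`fields` parameters are names chosen here.

```python
import subprocess
import sys

SUCCESS = b"Good Job."
FAILURE = b"Try again."


def check_candidate(argv, fields, timeout=5):
    """Run the target, feed it one candidate input on stdin and classify the output.

    argv   : command line of the program to run, e.g. ["./04"] or ["./05"]
    fields : values recovered by the solver, in the order scanf reads them; they
             are joined with spaces so both "%u %u" and "%8s %8s %8s %8s" inputs work
    Returns "good", "bad" or "unknown" (neither verdict string was printed).
    """
    stdin_data = " ".join(str(f) for f in fields).encode() + b"\n"
    proc = subprocess.run(argv, input=stdin_data, capture_output=True, timeout=timeout)
    out = proc.stdout + proc.stderr
    if SUCCESS in out:
        return "good"
    if FAILURE in out:
        return "bad"
    return "unknown"


def verify_all(argv, candidates):
    """Check every candidate tuple (one per found state) and return the verdicts."""
    return [check_candidate(argv, fields) for fields in candidates]


# Constructed stand-in for the CTF binary (assumption, not the real 04/05):
# it prints Good Job. only for the input "1 2", otherwise Try again.
FAKE_TARGET = [
    sys.executable, "-c",
    "import sys; line = sys.stdin.readline().split(); "
    "print('Good Job.' if line == ['1', '2'] else 'Try again.')",
]

# Constructed target that prints nothing, to show the "unknown" verdict
SILENT_TARGET = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    # With the real binary this would be verify_all(["./04"], [(res1, res2)])
    print(verify_all(FAKE_TARGET, [(1, 2), (3, 4)]))
```

For challenge 05 the four decoded strings go into one tuple, `(res1, res2, res3, res4)`, and the harness joins them with spaces exactly as a user would type them for the `%8s` fields.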