Angr (VII) -- angr_ctf
2022-07-25 10:20:00 【c1rcl3】
Using angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
10
1. Download the ELF executable 10_angr_simprocedures provided by angr_ctf
2. Static analysis with IDA

main calls scanf to read the user input into buffer, then calls complex_function to transform the contents of buffer character by character. Finally, the transformed contents are compared with the contents of password.
3. Write a script that solves for the input that makes the program print Good Job. To avoid the path explosion caused by the string comparison, hook the string-comparison function. Unlike 09, where the hook was placed by address, the comparison function in 10 is called many times, so the hook is placed directly on the symbol (the function name), which redirects every call site.

```python
import angr
import claripy


def isGood(state):
    # stdout (fd 1) of the state contains the success message
    return b'Good Job.' in state.posix.dumps(1)


def isBad(state):
    return b'Try again.' in state.posix.dumps(1)


p = angr.Project("./10")
init_state = p.factory.entry_state()


class mySimProcedure(angr.SimProcedure):
    # Replaces check_equals_ORSDDWXHZURJRBDH(char *to_check, size_t length).
    # The original loop branches once per character, so angr would fork a
    # state at every comparison; a single If() over the whole buffer keeps
    # one state with one constraint instead.
    def run(self, buffer_addr, buffer_size):
        bvt = self.state.memory.load(buffer_addr, buffer_size)
        # wrap the expected string as a bitvector of the same width as the load
        target = claripy.BVV(b"ORSDDWXHZURJRBDH")
        return claripy.If(target == bvt, claripy.BVV(1, 32), claripy.BVV(0, 32))


# hook by symbol name: every call of the function is redirected, not one address
check_symbol = "check_equals_ORSDDWXHZURJRBDH"
p.hook_symbol(check_symbol, mySimProcedure())

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    # stdin (fd 0) of the found state is the input that reaches "Good Job."
    print("{}".format(found_state.posix.dumps(0)))
```
4. Run the script to see the results

5. Check the correctness of the results
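Why the hook matters, as an added example that is not code from the original post and does not use angr: a toy "symbolic" executor in which every input byte is a set of still-possible values. A check_equals-style loop compares each byte and counts matches, so a symbolic executor forks at every comparison; this model reproduces that fork-per-byte behaviour and contrasts it with a single If() over the whole buffer, which is what the SimProcedure above does. The 8-byte password and the exact shape of the loop are assumptions for illustration.

```python
"""Toy model of path explosion in a byte-by-byte equality check (added example, not angr)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

ALL_BYTES = frozenset(range(256))


@dataclass
class State:
    domains: Tuple[FrozenSet[int], ...]                    # possible values per input byte
    num_correct: int = 0                                   # concrete counter from the C loop
    constraints: List[str] = field(default_factory=list)   # path condition, for display


def fork_on_eq(state: State, i: int, c: int) -> List[State]:
    """Model `if (to_check[i] == password[i])`; return every feasible successor."""
    dom = state.domains[i]
    successors = []
    if c in dom:                                           # true branch is satisfiable
        d = list(state.domains)
        d[i] = frozenset({c})
        successors.append(State(tuple(d), state.num_correct + 1,
                                state.constraints + [f"b{i} == {c:#04x}"]))
    rest = dom - {c}
    if rest:                                               # false branch is satisfiable
        d = list(state.domains)
        d[i] = rest
        successors.append(State(tuple(d), state.num_correct,
                                state.constraints + [f"b{i} != {c:#04x}"]))
    return successors


def run_unhooked(password: bytes) -> Tuple[int, List[State]]:
    """Step the loop byte by byte; return (total states, states that return 1)."""
    states = [State(tuple([ALL_BYTES] * len(password)))]
    for i, c in enumerate(password):
        states = [s for st in states for s in fork_on_eq(st, i, c)]   # doubles each round
    good = [s for s in states if s.num_correct == len(password)]
    return len(states), good


def run_hooked(password: bytes) -> Tuple[int, List[State]]:
    """Model the SimProcedure: If(target == buf, 1, 0) is one expression, no fork.

    The only split happens when main branches on the return value, so there are
    two states (compare true / compare false) instead of 2**len(password).
    The false state keeps its condition as one disjunction, which these per-byte
    sets cannot express, so it is carried only in the constraint list.
    """
    good = State(tuple(frozenset({c}) for c in password), len(password),
                 ["to_check == " + password.hex()])
    bad = State(tuple([ALL_BYTES] * len(password)), 0,
                ["to_check != " + password.hex()])
    return 2, [good]


def concretize(state: State) -> bytes:
    """Pick one value per byte; in the good state each domain has exactly one candidate."""
    return bytes(min(d) for d in state.domains)


if __name__ == "__main__":
    pw = b"ORSDDWXH"   # constructed 8-byte target; the real 16-byte one gives 65536 states
    total, good = run_unhooked(pw)
    print(f"unhooked: {total} states, {len(good)} reach Good Job -> {concretize(good[0])!r}")
    total, good = run_hooked(pw)
    print(f"hooked:   {total} states, {len(good)} reach Good Job -> {concretize(good[0])!r}")
```

With the 8-byte constructed target the unhooked loop ends in 256 states, of which 255 go on to print "Try again." and must still be stepped (and then pruned by avoid) before explore finishes; with the real 16-byte target of level 10 that is 65536 states. The hooked version reaches the same single good state after one fork.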
11
1. Download the ELF executable 11_angr_sim_scanf provided by angr_ctf
2. Static analysis with IDA

In main, complex_function is called to transform the 8 characters of the string s one by one. Two unsigned integers are then read into buffer0 and buffer1, and buffer0 is compared with the first four characters of s and buffer1 with the last four (each compared as a 32-bit value).
3. Write a script that solves for the input that makes the program print Good Job. Since the input consists of two integers read by scanf, scanf itself is hooked so that fresh symbolic values are written straight into buffer0 and buffer1 and can be evaluated from the found state.
```python
import angr
import claripy


def isGood(state):
    return b'Good Job.' in state.posix.dumps(1)


def isBad(state):
    return b'Try again.' in state.posix.dumps(1)


p = angr.Project("./11")
init_state = p.factory.entry_state()


class mySimProcedure(angr.SimProcedure):
    # Replaces scanf(format, &buffer0, &buffer1): instead of parsing stdin,
    # write two fresh 32-bit symbolic values to the destination addresses.
    def run(self, format_addr, buffer0_addr, buffer1_addr):
        buffer0 = claripy.BVS('buffer0', 32)
        buffer1 = claripy.BVS('buffer1', 32)
        # Store with the target's byte order (little-endian on x86) so the
        # value the solver produces is the integer the program would parse.
        self.state.memory.store(buffer0_addr, buffer0, endness=p.arch.memory_endness)
        self.state.memory.store(buffer1_addr, buffer1, endness=p.arch.memory_endness)
        # Keep the symbolic variables in state.globals so they can be
        # evaluated later; globals travels with the state through every fork.
        self.state.globals['solutions0'] = buffer0
        self.state.globals['solutions1'] = buffer1
        return 2  # scanf reports the number of items assigned


scanf_symbol = "__isoc99_scanf"
p.hook_symbol(scanf_symbol, mySimProcedure())

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    store_solution0 = found_state.globals['solutions0']
    store_solution1 = found_state.globals['solutions1']
    # eval() asks the solver for one concrete value satisfying the path constraints
    res0 = found_state.solver.eval(store_solution0)
    res1 = found_state.solver.eval(store_solution1)
    print("{} {}".format(res0, res1))
```
4. Run the script to see the results

5. Verify the correctness of the results