Angr (III) - angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Working through angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
02
1. Download the ELF executable 02_angr_find_condition provided by angr_ctf.
2. Analyze it statically in IDA and press F5 to decompile the main function.

The logic of main is: first read the input into `input`, then process it character by character with `complex_function`. If the processed string equals the `target` string, output "Good Job.", otherwise output "Try again.".
3. Write a script that finds the input for which the program outputs "Good Job.", while avoiding paths that output "Try again." during exploration.
```python
import angr

def isGood(state):
    # the target path prints "Good Job." on stdout (fd 1)
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    # paths that print "Try again." are pruned
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./02")
init_state = p.factory.entry_state()
print(init_state)
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for found_state in sm.found:
    # fd 0 is stdin: the input that leads to "Good Job."
    print(found_state.posix.dumps(0))
```
4. Run the script to see the results

5. Test the correctness of the result by feeding it to the program
03
1. Download the ELF executable 03_angr_symbolic_registers provided by angr_ctf.
2. Analyze the assembly code statically in IDA.

In main, the `get_user_input` function is called to read user input, then `complex_function_1`, `complex_function_2` and `complex_function_3` process the input, and "Good Job." or "Try again." is printed depending on the result.
Look at the assembly code of `get_user_input`:

You can see that `get_user_input` calls `scanf` to read three hexadecimal parameters. According to the calling convention used here, the three values are placed in the registers eax, ebx and edx in turn.
3. Write a script that finds the input for which the program outputs "Good Job.". Symbolic execution can start in main right after the call to `get_user_input` returns, so the registers that would have been filled by the input need to be set up symbolically.
```python
import angr
import claripy

def isGood(state):
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./03")
# address in main right after the call to get_user_input (hex literal)
start_addr = 0x08048980
init_state = p.factory.blank_state(addr=start_addr)
# one 32-bit symbolic value per register filled by the three scanf reads
pass1 = claripy.BVS('pass1', 32)
pass2 = claripy.BVS('pass2', 32)
pass3 = claripy.BVS('pass3', 32)
init_state.regs.eax = pass1
init_state.regs.ebx = pass2
init_state.regs.edx = pass3
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for found_state in sm.found:
    # concretize each symbolic register under the found state's constraints
    res1 = found_state.solver.eval(pass1)
    res2 = found_state.solver.eval(pass2)
    res3 = found_state.solver.eval(pass3)
    print("{:x} {:x} {:x}".format(res1, res2, res3))
```
4. Run the script to see the results
5. Check the correctness of the results by entering the three hex values into the program
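The two scripts above share the same skeleton; as an added example (not code from angr_ctf or the post), here is one reusable solver covering both patterns: symbolic stdin from the entry point (02) and symbolic registers from a blank state at a chosen address (03). The binary path, start address and register widths are assumptions the caller supplies; `clean_stdin` exists because angr can pad the stdin dump with unconstrained bytes that solve to NUL.

```python
import sys

def classify(state, good=b"Good Job.", bad=b"Try again."):
    """'good', 'bad' or None, judged from what the state wrote to stdout (fd 1)."""
    out = state.posix.dumps(1)
    if good in out:
        return "good"
    if bad in out:
        return "bad"
    return None

def clean_stdin(dump):
    """angr may pad stdin with unconstrained bytes solved to NUL; keep the real input."""
    return dump.split(b"\x00", 1)[0]

def solve(binary, start_addr=None, regs=None):
    """Return (stdin_bytes, {register: value}) for the first state printing Good Job.
    regs maps register name -> bit width, e.g. {"eax": 32, "ebx": 32, "edx": 32}.
    start_addr=None runs from the entry with symbolic stdin (02 style); otherwise
    execution starts at start_addr with the given symbolic registers (03 style)."""
    import angr      # imported lazily so the pure helpers above run without angr
    import claripy
    p = angr.Project(binary, auto_load_libs=False)
    if start_addr is None:
        state = p.factory.entry_state()
    else:
        state = p.factory.blank_state(addr=start_addr)
    syms = {}
    for name, bits in (regs or {}).items():
        syms[name] = claripy.BVS(name, bits)
        setattr(state.regs, name, syms[name])   # same as state.regs.eax = pass1
    sm = p.factory.simulation_manager(state)
    sm.explore(find=lambda s: classify(s) == "good",
               avoid=lambda s: classify(s) == "bad")
    if not sm.found:
        raise RuntimeError("no path reached Good Job.; check start_addr and regs")
    found = sm.found[0]
    values = {n: found.solver.eval(v) for n, v in syms.items()}
    return clean_stdin(found.posix.dumps(0)), values

if __name__ == "__main__":
    # python solve.py ./02          -> prints the stdin that reaches Good Job.
    # python solve.py ./03 08048980 -> prints eax ebx edx as hex for scanf("%x %x %x")
    addr = int(sys.argv[2], 16) if len(sys.argv) > 2 else None
    regs = {"eax": 32, "ebx": 32, "edx": 32} if addr is not None else None
    stdin, values = solve(sys.argv[1], addr, regs)
    print(stdin.decode(errors="replace"), " ".join("{:x}".format(v) for v in values.values()))
```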