Angr (II) -- angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Work through angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
00
1. Build the 00_angr_find challenge provided by angr_ctf into a Linux ELF executable.
2. Analyze it statically with IDA.
Look at the main function.

The logic of main is: first read the input, then process it character by character with complex_function; if the processed string equals "PASSWORD", print Good Job, otherwise print Try again.
Look at complex_function as well.

The logic of complex_function is: check whether the current character is an uppercase letter; if not, exit the program directly; otherwise transform it, similar to a Vigenère cipher.
3. Write a script to solve for the input that makes the program print Good Job.
import angr

p = angr.Project("./00")
init_state = p.factory.entry_state()   # state at the program entry point
print(init_state)                      # prints the entry address (0x4006F0 here)
sm = p.factory.simulation_manager(init_state)
sm.explore(find=0x40091E)              # stop when a state reaches the Good Job branch
for found_state in sm.found:
    print(found_state.posix.dumps(0))  # fd 0 is stdin: the input that reaches find
4. About the find value
① Printing init_state shows the entry address 0x4006F0; in IDA the entry address of the start function is 0x0006F0, so the binary is loaded at base 0x400000.
② In IDA, the address of the code that prints the correct-answer message is 0x00091E, so find in the script should be set to 0x40091E.
5. Run the script to see the results

6. Correctness of test results
01
1. Download the ELF executable 01_angr_avoid provided by angr_ctf directly.
2. Analyze it statically with IDA.
IDA took a long time to decompile this file, and F5 could not decompile the main function. I noticed a function named maybe_good and used F5 to view its source.

3. From this the find value can be determined; write a script to solve for the input that makes the program print Good Job.
import angr

p = angr.Project("./01")
init_state = p.factory.entry_state()
print(init_state)
sm = p.factory.simulation_manager(init_state)
# find: the Good Job branch; avoid: the branch that prints Try again,
# so states that reach it are dropped instead of being explored further
sm.explore(find=0x80485F7, avoid=0x80485BF)
for found_state in sm.found:
    print(found_state.posix.dumps(0))  # fd 0 is stdin: the input that reaches find
4. About the avoid value
Setting avoid discards every state that reaches that address, so that path is not explored any further; this makes the search more precise and faster.
5. Run the script to see the results

6. Correctness of test results
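The two scripts above hard-code find and avoid addresses read out of IDA, which change with every build of the challenge. The script below is an added example (not from the original post or from angr_ctf) that solves both 00 and 01 the same way by matching what each state has written to stdout: find triggers on "Good Job" and avoid on "Try again", the two messages the post describes. It assumes the binary path is passed on the command line (defaulting to ./00) and that the messages are printed exactly as described; fake_state is a constructed stand-in used only to exercise the predicates without running angr.

```python
"""Added example: solve angr_ctf 00/01 by matching program output instead of
hard-coding find/avoid addresses. Assumes the binary prints "Good Job" on
success and "Try again" otherwise, as the post describes."""
import sys


def build_predicates(find_text=b"Good Job", avoid_text=b"Try again"):
    """Return (find, avoid) callables for SimulationManager.explore().

    Each one inspects what the state has written to stdout (fd 1) so far,
    so the script does not depend on addresses that differ per binary."""
    def is_good(state):
        return find_text in state.posix.dumps(1)

    def is_bad(state):
        return avoid_text in state.posix.dumps(1)

    return is_good, is_bad


def solve(binary_path, find_text=b"Good Job", avoid_text=b"Try again"):
    """Explore the binary and return the stdin bytes of every found state."""
    import angr  # imported here so the helpers above stay usable without angr

    proj = angr.Project(binary_path, auto_load_libs=False)
    state = proj.factory.entry_state()
    sm = proj.factory.simulation_manager(state)
    is_good, is_bad = build_predicates(find_text, avoid_text)
    sm.explore(find=is_good, avoid=is_bad)
    # fd 0 is stdin; dumping fd i (as the original script does) only works when i == 0
    return [found.posix.dumps(0) for found in sm.found]


def fake_state(stdout_bytes):
    """Constructed stand-in for an angr SimState, exposing only posix.dumps()."""
    class _Posix:
        def dumps(self, fd):
            return stdout_bytes if fd == 1 else b""

    class _State:
        posix = _Posix()

    return _State()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "./00"  # assumption: ./00 or ./01
    for raw in solve(path):
        # angr pads symbolic stdin with NUL bytes; strip them for display
        print(raw.rstrip(b"\x00"))
```

Because the predicates look at output rather than addresses, the same script works for the 64-bit 00 binary and the 32-bit 01 binary, and avoid still prunes every state that has already printed the failure message.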