Angr (V) - angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Working through angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
06
1. Download the ELF executable 06_angr_symbolic_dynamic_memory provided by angr_ctf.
2. Static analysis with IDA

main first calls malloc twice to allocate two 9-byte buffers on the heap, buffer0 and buffer1, then calls scanf to read two 8-byte strings into them. Each input is processed character by character by complex_function, and finally the two transformed strings are compared against UODXLZBI and UAORRAYF. If they match, the program prints Good Job; otherwise it prints Try again.
3. Write a script that solves for the input that makes the program print Good Job. Symbolic execution can start right after the call to scanf that reads the input, so the memory that scanf would have filled in must be set up by hand.
import angr
import claripy

def isGood(state):
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./06")
# Start just after the scanf call, so its side effects must be reproduced by hand
start_addr = 0x8048699
init_state = p.factory.blank_state(addr=start_addr)

# The two 8-byte inputs that scanf would have read
p1 = claripy.BVS('p1', 64)
p2 = claripy.BVS('p2', 64)

# Arbitrary, non-overlapping addresses standing in for the two malloc'd buffers
fake_heap_addr1 = 0x4444444
fake_heap_addr2 = 0x4444454
# Addresses of the global pointers (buffer0 / buffer1) that hold the malloc results
pointer1 = 0xABCC8A4
pointer2 = 0xABCC8AC

# Make the global pointers point at the fake heap buffers (4-byte, native endianness)
init_state.memory.store(pointer1, fake_heap_addr1, endness=p.arch.memory_endness, size=4)
init_state.memory.store(pointer2, fake_heap_addr2, endness=p.arch.memory_endness, size=4)
# Place the symbolic inputs in the fake heap buffers
init_state.memory.store(fake_heap_addr1, p1)
init_state.memory.store(fake_heap_addr2, p2)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    res1 = found_state.solver.eval(p1, cast_to=bytes).decode()
    res2 = found_state.solver.eval(p2, cast_to=bytes).decode()
    print(res1)
    print(res2)
4. Run the script to see the results

5. Verify the correctness of the results
07
1. Download the ELF executable 07_angr_symbolic_file provided by angr_ctf.
2. Static analysis with IDA

main first reads a string into buffer with scanf, then calls ignore_me, which writes the contents of buffer to the file OJKSQYDP.txt. It then reads the contents of OJKSQYDP.txt back into buffer and processes it with complex_function. Finally the processed string is compared with AQWLCTXB; if they are equal the program prints Good Job, otherwise Try again.
3. Write a script that solves for the input that makes the program print Good Job. Symbolic execution can start right before the call to fopen that opens the file, so the file's contents must be set up in the simulated filesystem.
import angr
import claripy

def isGood(state):
    return b'Good Job.' in state.posix.dumps(1)

def isBad(state):
    return b'Try again.' in state.posix.dumps(1)

p = angr.Project("./07")
# Start just before fopen; scanf and ignore_me have already run, so the
# file the program is about to read must exist in the simulated filesystem
start_addr = 0x80488D6
init_state = p.factory.blank_state(addr=start_addr)

# The 8-byte password that ignore_me wrote to the file
password = claripy.BVS('password', 64)
filename = 'OJKSQYDP.txt'
# A simulated file whose content is the symbolic password
file = angr.storage.SimFile(filename, content=password)
init_state.fs.insert(filename, file)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for found_state in sm.found:
    res = found_state.solver.eval(password, cast_to=bytes).decode()
    print(res)
4. Run the script to see the results
5. Verify the correctness of the results