Angr (IV) -- angr_ ctf
2022-07-25 10:20:00 【c1rcl3】
Working through angr_ctf to get familiar with how angr is used.
Reference link:
bilibili - angr symbolic execution
04
1. Download the ELF executable 04_angr_symbolic_stack provided by angr_ctf.
2. Analyse it statically with IDA. The key logic of the program is in handle_user.

The program calls scanf to read two unsigned integers (unsigned int) onto the stack, then calls complex_function0 and complex_function1 to process the two values separately, and finally makes a logical comparison and prints Good Job or Try again.
3. Write a script that solves for the input that makes the program print Good Job. Symbolic execution can start in handle_user right after the scanf call has read the input, but then the stack frame has to be set up by hand.
```python
import angr


def isGood(state):
    # stdout (fd 1) of this path contains the success message
    return b'Good Job.' in state.posix.dumps(1)


def isBad(state):
    return b'Try again.' in state.posix.dumps(1)


p = angr.Project("./04")
# address in handle_user right after the scanf call returns
start_addr = 0x8048697
init_state = p.factory.blank_state(addr=start_addr)

# rebuild the frame that scanf would have filled: save ebp, make ebp the
# frame base, skip the local slots, then push the two symbolic inputs
padding_size = 8
init_state.stack_push(init_state.regs.ebp)
init_state.regs.ebp = init_state.regs.esp
init_state.regs.esp -= padding_size
pass1 = init_state.solver.BVS('pass1', 32)
pass2 = init_state.solver.BVS('pass2', 32)
init_state.stack_push(pass1)
init_state.stack_push(pass2)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for i in range(0, len(sm.found)):
    found_state = sm.found[i]
    res1 = found_state.solver.eval(pass1)
    res2 = found_state.solver.eval(pass2)
    print("{} {}".format(res1, res2))
```
4. Run the script to see the results.

5. Verify the results against the program.
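The stack setup in step 3 only works if each pushed value lands in the slot scanf actually wrote to. The following helper is an added example, not part of the original post or of angr_ctf: it replays the script's register and push bookkeeping in plain Python (no angr needed) and reports the ebp-relative slot of each value, so the padding can be checked against the [ebp-XX] operands IDA shows for the scanf arguments before angr is run. The class and function names are my own.

```python
# Constructed model of the 32-bit stack operations performed on the blank
# state in the 04 script; it tracks esp/ebp only, no real memory.
class StackModel:
    def __init__(self, esp=0x7FFF0000):
        self.esp = esp          # arbitrary starting esp (assumed value)
        self.ebp = None
        self.slots = {}         # address -> label of the value stored there

    def push(self, label, size=4):
        # x86 push: decrement esp by the operand size, then store at esp
        self.esp -= size
        self.slots[self.esp] = label

    def mov_ebp_esp(self):
        self.ebp = self.esp

    def sub_esp(self, n):
        self.esp -= n

    def ebp_offsets(self):
        # {label: offset from ebp}, e.g. -12 for a value at [ebp-0xC]
        return {lbl: addr - self.ebp for addr, lbl in self.slots.items()}


def layout_after_script(padding_size=8, values=("pass1", "pass2"), size=4):
    """Replay stack_push(ebp); ebp = esp; esp -= padding; stack_push(...)
    and return where each symbolic value ends up relative to ebp."""
    st = StackModel()
    st.push("saved_ebp")        # init_state.stack_push(init_state.regs.ebp)
    st.mov_ebp_esp()            # init_state.regs.ebp = init_state.regs.esp
    st.sub_esp(padding_size)    # init_state.regs.esp -= padding_size
    for v in values:            # init_state.stack_push(pass1 / pass2)
        st.push(v, size)
    return st.ebp_offsets()


if __name__ == "__main__":
    # with padding 8: saved_ebp at [ebp], pass1 at [ebp-0xc], pass2 at [ebp-0x10]
    for label, off in sorted(layout_after_script().items(), key=lambda kv: -kv[1]):
        print(f"{label:>9}: [ebp{off:+#x}]" if off else f"{label:>9}: [ebp]")
```

If IDA shows scanf storing to different offsets, change padding_size (or the push order) until the reported slots match.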
05
1. Download the ELF executable 05_angr_symbolic_memory provided by angr_ctf.
2. Analyse it statically with IDA.

The program calls scanf to read four 8-byte strings into fixed memory addresses, then processes the 32 bytes one at a time, and finally decides by string comparison and prints Good Job or Try again.
3. Write a script that solves for the input that makes the program print Good Job. Symbolic execution can start right after the scanf call has read the input, but then the four memory buffers have to be filled with symbolic values by hand.
```python
import angr
import claripy


def isGood(state):
    # stdout (fd 1) of this path contains the success message
    return b'Good Job.' in state.posix.dumps(1)


def isBad(state):
    return b'Try again.' in state.posix.dumps(1)


p = angr.Project("./05")
# address right after the scanf call returns
start_addr = 0x8048601
init_state = p.factory.blank_state(addr=start_addr)

# one 64-bit (8-byte) symbolic value per input string
p1 = claripy.BVS('p1', 64)
p2 = claripy.BVS('p2', 64)
p3 = claripy.BVS('p3', 64)
p4 = claripy.BVS('p4', 64)

# the four buffers scanf writes to, taken from the disassembly
p1_addr = 0xA1BA1C0
p2_addr = 0xA1BA1C8
p3_addr = 0xA1BA1D0
p4_addr = 0xA1BA1D8

# memory.store writes a bitvector big-endian by default, so the first
# character of each string sits at the lowest address, as scanf would leave it
init_state.memory.store(p1_addr, p1)
init_state.memory.store(p2_addr, p2)
init_state.memory.store(p3_addr, p3)
init_state.memory.store(p4_addr, p4)

sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)

for i in range(0, len(sm.found)):
    found_state = sm.found[i]
    # cast_to=bytes returns the 8 bytes in memory order
    res1 = found_state.solver.eval(p1, cast_to=bytes).decode()
    res2 = found_state.solver.eval(p2, cast_to=bytes).decode()
    res3 = found_state.solver.eval(p3, cast_to=bytes).decode()
    res4 = found_state.solver.eval(p4, cast_to=bytes).decode()
    print(res1)
    print(res2)
    print(res3)
    print(res4)
```
4. Run the script to see the results.

5. Verify the results against the program.