Angr (IX) -- angr_ctf
2022-07-25 10:20:00 【c1rcl3】
Getting familiar with how to use angr by working through angr_ctf.
Reference link:
bilibili - angr symbolic execution
14
1. Download the ELF executable 14_angr_shared_library provided by angr_ctf
2. Use IDA for static analysis

The function logic is fairly simple. The difference from the previous examples is that the validate function lives in a dynamic link library (.so file). The final load address of a shared object is not known at compile time: at load time the loader looks at which parts of the address space are free and assigns a free virtual address range that is large enough. Every address inside the shared library is therefore base+offset.
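To make base+offset concrete, here is an added example (not part of the original post) that parses the program headers of a 32-bit shared object, rebases an IDA offset such as 0x6D7 onto a chosen base, and checks that a scratch buffer does not collide with the mapped image. It goes slightly beyond the text by also requiring the offset to lie in an executable segment; the ELF bytes, segment sizes and helper names are constructed for illustration and are not taken from the real library.

```python
import struct

PT_LOAD, PF_X, ET_DYN = 1, 1, 3

def load_segments(elf):
    """Return (vaddr, memsz, flags) for each PT_LOAD segment of a 32-bit little-endian ELF."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    e_type, = struct.unpack_from("<H", elf, 16)
    if e_type != ET_DYN:
        raise ValueError("not a shared object; its addresses are already absolute")
    e_phoff, = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    segs = []
    for i in range(e_phnum):
        p_type, _, vaddr, _, _, memsz, flags, _ = struct.unpack_from(
            "<8I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, memsz, flags))
    return segs

def rebase(elf, base, offset):
    """Map an IDA-style offset to base+offset, only if it lies in executable code."""
    for vaddr, memsz, flags in load_segments(elf):
        if vaddr <= offset < vaddr + memsz and flags & PF_X:
            return base + offset
    raise ValueError(f"offset {offset:#x} is not in an executable segment")

def overlaps_image(elf, base, addr, size):
    """True if [addr, addr+size) collides with the library mapped at base."""
    return any(addr < base + v + m and base + v < addr + size
               for v, m, _ in load_segments(elf))

# Constructed sample: an ELF32 header plus two program headers (not the real .so).
SAMPLE = (struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", ET_DYN, 3, 1,
                      0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
          + struct.pack("<8I", PT_LOAD, 0, 0x0, 0x0, 0x8C4, 0x8C4, 5, 0x1000)
          + struct.pack("<8I", PT_LOAD, 0xF00, 0x1F00, 0x1F00, 0x120, 0x124, 6, 0x1000))

if __name__ == "__main__":
    base = 0x4000000
    print(hex(rebase(SAMPLE, base, 0x6D7)))            # absolute start address
    print(overlaps_image(SAMPLE, base, 0x3000000, 8))  # password buffer vs. image
```

To run the same checks against the real library, pass the bytes of lib14_angr_shared_library.so instead of SAMPLE.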
3. Write a script that solves for the input that makes the program output Good Job
import angr
import claripy

# Base address chosen for the shared library; every address in it is base + offset
base = 0x4000000
p = angr.Project('./lib14_angr_shared_library.so', load_options={
    'main_opts': {
        # backend: which backend to use, either an object or a name (string)
        # custom_base_addr: the base address to use
        # custom_entry_point: the entry point to use
        # custom_arch: the name of the processor architecture to use
        # (newer angr releases name these options base_addr, entry_point and arch)
        'custom_base_addr': base
    }
})

# Address of the buffer that holds the password, passed as the first argument
pass_addr = claripy.BVV(0x3000000, 32)
validate_addr = base + 0x6D7
# Start execution directly at validate(pass_addr, 8)
init_state = p.factory.call_state(validate_addr, pass_addr, claripy.BVV(8, 32))
# 8 symbolic bytes stored in the password buffer
password = claripy.BVS('password', 8 * 8)
init_state.memory.store(pass_addr, password)

sm = p.factory.simulation_manager(init_state)
# Explore until execution reaches base + 0x783
sm.explore(find=base + 0x783)
for found_state in sm.found:
    # Require eax (the return-value register) to be non-zero
    found_state.add_constraints(found_state.regs.eax != 0)
    print(found_state.solver.eval(password, cast_to=bytes).decode())

4. Run the script to see the result

5. Verify that the result is correct
If running the program fails with "error while loading shared libraries: lib14_angr_shared_library.so: cannot open shared object file: No such file or directory", fix it as follows:
1. Edit the /etc/ld.so.conf file and, below the line include /etc/ld.so.conf.d/*.conf, add a line containing the directory where the .so file is located

2. Run the command /sbin/ldconfig -v