当前位置:网站首页>Angr(七)——angr_ctf
Angr(七)——angr_ctf
2022-07-25 09:27:00 【c1rcl3】
通过angr_ctf熟悉angr的使用方法
参考链接:
10
1. 直接下载angr_ctf提供的ELF可执行文件10_angr_simprocedures
2. 用IDA静态分析
main函数调用scanf读取用户输入到buffer中,之后调用complex_function函数逐字符对buffer中的内容进行处理。最后将处理后的内容与password中的内容比较。
3. 编写脚本求解程序输出Good Job时对应的输入,为了避免字符串比较带来的路径爆炸,可以对字符串比较函数进行hook。与09中通过地址进行hook不同,由于10中多次调用了字符串比较函数,所以直接对符号(函数名)进行hook
import angr
import claripy
def isGood(state):
return b'Good Job.' in state.posix.dumps(1)
def isBad(state):
return b'Try again.' in state.posix.dumps(1)
p = angr.Project("./10")
init_state = p.factory.entry_state()
class mySimProcedure(angr.SimProcedure):
def run(self, buffer_addr, buffer_size):
bvt = self.state.memory.load(buffer_addr, buffer_size)
target = "ORSDDWXHZURJRBDH".encode()
return claripy.If(target == bvt, claripy.BVV(1, 32), claripy.BVV(0, 32))
check_symbol = "check_equals_ORSDDWXHZURJRBDH"
p.hook_symbol(check_symbol, mySimProcedure())
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
found_state = sm.found[i]
print("{}".format(found_state.posix.dumps(0)))4. 运行脚本查看结果
5. 检查结果的正确性
11
1. 直接下载angr_ctf提供的ELF可执行文件11_angr_sim_scanf
2. 用IDA静态分析
main函数中,调用complex_function函数对字符串s中的8个字符逐个处理,再读取两个无符号整数到buffer0和buffer1,分别比较buffer0与s的前四个字符,buffer1与s的后四个字符(32位)。
3. 编写脚本求解程序输出Good Job时对应的输入
import angr
import claripy
def isGood(state):
return b'Good Job.' in state.posix.dumps(1)
def isBad(state):
return b'Try again.' in state.posix.dumps(1)
p = angr.Project("./11")
init_state = p.factory.entry_state()
class mySimProcedure(angr.SimProcedure):
def run(self, format_addr, buffer0_addr, buffer1_addr):
buffer0 = claripy.BVS('buffer0', 32)
buffer1 = claripy.BVS('buffer1', 32)
self.state.memory.store(buffer0_addr, buffer0, endness=p.arch.memory_endness)
self.state.memory.store(buffer1_addr, buffer1, endness=p.arch.memory_endness)
self.state.globals['solutions0'] = buffer0
self.state.globals['solutions1'] = buffer1
scanf_symbol = "__isoc99_scanf"
p.hook_symbol(scanf_symbol, mySimProcedure())
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
found_state = sm.found[i]
store_solution0 = found_state.globals['solutions0']
store_solution1 = found_state.globals['solutions1']
res0 = found_state.solver.eval(store_solution0)
res1 = found_state.solver.eval(store_solution1)
print("{} {}".format(res0, res1))4. 运行脚本查看结果
5. 验证结果的正确性
边栏推荐
猜你喜欢
随机推荐
1、 Initial mysql, MySQL installation, environment configuration, initialization
Copy the old project into a web project
The first week of the fifth stage
字符串切片的用法
Nodejs initial experience
Swing组件
修改mysql的分组报错Expression #1 of SELECT list is not in GROUP
字符串最长公共前缀
Leetcode 560 前缀和+哈希表
JDBC操作数据库详解
VS Code 连接远程 Jupyter 服务器
message from server: “Host ‘xxx.xxx.xxx.xxx‘ is not allowed to connect to this MySQL server“
Duplicate SSL_ Anti spoofing, spoofing attacks and deep forgery detection using wav2vec 2.0 and data enhanced automatic speaker authentication
js数字千位分割的常用方法
一文学会,三款黑客必备的抓包工具教学
nodejs链接mysql报错:ER_NOT_SUPPORTED_AUTH_MODEError: ER_NOT_SUPPORTED_AUTH_MODE
conda 配置深度学习环境 pytorch transformers
NPM详解
mysql历史数据补充新数据
JS uses requestanimationframe to detect the FPS frame rate of the current animation in real time