首页
社区
课程
招聘
[原创]符号学习之 Angr(二)通过 angr CTF 学习 angr 基本操作
发表于: 2021-4-26 11:40 7899

[原创]符号学习之 Angr(二)通过 angr CTF 学习 angr 基本操作

2021-4-26 11:40
7899

本文通过 angr_CTF 学习 angr 的操作

首先,对所有文件执行 checksec

确定所有的可执行文件 pie 都已经关闭

00_angr_find
直接获取字符进行复杂计算后,判断是否相同
查找满足达到 Good Job 地址的输入

01_angr_avoid
拖入 IDA
执行反编译,弹窗函数太大


当二进制函数太大时,使用 avoid 反向查找也能达到很好的效果

02_angr_find_condition
拖入 IDA 就离谱

内部的 Good JobTry again 也太多了
此时可以探索满足条件的状态,而非地址值

03_angr_symbolic_registers
拖入 IDA

输入函数是要求输入三个数字,分别存入 eax ebx edx
判断对这三个数字进行复杂计算后是否为零,而得到 Good job

所以我们的目的是获得满足需求的寄存器值,可以考虑设置寄存器符号值进行求解

get_user_input 下一行设置为起始地址,此时无需初始化,可以用 blank_state()

构建三个符号值,传入该状态相应寄存器,随后进行求解

04_angr_symbolic_stack
拖入 IDA

输入函数要求输入两个参数,进行复杂计算后同样进行判断,解决办法可以同上题一致
与上题不同的是,由于栈的存在,起始地址的选择需要注意

scanf 之后启动,我们跳过对应栈,手动构造所需栈

完整解答

05_angr_symbolic_memory
本题调用 scanf("%8s %8s %8s %8s")
直接对内存操作即可,注意最终输出结果需要转换为 bytes

06_angr_symbolic_dynamic_memory
上题是静态内存加载,如果是动态内存该如何解决呢
可以伪造一个未被使用的内存地址,并修改数据指针指向该地址
注: Angr 在内存中存储整数使用大端序,你可以使用参数 endness=proj.arch.memory_endness,在 x86 平台上,是小端序

07_angr_symbolic_file
本题大致流程是使用 fread 函数从文件中读取 password,命令行输入将被写入 ignore_me 函数的文件中

需要确定读取文件的 fread 函数并将其文件参数替换成我们手动模拟出的文件,最后解出符号输入

txt -> fopen() -> fread() -> fclose() -> unlink()

08_angr_constraints
本题主要流程是构造了一个判断函数 check_equals_xxxxxxx,它会将经过复杂计算的输入与其引用的的字符串做比较

思路为在这个函数之前手动约束输入字符串与引用字符串相等

09_angr_hooks
与上题相比,在 check_equals_xxxxx 之后再输入字符串与经复杂计算的内置密码进行比较,采用 Hook 处理掉 check_equals_xxxx

10_angr_simprocedures
拖入 IDA,这种图又来了

类似与上题,但是调用次数太多,采用 hook 的方法就没有任何意义了,所以可以使用 SimProcedure 自己实现 check_equals_xxxxHook check_equals_xxxx符号

11_angr_sim_scanf
拖入 IDA,为何总是它

这次不再是 check_equals_xxxx 了,而是换成了 scanf,构造自己的版本进行替换,因为 Angr 不支持用 scanf 请求多个参数

12_angr_veritesting
本题是对 veritesting 参数的尝试验证

13_angr_static_binary
本题与第一题相似,只不过是使用静态库编译,Angr 可以使用使用 SimProcedures 将标准库进行替换以加快运行速度

加上 veritesting 后依旧可以解出来

本来还想测试一下速度比,在看到未替换文件执行过程的艰难后,我只能说 Angr 真强

14_angr_shared_library
本题中检查函数由外部 so 文件加载,如何加载 so 文件呢?
共享库文件使用 PIC 即位置无关代码,在加载时,需要指定基址

15_angr_arbitrary_read

本题需要通过输入数字和字符串将程序溢出达到任意读的目的
所以考虑的步骤为:

16_angr_arbitrary_write
拖入 IDA

本题目的是通过控制 strncpy 的源数据和目的地址来实现向任意地址写入任意数据
约束为源数据为引用字符串,目的指针指向安全缓存

17_angr_arbitrary_jump
当一个指令有很多分支的可能性时,称之为不受约束的状态, 比如说当用户的输入决定下一条指令的位置

Angr 在遭遇不受约束状态时会将其抛出,本题将要关闭默认行为,转而利用此状态去进行任意跳转
处理步骤:

参考资料
angr_ctf 题目
https://github.com/jakespringer/angr_ctf

write_ups 参考
https://github.com/Hustcw/Angr_Tutorial_For_CTF
https://github.com/ZERO-A-ONE/AngrCTF_FITM
https://blog.csdn.net/u013648063/category_10403710.html?spm=1001.2014.3001.5482

 
import angr
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/00_angr_find")
 
    init_state = proj.factory.entry_state()
    simulation = proj.factory.simgr(init_state)
 
    print_good = 0x0804867D
 
    simulation.explore(find=print_good)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(0))
    else:
        print('no solution')
 
if __name__ == '__main__':
    main()
import angr
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/00_angr_find")
 
    init_state = proj.factory.entry_state()
    simulation = proj.factory.simgr(init_state)
 
    print_good = 0x0804867D
 
    simulation.explore(find=print_good)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(0))
    else:
        print('no solution')
 
if __name__ == '__main__':
    main()
import angr
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/01_angr_avoid")
 
    init_state = proj.factory.entry_state()
 
    simulation = proj.factory.simgr(init_state)
 
    print_good = 0x080485E5
 
    avoid_address = 0x080485A8
 
    simulation.explore(find=print_good, avoid=avoid_address)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(0))
    else:
        print('no solution')
 
if __name__ == '__main__':
    main()
import angr
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/01_angr_avoid")
 
    init_state = proj.factory.entry_state()
 
    simulation = proj.factory.simgr(init_state)
 
    print_good = 0x080485E5
 
    avoid_address = 0x080485A8
 
    simulation.explore(find=print_good, avoid=avoid_address)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(0))
    else:
        print('no solution')
 
if __name__ == '__main__':
    main()
import angr
import sys
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/02_angr_find_condition")
    init_state = proj.factory.entry_state()
    simulation = proj.factory.simgr(init_state)
 
    def is_successful(state):
        return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
    def should_abort(state):
        return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(sys.stdin.fileno()))
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import sys
 
def main():
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/02_angr_find_condition")
    init_state = proj.factory.entry_state()
    simulation = proj.factory.simgr(init_state)
 
    def is_successful(state):
        return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
    def should_abort(state):
        return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        print('flag: ', solution.posix.dumps(sys.stdin.fileno()))
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
 
 
 
import angr
import claripy
import sys
 
def main():
    def is_successful(state):
        return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
    def should_abort(state):
        return b'Try again' in state.posix.dumps(sys.stdout.fileno())
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/03_angr_symbolic_registers")
 
    start_address = 0x08048980
 
    init_state = proj.factory.blank_state(addr=start_address)
    simulation = proj.factory.simgr(init_state)
 
    password0 = claripy.BVS('p0', 32)
    password1 = claripy.BVS('p1', 32)
    password2 = claripy.BVS('p2', 32)
 
    init_state.regs.eax = password0
    init_state.regs.ebx = password1
    init_state.regs.edx = password2
 
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0)
        solution1 = solution.solver.eval(password1)
        solution2 = solution.solver.eval(password2)
 
        print('flag: ', hex(solution0), hex(solution1), hex(solution2))
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def main():
    def is_successful(state):
        return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
    def should_abort(state):
        return b'Try again' in state.posix.dumps(sys.stdout.fileno())
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/03_angr_symbolic_registers")
 
    start_address = 0x08048980
 
    init_state = proj.factory.blank_state(addr=start_address)
    simulation = proj.factory.simgr(init_state)
 
    password0 = claripy.BVS('p0', 32)
    password1 = claripy.BVS('p1', 32)
    password2 = claripy.BVS('p2', 32)
 
    init_state.regs.eax = password0
    init_state.regs.ebx = password1
    init_state.regs.edx = password2
 
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0)
        solution1 = solution.solver.eval(password1)
        solution2 = solution.solver.eval(password2)
 
        print('flag: ', hex(solution0), hex(solution1), hex(solution2))
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
push    ebp
mov     ebp, esp
sub     esp, 18h
# 以上为正常加载时,栈帧处理
 
sub     esp, 4
lea     eax, [ebp+var_10]
push    eax
lea     eax, [ebp+var_C]
push    eax
push    offset aUU      ; "%u %u"
call    ___isoc99_scanf
add     esp, 10h
# 以上为执行 scanf 时的完整栈帧处理
 
mov     eax, [ebp+var_C]
sub     esp, 0Ch
...
push    ebp
mov     ebp, esp
sub     esp, 18h
# 以上为正常加载时,栈帧处理
 
sub     esp, 4
lea     eax, [ebp+var_10]
push    eax
lea     eax, [ebp+var_C]
push    eax
push    offset aUU      ; "%u %u"
call    ___isoc99_scanf
add     esp, 10h
# 以上为执行 scanf 时的完整栈帧处理
 
mov     eax, [ebp+var_C]
sub     esp, 0Ch
...
1. esp -> ebp
 
由于两个参数是从 [ebp - 10h] [ebp - 0ch] 处取得
2. padding [ebp, ebp-8h]
 
3. push symbols to [ebp - 10h] [ebp - 0ch]
1. esp -> ebp
 
由于两个参数是从 [ebp - 10h] [ebp - 0ch] 处取得
2. padding [ebp, ebp-8h]
 
3. push symbols to [ebp - 10h] [ebp - 0ch]
import angr
import claripy
import sys
 
def is_successful(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def should_abort(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/04_angr_symbolic_stack")
 
    start_address = 0x8048697
 
    init_state = proj.factory.blank_state(addr=start_address)
 
    init_state.regs.ebp = init_state.regs.esp
 
    password0 = claripy.BVS('password0', 32)
    password1 = claripy.BVS('password1', 32)
 
    padding_len = 0x8
    init_state.regs.esp -= padding_len
 
    init_state.stack_push(password0)
    init_state.stack_push(password1)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0)
        solution1 = solution.solver.eval(password1)
 
        print('flag: ', solution0, solution1)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def is_successful(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def should_abort(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/04_angr_symbolic_stack")
 
    start_address = 0x8048697
 
    init_state = proj.factory.blank_state(addr=start_address)
 
    init_state.regs.ebp = init_state.regs.esp
 
    password0 = claripy.BVS('password0', 32)
    password1 = claripy.BVS('password1', 32)
 
    padding_len = 0x8
    init_state.regs.esp -= padding_len
 
    init_state.stack_push(password0)
    init_state.stack_push(password1)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=is_successful, avoid=should_abort)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0)
        solution1 = solution.solver.eval(password1)
 
        print('flag: ', solution0, solution1)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/05_angr_symbolic_memory")
 
    start_address = 0x08048601
    init_state = proj.factory.blank_state(addr=start_address)
 
    user_input = claripy.BVS("user_input", 64)
    password0 = claripy.BVS("password0", 64)
    password1 = claripy.BVS("password1", 64)
    password2 = claripy.BVS("password2", 64)
 
    init_state.memory.store(0x0A1BA1C0, user_input)
    init_state.memory.store(0x0A1BA1C8, password0)
    init_state.memory.store(0x0A1BA1D0, password1)
    init_state.memory.store(0x0A1BA1D8, password2)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(user_input, cast_to=bytes)
        solution1 = solution.solver.eval(password0, cast_to=bytes)
        solution2 = solution.solver.eval(password1, cast_to=bytes)
        solution3 = solution.solver.eval(password2, cast_to=bytes)
 
        print('flag: ', solution0, solution1, solution2, solution3)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/05_angr_symbolic_memory")
 
    start_address = 0x08048601
    init_state = proj.factory.blank_state(addr=start_address)
 
    user_input = claripy.BVS("user_input", 64)
    password0 = claripy.BVS("password0", 64)
    password1 = claripy.BVS("password1", 64)
    password2 = claripy.BVS("password2", 64)
 
    init_state.memory.store(0x0A1BA1C0, user_input)
    init_state.memory.store(0x0A1BA1C8, password0)
    init_state.memory.store(0x0A1BA1D0, password1)
    init_state.memory.store(0x0A1BA1D8, password2)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(user_input, cast_to=bytes)
        solution1 = solution.solver.eval(password0, cast_to=bytes)
        solution2 = solution.solver.eval(password1, cast_to=bytes)
        solution3 = solution.solver.eval(password2, cast_to=bytes)
 
        print('flag: ', solution0, solution1, solution2, solution3)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/06_angr_symbolic_dynamic_memory")
 
    start_address = 0x08048699
    init_state = proj.factory.blank_state(addr=start_address)
 
    fake_heap_addr = 0x602000
    buffer0 = 0x0ABCC8A4
    buffer1 = 0x0ABCC8AC
    password0 = claripy.BVS("password0", 64)
    password1 = claripy.BVS("password1", 64)
 
    init_state.mem[buffer0].uint32_t = fake_heap_addr
    init_state.mem[buffer1].uint32_t = fake_heap_addr + 9
 
    init_state.memory.store(0x602000, password0)
    init_state.memory.store(0x602000 + 9, password1)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0, cast_to=bytes)
        solution1 = solution.solver.eval(password1, cast_to=bytes)
 
        print('flag: ', solution0 + solution1)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/06_angr_symbolic_dynamic_memory")
 
    start_address = 0x08048699
    init_state = proj.factory.blank_state(addr=start_address)
 
    fake_heap_addr = 0x602000
    buffer0 = 0x0ABCC8A4
    buffer1 = 0x0ABCC8AC
    password0 = claripy.BVS("password0", 64)
    password1 = claripy.BVS("password1", 64)
 
    init_state.mem[buffer0].uint32_t = fake_heap_addr
    init_state.mem[buffer1].uint32_t = fake_heap_addr + 9
 
    init_state.memory.store(0x602000, password0)
    init_state.memory.store(0x602000 + 9, password1)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password0, cast_to=bytes)
        solution1 = solution.solver.eval(password1, cast_to=bytes)
 
        print('flag: ', solution0 + solution1)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
 
 
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/07_angr_symbolic_file")
 
    start_address = 0x080488E7
    init_state = proj.factory.blank_state(addr=start_address)
 
    filename = 'OJKSQYDP.txt'
    symbolic_file_size_bytes = 64
 
    password = claripy.BVS('password', symbolic_file_size_bytes * 8)
    password_file = angr.storage.SimFile(filename, content=password, size=symbolic_file_size_bytes)
    init_state.fs.insert(filename, password_file)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password, cast_to=bytes)
 
        print('flag: ', solution0)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/07_angr_symbolic_file")
 
    start_address = 0x080488E7
    init_state = proj.factory.blank_state(addr=start_address)
 
    filename = 'OJKSQYDP.txt'
    symbolic_file_size_bytes = 64
 
    password = claripy.BVS('password', symbolic_file_size_bytes * 8)
    password_file = angr.storage.SimFile(filename, content=password, size=symbolic_file_size_bytes)
    init_state.fs.insert(filename, password_file)
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        solution0 = solution.solver.eval(password, cast_to=bytes)
 
        print('flag: ', solution0)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
 
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/08_angr_constraints")
 
    start_address = 0x08048625
    init_state = proj.factory.blank_state(addr=start_address)
 
    password = claripy.BVS('passwd', 16*8)
    init_state.memory.store(0x804A050, password)
 
    checkpoints_addr = 0x0804866C
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=checkpoints_addr)
 
    if simulation.found:
        solution = simulation.found[0]
        load_symbol = solution.memory.load(0x804A050, 16)
        solution.add_constraints(load_symbol == 'AUPDNNPROEZRJWKB')
        flag = solution.solver.eval(password, cast_to=bytes)
 
        print('flag: ', flag)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/08_angr_constraints")
 
    start_address = 0x08048625
    init_state = proj.factory.blank_state(addr=start_address)
 
    password = claripy.BVS('passwd', 16*8)
    init_state.memory.store(0x804A050, password)
 
    checkpoints_addr = 0x0804866C
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=checkpoints_addr)
 
    if simulation.found:
        solution = simulation.found[0]
        load_symbol = solution.memory.load(0x804A050, 16)
        solution.add_constraints(load_symbol == 'AUPDNNPROEZRJWKB')
        flag = solution.solver.eval(password, cast_to=bytes)
 
        print('flag: ', flag)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/09_angr_hooks")
 
    init_state = proj.factory.entry_state()
 
    checkpoints_addr = 0x080486B3
    skip_len = 5
 
    @proj.hook(checkpoints_addr, length=skip_len)
    def skip_check(state):
        buffer_addr = 0x0804A054
        load_buffer_symbol = state.memory.load(buffer_addr, 16)
        check_str = 'XYMKBKUHNIQYNQXE'
        state.regs.eax = claripy.If(
            load_buffer_symbol == check_str,
            claripy.BVV(1, 32),
            claripy.BVV(0, 32)
        )
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        flag = solution.posix.dumps(sys.stdin.fileno())
 
        print('flag: ', flag)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()
import angr
import claripy
import sys
 
def success(state):
    return b'Good Job' in state.posix.dumps(sys.stdout.fileno())
 
def fail(state):
    return b'Try again' in state.posix.dumps(sys.stdout.fileno())
 
def main():
 
    proj = angr.Project("/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/09_angr_hooks")
 
    init_state = proj.factory.entry_state()
 
    checkpoints_addr = 0x080486B3
    skip_len = 5
 
    @proj.hook(checkpoints_addr, length=skip_len)
    def skip_check(state):
        buffer_addr = 0x0804A054
        load_buffer_symbol = state.memory.load(buffer_addr, 16)
        check_str = 'XYMKBKUHNIQYNQXE'
        state.regs.eax = claripy.If(
            load_buffer_symbol == check_str,
            claripy.BVV(1, 32),
            claripy.BVV(0, 32)
        )
 
    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=success, avoid=fail)
 
    if simulation.found:
        solution = simulation.found[0]
        flag = solution.posix.dumps(sys.stdin.fileno())
 
        print('flag: ', flag)
    else:
        print('no flag')
 
if __name__ == '__main__':
    main()

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//