-
-
[原创]符号学习之 Angr(二)通过 angr CTF 学习 angr 基本操作
-
发表于: 2021-4-26 11:40 7899
-
本文通过 angr_CTF 学习 angr 的操作
首先,对所有文件执行 checksec
确定所有的可执行文件 pie
都已经关闭
00_angr_find
直接获取字符进行复杂计算后,判断是否相同
查找满足达到 Good Job
地址的输入
01_angr_avoid
拖入 IDA
执行反编译,弹窗函数太大
当二进制函数太大时,使用 avoid 反向查找也能达到很好的效果
02_angr_find_condition
拖入 IDA 就离谱
内部的 Good Job
和 Try again
也太多了
此时可以探索满足条件的状态,而非地址值
03_angr_symbolic_registers
拖入 IDA
输入函数是要求输入三个数字,分别存入 eax
ebx
edx
判断对这三个数字进行复杂计算后是否为零,而得到 Good job
所以我们的目的是获得满足需求的寄存器值,可以考虑设置寄存器符号值进行求解
将 get_user_input
下一行设置为起始地址,此时无需初始化,可以用 blank_state()
构建三个符号值,传入该状态相应寄存器,随后进行求解
04_angr_symbolic_stack
拖入 IDA
输入函数要求输入两个参数,进行复杂计算后同样进行判断,解决办法可以同上题一致
与上题不同的是,由于栈的存在,起始地址的选择需要注意
在 scanf
之后启动,我们跳过对应栈,手动构造所需栈
完整解答
05_angr_symbolic_memory
本题调用 scanf("%8s %8s %8s %8s")
直接对内存操作即可,注意最终输出结果需要转换为 bytes
06_angr_symbolic_dynamic_memory
上题是静态内存加载,如果是动态内存该如何解决呢
可以伪造一个未被使用的内存地址,并修改数据指针指向该地址
注: Angr 在内存中存储整数使用大端序,你可以使用参数 endness=proj.arch.memory_endness
,在 x86 平台上,是小端序
07_angr_symbolic_file
本题大致流程是使用 fread
函数从文件中读取 password
,命令行输入将被写入 ignore_me
函数的文件中
需要确定读取文件的 fread
函数并将其文件参数替换成我们手动模拟出的文件,最后解出符号输入
txt -> fopen() -> fread() -> fclose() -> unlink()
08_angr_constraints
本题主要流程是构造了一个判断函数 check_equals_xxxxxxx
,它会将经过复杂计算的输入与其引用的的字符串做比较
思路为在这个函数之前手动约束输入字符串与引用字符串相等
09_angr_hooks
与上题相比,在 check_equals_xxxxx
之后再输入字符串与经复杂计算的内置密码进行比较,采用 Hook
处理掉 check_equals_xxxx
10_angr_simprocedures
拖入 IDA,这种图又来了
类似与上题,但是调用次数太多,采用 hook 的方法就没有任何意义了,所以可以使用 SimProcedure
自己实现 check_equals_xxxx
并 Hook
check_equals_xxxx
符号
11_angr_sim_scanf
拖入 IDA,为何总是它
这次不再是 check_equals_xxxx
了,而是换成了 scanf
,构造自己的版本进行替换,因为 Angr
不支持用 scanf
请求多个参数
12_angr_veritesting
本题是对 veritesting
参数的尝试验证
13_angr_static_binary
本题与第一题相似,只不过是使用静态库编译,Angr 可以使用使用 SimProcedures
将标准库进行替换以加快运行速度
加上 veritesting
后依旧可以解出来
本来还想测试一下速度比,在看到未替换文件执行过程的艰难后,我只能说 Angr
真强
14_angr_shared_library
本题中检查函数由外部 so
文件加载,如何加载 so
文件呢?
共享库文件使用 PIC
即位置无关代码,在加载时,需要指定基址
15_angr_arbitrary_read
本题需要通过输入数字和字符串将程序溢出达到任意读的目的
所以考虑的步骤为:
16_angr_arbitrary_write
拖入 IDA
本题目的是通过控制 strncpy
的源数据和目的地址来实现向任意地址写入任意数据
约束为源数据为引用字符串,目的指针指向安全缓存
17_angr_arbitrary_jump
当一个指令有很多分支的可能性时,称之为不受约束的状态, 比如说当用户的输入决定下一条指令的位置
Angr
在遭遇不受约束状态时会将其抛出,本题将要关闭默认行为,转而利用此状态去进行任意跳转
处理步骤:
参考资料
angr_ctf 题目
https://github.com/jakespringer/angr_ctf
write_ups 参考
https://github.com/Hustcw/Angr_Tutorial_For_CTF
https://github.com/ZERO-A-ONE/AngrCTF_FITM
https://blog.csdn.net/u013648063/category_10403710.html?spm=1001.2014.3001.5482
import
angr
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/00_angr_find"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
print_good
=
0x0804867D
simulation.explore(find
=
print_good)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(
0
))
else
:
print
(
'no solution'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/00_angr_find"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
print_good
=
0x0804867D
simulation.explore(find
=
print_good)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(
0
))
else
:
print
(
'no solution'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/01_angr_avoid"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
print_good
=
0x080485E5
avoid_address
=
0x080485A8
simulation.explore(find
=
print_good, avoid
=
avoid_address)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(
0
))
else
:
print
(
'no solution'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/01_angr_avoid"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
print_good
=
0x080485E5
avoid_address
=
0x080485A8
simulation.explore(find
=
print_good, avoid
=
avoid_address)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(
0
))
else
:
print
(
'no solution'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
sys
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/02_angr_find_condition"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(sys.stdin.fileno()))
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
sys
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/02_angr_find_condition"
)
init_state
=
proj.factory.entry_state()
simulation
=
proj.factory.simgr(init_state)
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
print
(
'flag: '
, solution.posix.dumps(sys.stdin.fileno()))
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
main():
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/03_angr_symbolic_registers"
)
start_address
=
0x08048980
init_state
=
proj.factory.blank_state(addr
=
start_address)
simulation
=
proj.factory.simgr(init_state)
password0
=
claripy.BVS(
'p0'
,
32
)
password1
=
claripy.BVS(
'p1'
,
32
)
password2
=
claripy.BVS(
'p2'
,
32
)
init_state.regs.eax
=
password0
init_state.regs.ebx
=
password1
init_state.regs.edx
=
password2
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0)
solution1
=
solution.solver.
eval
(password1)
solution2
=
solution.solver.
eval
(password2)
print
(
'flag: '
,
hex
(solution0),
hex
(solution1),
hex
(solution2))
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
main():
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/03_angr_symbolic_registers"
)
start_address
=
0x08048980
init_state
=
proj.factory.blank_state(addr
=
start_address)
simulation
=
proj.factory.simgr(init_state)
password0
=
claripy.BVS(
'p0'
,
32
)
password1
=
claripy.BVS(
'p1'
,
32
)
password2
=
claripy.BVS(
'p2'
,
32
)
init_state.regs.eax
=
password0
init_state.regs.ebx
=
password1
init_state.regs.edx
=
password2
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0)
solution1
=
solution.solver.
eval
(password1)
solution2
=
solution.solver.
eval
(password2)
print
(
'flag: '
,
hex
(solution0),
hex
(solution1),
hex
(solution2))
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
push ebp
mov ebp, esp
sub esp,
18h
# 以上为正常加载时,栈帧处理
sub esp,
4
lea eax, [ebp
+
var_10]
push eax
lea eax, [ebp
+
var_C]
push eax
push offset aUU ;
"%u %u"
call ___isoc99_scanf
add esp,
10h
# 以上为执行 scanf 时的完整栈帧处理
mov eax, [ebp
+
var_C]
sub esp,
0Ch
...
push ebp
mov ebp, esp
sub esp,
18h
# 以上为正常加载时,栈帧处理
sub esp,
4
lea eax, [ebp
+
var_10]
push eax
lea eax, [ebp
+
var_C]
push eax
push offset aUU ;
"%u %u"
call ___isoc99_scanf
add esp,
10h
# 以上为执行 scanf 时的完整栈帧处理
mov eax, [ebp
+
var_C]
sub esp,
0Ch
...
1.
esp
-
> ebp
由于两个参数是从 [ebp
-
10h
] [ebp
-
0ch
] 处取得
2.
padding [ebp, ebp
-
8h
]
3.
push symbols to [ebp
-
10h
] [ebp
-
0ch
]
1.
esp
-
> ebp
由于两个参数是从 [ebp
-
10h
] [ebp
-
0ch
] 处取得
2.
padding [ebp, ebp
-
8h
]
3.
push symbols to [ebp
-
10h
] [ebp
-
0ch
]
import
angr
import
claripy
import
sys
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/04_angr_symbolic_stack"
)
start_address
=
0x8048697
init_state
=
proj.factory.blank_state(addr
=
start_address)
init_state.regs.ebp
=
init_state.regs.esp
password0
=
claripy.BVS(
'password0'
,
32
)
password1
=
claripy.BVS(
'password1'
,
32
)
padding_len
=
0x8
init_state.regs.esp
-
=
padding_len
init_state.stack_push(password0)
init_state.stack_push(password1)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0)
solution1
=
solution.solver.
eval
(password1)
print
(
'flag: '
, solution0, solution1)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
is_successful(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
should_abort(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/04_angr_symbolic_stack"
)
start_address
=
0x8048697
init_state
=
proj.factory.blank_state(addr
=
start_address)
init_state.regs.ebp
=
init_state.regs.esp
password0
=
claripy.BVS(
'password0'
,
32
)
password1
=
claripy.BVS(
'password1'
,
32
)
padding_len
=
0x8
init_state.regs.esp
-
=
padding_len
init_state.stack_push(password0)
init_state.stack_push(password1)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
is_successful, avoid
=
should_abort)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0)
solution1
=
solution.solver.
eval
(password1)
print
(
'flag: '
, solution0, solution1)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/05_angr_symbolic_memory"
)
start_address
=
0x08048601
init_state
=
proj.factory.blank_state(addr
=
start_address)
user_input
=
claripy.BVS(
"user_input"
,
64
)
password0
=
claripy.BVS(
"password0"
,
64
)
password1
=
claripy.BVS(
"password1"
,
64
)
password2
=
claripy.BVS(
"password2"
,
64
)
init_state.memory.store(
0x0A1BA1C0
, user_input)
init_state.memory.store(
0x0A1BA1C8
, password0)
init_state.memory.store(
0x0A1BA1D0
, password1)
init_state.memory.store(
0x0A1BA1D8
, password2)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(user_input, cast_to
=
bytes)
solution1
=
solution.solver.
eval
(password0, cast_to
=
bytes)
solution2
=
solution.solver.
eval
(password1, cast_to
=
bytes)
solution3
=
solution.solver.
eval
(password2, cast_to
=
bytes)
print
(
'flag: '
, solution0, solution1, solution2, solution3)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/05_angr_symbolic_memory"
)
start_address
=
0x08048601
init_state
=
proj.factory.blank_state(addr
=
start_address)
user_input
=
claripy.BVS(
"user_input"
,
64
)
password0
=
claripy.BVS(
"password0"
,
64
)
password1
=
claripy.BVS(
"password1"
,
64
)
password2
=
claripy.BVS(
"password2"
,
64
)
init_state.memory.store(
0x0A1BA1C0
, user_input)
init_state.memory.store(
0x0A1BA1C8
, password0)
init_state.memory.store(
0x0A1BA1D0
, password1)
init_state.memory.store(
0x0A1BA1D8
, password2)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(user_input, cast_to
=
bytes)
solution1
=
solution.solver.
eval
(password0, cast_to
=
bytes)
solution2
=
solution.solver.
eval
(password1, cast_to
=
bytes)
solution3
=
solution.solver.
eval
(password2, cast_to
=
bytes)
print
(
'flag: '
, solution0, solution1, solution2, solution3)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/06_angr_symbolic_dynamic_memory"
)
start_address
=
0x08048699
init_state
=
proj.factory.blank_state(addr
=
start_address)
fake_heap_addr
=
0x602000
buffer0
=
0x0ABCC8A4
buffer1
=
0x0ABCC8AC
password0
=
claripy.BVS(
"password0"
,
64
)
password1
=
claripy.BVS(
"password1"
,
64
)
init_state.mem[buffer0].uint32_t
=
fake_heap_addr
init_state.mem[buffer1].uint32_t
=
fake_heap_addr
+
9
init_state.memory.store(
0x602000
, password0)
init_state.memory.store(
0x602000
+
9
, password1)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0, cast_to
=
bytes)
solution1
=
solution.solver.
eval
(password1, cast_to
=
bytes)
print
(
'flag: '
, solution0
+
solution1)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/06_angr_symbolic_dynamic_memory"
)
start_address
=
0x08048699
init_state
=
proj.factory.blank_state(addr
=
start_address)
fake_heap_addr
=
0x602000
buffer0
=
0x0ABCC8A4
buffer1
=
0x0ABCC8AC
password0
=
claripy.BVS(
"password0"
,
64
)
password1
=
claripy.BVS(
"password1"
,
64
)
init_state.mem[buffer0].uint32_t
=
fake_heap_addr
init_state.mem[buffer1].uint32_t
=
fake_heap_addr
+
9
init_state.memory.store(
0x602000
, password0)
init_state.memory.store(
0x602000
+
9
, password1)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password0, cast_to
=
bytes)
solution1
=
solution.solver.
eval
(password1, cast_to
=
bytes)
print
(
'flag: '
, solution0
+
solution1)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/07_angr_symbolic_file"
)
start_address
=
0x080488E7
init_state
=
proj.factory.blank_state(addr
=
start_address)
filename
=
'OJKSQYDP.txt'
symbolic_file_size_bytes
=
64
password
=
claripy.BVS(
'password'
, symbolic_file_size_bytes
*
8
)
password_file
=
angr.storage.SimFile(filename, content
=
password, size
=
symbolic_file_size_bytes)
init_state.fs.insert(filename, password_file)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password, cast_to
=
bytes)
print
(
'flag: '
, solution0)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/07_angr_symbolic_file"
)
start_address
=
0x080488E7
init_state
=
proj.factory.blank_state(addr
=
start_address)
filename
=
'OJKSQYDP.txt'
symbolic_file_size_bytes
=
64
password
=
claripy.BVS(
'password'
, symbolic_file_size_bytes
*
8
)
password_file
=
angr.storage.SimFile(filename, content
=
password, size
=
symbolic_file_size_bytes)
init_state.fs.insert(filename, password_file)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
solution0
=
solution.solver.
eval
(password, cast_to
=
bytes)
print
(
'flag: '
, solution0)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/08_angr_constraints"
)
start_address
=
0x08048625
init_state
=
proj.factory.blank_state(addr
=
start_address)
password
=
claripy.BVS(
'passwd'
,
16
*
8
)
init_state.memory.store(
0x804A050
, password)
checkpoints_addr
=
0x0804866C
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
checkpoints_addr)
if
simulation.found:
solution
=
simulation.found[
0
]
load_symbol
=
solution.memory.load(
0x804A050
,
16
)
solution.add_constraints(load_symbol
=
=
'AUPDNNPROEZRJWKB'
)
flag
=
solution.solver.
eval
(password, cast_to
=
bytes)
print
(
'flag: '
, flag)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/08_angr_constraints"
)
start_address
=
0x08048625
init_state
=
proj.factory.blank_state(addr
=
start_address)
password
=
claripy.BVS(
'passwd'
,
16
*
8
)
init_state.memory.store(
0x804A050
, password)
checkpoints_addr
=
0x0804866C
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
checkpoints_addr)
if
simulation.found:
solution
=
simulation.found[
0
]
load_symbol
=
solution.memory.load(
0x804A050
,
16
)
solution.add_constraints(load_symbol
=
=
'AUPDNNPROEZRJWKB'
)
flag
=
solution.solver.
eval
(password, cast_to
=
bytes)
print
(
'flag: '
, flag)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/09_angr_hooks"
)
init_state
=
proj.factory.entry_state()
checkpoints_addr
=
0x080486B3
skip_len
=
5
@proj
.hook(checkpoints_addr, length
=
skip_len)
def
skip_check(state):
buffer_addr
=
0x0804A054
load_buffer_symbol
=
state.memory.load(buffer_addr,
16
)
check_str
=
'XYMKBKUHNIQYNQXE'
state.regs.eax
=
claripy.If(
load_buffer_symbol
=
=
check_str,
claripy.BVV(
1
,
32
),
claripy.BVV(
0
,
32
)
)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
flag
=
solution.posix.dumps(sys.stdin.fileno())
print
(
'flag: '
, flag)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()
import
angr
import
claripy
import
sys
def
success(state):
return
b
'Good Job'
in
state.posix.dumps(sys.stdout.fileno())
def
fail(state):
return
b
'Try again'
in
state.posix.dumps(sys.stdout.fileno())
def
main():
proj
=
angr.Project(
"/home/darenfy/angr_CTF/Angr_Tutorial_For_CTF/problems/09_angr_hooks"
)
init_state
=
proj.factory.entry_state()
checkpoints_addr
=
0x080486B3
skip_len
=
5
@proj
.hook(checkpoints_addr, length
=
skip_len)
def
skip_check(state):
buffer_addr
=
0x0804A054
load_buffer_symbol
=
state.memory.load(buffer_addr,
16
)
check_str
=
'XYMKBKUHNIQYNQXE'
state.regs.eax
=
claripy.If(
load_buffer_symbol
=
=
check_str,
claripy.BVV(
1
,
32
),
claripy.BVV(
0
,
32
)
)
simulation
=
proj.factory.simgr(init_state)
simulation.explore(find
=
success, avoid
=
fail)
if
simulation.found:
solution
=
simulation.found[
0
]
flag
=
solution.posix.dumps(sys.stdin.fileno())
print
(
'flag: '
, flag)
else
:
print
(
'no flag'
)
if
__name__
=
=
'__main__'
:
main()