angr学习
angr基本脚本
一、非命令行输入
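import angr
import sys


def Go(path_to_binary="*****", print_good_address=0x4009E7):
    """Run the binary symbolically until the "good" block is reached and print the
    stdin bytes that lead there.

    Args:
        path_to_binary: path of the binary to load (the notes leave it as a
            placeholder; fill it in before running).
        print_good_address: address of the basic block that prints the success
            message; exploration stops at the first state that reaches it.

    Raises:
        Exception: if no path to ``print_good_address`` is found.
    """
    # auto_load_libs=False keeps the target's shared libraries out of the loaded
    # image, so exploration does not wander into library code.
    project = angr.Project(path_to_binary, auto_load_libs=False)
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)
    # Author's note: I usually look at the program's start address first; a 64-bit
    # binary may sit at 0x400000, a 32-bit one possibly at 0x800000.
    # print(project.entry)
    simulation.explore(find=print_good_address)
    if not simulation.found:
        raise Exception('Could not find the solution')
    solution_state = simulation.found[0]
    # Roughly: dump the input the found path consumed from stdin.
    # NOTE(review): bytes the path never constrained get arbitrary concrete
    # values, so the dump may carry padding beyond the bytes that matter.
    solution = solution_state.posix.dumps(sys.stdin.fileno())
    print(solution)


if __name__ == "__main__":
    Go()
    # path_to_binary = "oruga"
    # project = angr.Project(path_to_binary, auto_load_libs=False)
    # print(project.entry)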
二、使用命令行参数情况
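import angr
import sys
import claripy


def Go(path_to_binary="chall", print_good_address=0x400817, argv1_len=33, argv0="./chall"):
    """Find a command-line argument that drives the binary to the "good" block.

    Args:
        path_to_binary: path of the binary to load.
        print_good_address: address of the basic block that prints the success
            message; exploration stops at the first state that reaches it.
        argv1_len: length in bytes of the symbolic first argument.
        argv0: value passed as argv[0] to the program.

    Raises:
        Exception: if no path to ``print_good_address`` is found.
    """
    project = angr.Project(path_to_binary, auto_load_libs=False)
    # print(project.entry)
    # argv[1] is a fully symbolic bit-vector; the solver fills it in at the end.
    argv1 = claripy.BVS('argv1', argv1_len * 8)
    initial_state = project.factory.entry_state(args=[argv0, argv1])
    simulation = project.factory.simgr(initial_state)
    simulation.explore(find=print_good_address)
    if not simulation.found:
        raise Exception('Could not find the solution')
    # eval() returns the concrete value as an int; re-encode it big-endian so
    # the byte order matches the order the program read argv[1] in.
    solution_int = simulation.found[0].solver.eval(argv1)
    solution = solution_int.to_bytes(argv1_len, "big")
    print(solution)


if __name__ == "__main__":
    Go()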
代替scanf:
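import angr
import sys
import claripy


def main(argv):
    """Replace scanf with a symbolic stub and solve for the input that prints
    "Congratulations".

    Args:
        argv: process arguments; ``argv[1]``, when given, overrides the default
            binary path ``ROR.exe``.

    Raises:
        Exception: if no state printing "Congratulations" is found.
    """
    path_to_binary = argv[1] if len(argv) > 1 else 'ROR.exe'  # :string
    # NOTE(review): unlike the other scripts this loads shared libraries too;
    # pass auto_load_libs=False if exploration wanders into library code.
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()

    scanf_buffer_bytes = 80

    class ReplacementScanf(angr.SimProcedure):
        """scanf stand-in: writes a fresh symbolic buffer to the output pointer."""

        def run(self, format_string, param0):
            # The format string is ignored; only the single output argument is used.
            scanf0 = claripy.BVS('scanf0', 8 * scanf_buffer_bytes)
            scanf0_address = param0
            print(scanf0_address)
            # NOTE(review): the full 80 symbolic bytes are stored at param0
            # regardless of the destination's real size. If the binary's buffer
            # is smaller, the store spills into adjacent memory and the solved
            # input may be bogus — confirm the buffer size in the disassembly.
            self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
            # Keep the symbol so the found state can concretise it afterwards.
            self.state.globals['solutions'] = scanf0

    scanf_symbol = 'scanf'
    project.hook_symbol(scanf_symbol, ReplacementScanf())
    simulation = project.factory.simgr(initial_state)

    def is_successful(state):
        """Return whether the state has already printed the success message."""
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return 'Congratulations'.encode() in stdout_output

    simulation.explore(find=is_successful)
    if not simulation.found:
        raise Exception('Could not find the solution')
    solution_state = simulation.found[0]
    stored_solutions = solution_state.globals['solutions']
    scanf0_solution = solution_state.solver.eval(stored_solutions)
    print(scanf0_solution)


if __name__ == '__main__':
    main(sys.argv)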
angr练习十八道
02_angr_find_condition
本题知识点:在没有地址的情况下,利用字符串来确定寻找地址和规避地址。
ida:
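def _stdout_contains(state, marker):
    """Return whether *marker* appears in everything the binary has printed so far."""
    # Dump whatever has been written to stdout up to this state into a string.
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return marker in stdout_output


def is_successful(state):
    """Return whether 'Good Job.' has been printed yet."""
    # (!) Matching on the output string works without knowing the address of
    # the success block, so it covers several program layouts at once.
    return _stdout_contains(state, b'Good Job.')  # :boolean


def should_abort(state):
    """Return whether 'Try again.' has been printed, i.e. the path is a dead end."""
    return _stdout_contains(state, b'Try again.')  # :boolean


simulation.explore(find=is_successful, avoid=should_abort)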
通过 stdout_output = state.posix.dumps(sys.stdout.fileno())
和return b'Good Job.' in stdout_output # :boolean
来判断是否到达指定情况的地址,适用于多种情况而非只有一个地址的情况。