angr[2]--使用操作

最新推荐文章于 2024-05-23 23:25:18 发布
最新推荐文章于 2024-05-23 23:25:18 发布
阅读量844 收藏 2
点赞数 2
分类专栏: angr
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_38204481/article/details/103788005
版权

这里将会写angr模拟寄存器,栈,bss段,模拟堆,模拟文件

补充:格式化是angr的弱点,需要尽量避开

0x03设置寄存器的值

# -*- coding:utf-8 -*-
import angr
import claripy
import sys
reload(sys)
sys.setdefaultencoding("utf8")

#设置寄存器值

"""
angr只支持一次scanf,多次scanf需要绕过。
因为是32位寄存器所以需要32位
initial_state.regs.eax = password0   可以设置寄存器的值
solution0 = solution_state.se.eval(password0)  可以获取解决方案,但是只有一个位向量的
加载程序,设置开始地址,设置寄存器值(设置初始状态)   设置正确和错误的结果探索   取出跑出来的结果    

"""

def main(argv):
    project=angr.Project("./1")

    #这个地址是从ida里面找出来的,读入了数据之后的值
    """
.text:08048911                 call    get_user_input
.text:08048916                 mov     [ebp+var_14], eax
.text:08048919                 mov     [ebp+var_10], ebx
.text:0804891C                 mov     [ebp+var_C], edx
    """
    start_address=0x08048916
    initial_state=project.factory.blank_state(addr=start_address) #用blank_state 来实现从某个地址处载入

    #因为32位程序寄存器最多放32位
    password0_size_in_bits=32
    #用来生成位向量   这个东西应该是类似列表之类的东西
    password0=claripy.BVS('password0',password0_size_in_bits)
    password1 = claripy.BVS('password1', password0_size_in_bits)
    password2 = claripy.BVS('password2', password0_size_in_bits)

    #给寄存器赋值   ida里面可以看到这三个寄存器是决定程序的值是否走到 good job的值
    initial_state.regs.eax=password0
    initial_state.regs.ebx = password1
    initial_state.regs.edx = password2

    simulation=project.factory.simgr(initial_state)

    def is_successful(state):
        stdout_output=state.posix.dumps(sys.stdout.fileno())
        return "Good" in stdout_output

    def should_abort(state):
        stdout_output=state.posix.dumps(sys.stdout.fileno())
        return "Try" in stdout_output

    simulation.explore(find=is_successful,avoid=should_abort)

    if simulation.found:
        solution_state=simulation.found[0]
        #找到了之后想要拿出来需要一个一个取  应该是字典之类的东东西
        solution0=solution_state.se.eval(password0)
        solution1=solution_state.se.eval(password1)
        solution2=solution_state.se.eval(password2)


        solution= str(solution0)+","+str(solution1)+","+str(solution2)
        print hex(solution0), hex(solution1), hex(solution2)
        print solution

    else:
        raise Exception("Could not find the solution")


if __name__ == '__main__':
    main(sys.argv)

0x04设置栈


import angr
import claripy
import sys

def main(argv):
  path_to_binary = "./04_angr_symbolic_stack"
  project = angr.Project(path_to_binary)    #设置加载路径

  start_address = 0x08048697
  initial_state = project.factory.blank_state(addr=start_address)      #设置开始地址



  initial_state.regs.ebp = initial_state.regs.esp                      #设置栈的开始数据
  password0 = claripy.BVS('password0', 32)
  password1 = claripy.BVS('password1', 32)

  padding_length_in_bytes = 8  # :integer
  initial_state.regs.esp -= padding_length_in_bytes                  #放入栈中
  initial_state.stack_push(password0)  # :bitvector (claripy.BVS, claripy.BVV, claripy.BV)
  initial_state.stack_push(password1)




  simulation = project.factory.simgr(initial_state)                #运行,找到地址

  def is_successful(state):
      stdout_output = state.posix.dumps(sys.stdout.fileno())
      return 'Good Job' in str(stdout_output)

  def should_abort(state):
      stdout_output = state.posix.dumps(sys.stdout.fileno())
      return 'Try again.' in str(stdout_output)

  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:                                          #处理结果
      solution_state = simulation.found[0]

      solution0 = solution_state.se.eval(password0)
      solution1 = solution_state.se.eval(password1)


      solution = ' '.join(map('{:x}'.format, [solution0, solution1]))
      print(solution)
  else:
      raise Exception('Could not find the solution')


if __name__ == '__main__':
    main(sys.argv)

核心代码

initial_state.regs.ebp = initial_state.regs.esp 
  password0 = claripy.BVS('password0', 32)
    padding_length_in_bytes = 8  # :integer       减8是因为两个数据,每个32bit也就是4个字节共8个字节
  initial_state.regs.esp -= padding_length_in_bytes                  #放入栈中
  initial_state.stack_push(password0)

0x05模拟bass段

import angr
import claripy
import sys
import binascii

def main(argv):
  path_to_binary = "./05_angr_symbolic_memory"
  project = angr.Project(path_to_binary)

  start_address = 0x08048601
  initial_state = project.factory.blank_state(addr=start_address)

  # The binary is calling scanf("%8s %8s %8s %8s").
  # (!)
  password0 = claripy.BVS('password0', 8*8)      #设置数据个数,这里的数是bit数,一个字节是8个bit
  password1 = claripy.BVS('password1', 8 * 8)
  password2 = claripy.BVS('password2', 8 * 8)
  password3 = claripy.BVS('password3', 8 * 8)


  # Determine the address of the global variable to which scanf writes the user
  # input. The function 'initial_state.memory.store(address, value)' will write
  # 'value' (a bitvector) to 'address' (a memory location, as an integer.) The
  # 'address' parameter can also be a bitvector (and can be symbolic!).
  # (!)
  password0_address = 0x09FD92A0                       #把数据放到
  initial_state.memory.store(password0_address, password0)
  password0_address = 0x09FD92A8
  initial_state.memory.store(password0_address, password1)
  password0_address = 0x09FD92B0
  initial_state.memory.store(password0_address, password2)
  password0_address = 0x09FD92B8
  initial_state.memory.store(password0_address, password3)


  simulation = project.factory.simgr(initial_state)

  def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Good Job' in str(stdout_output)

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Try again.' in str(stdout_output)

  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]

    # Solve for the symbolic values. We are trying to solve for a string.
    # Therefore, we will use eval, with named parameter cast_to=str
    # which returns a string instead of an integer.
    # (!)
    solution0 = solution_state.se.eval(password0)
    solution1 = solution_state.se.eval(password1)
    solution2 = solution_state.se.eval(password2)
    solution3 = solution_state.se.eval(password3)

    solution = ''.join(map('{:x}'.format, [solution0, solution1,solution2,solution3]))

    print (binascii.a2b_hex(solution))       #16进制数转字符串
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

设置数据的内容

password0_address = 0x09FD92A0                       #把数据放到
initial_state.memory.store(password0_address, password0)

0x06模拟堆

import angr
import claripy
import sys
import binascii

def main(argv):
  path_to_binary = "./06_angr_symbolic_dynamic_memory"
  project = angr.Project(path_to_binary)

  start_address = 0x08048699
  initial_state = project.factory.blank_state(addr=start_address)

  # The binary is calling scanf("%8s %8s").
  # (!)
  password0 = claripy.BVS('password0', 8*8) #buffer0
  password1 = claripy.BVS('password1', 8*8) #buffer1


  # Instead of telling the binary to write to the address of the memory
  # allocated with malloc, we can simply fake an address to any unused block of
  # memory and overwrite the pointer to the data. This will point the pointer
  # with the address of pointer_to_malloc_memory_address0 to fake_heap_address.
  # Be aware, there is more than one pointer! Analyze the binary to determine
  # global location of each pointer.
  # Note: by default, Angr stores integers in memory with big-endianness. To
  # specify to use the endianness of your architecture, use the parameter
  # endness=project.arch.memory_endness. On x86, this is little-endian.
  # (!)
  fake_heap_address0 = 0x40000
  pointer_to_malloc_memory_address0 =0x09FD92AC
  initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
  #buffer0    把数据放入内存堆地址(数据具体存到哪随意) 这个地址的指针,也就是变量的具体值要准确
  fake_heap_address1 = 0x40010
  pointer_to_malloc_memory_address1 = 0x09FD92B4
  initial_state.memory.store(pointer_to_malloc_memory_address1, fake_heap_address1, endness=project.arch.memory_endness) #buffer1


  # Store our symbolic values at our fake_heap_address. Look at the binary to
  # determine the offsets from the fake_heap_address where scanf writes.
  # (!)
  initial_state.memory.store(fake_heap_address0, password0)
  initial_state.memory.store(fake_heap_address1, password1)


  simulation = project.factory.simgr(initial_state)

  def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Good Job' in str(stdout_output)

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Try again.' in str(stdout_output)
  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]

    solution0 = solution_state.se.eval(password0)
    solution1 = solution_state.se.eval(password1)

    solution = ''.join(map("{:x}".format,[solution0,solution1]))
    # print(solution)
    print (binascii.a2b_hex(solution.strip()))
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

一组数据进行两次写入,第一次把数据写入到具体位置也就是申请的空间
第二次把第一次写入的地址写入到程序的变量位置(这里是bss段)
其实就是写入内存和0x01没有本质区别

 fake_heap_address0 = 0x40000
  pointer_to_malloc_memory_address0 =0x09FD92AC
  initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
  #buffer0    把数据放入内存堆地址(数据具体存到哪随意) 这个地址的指针,也就是变量的具体值要准确
  initial_state.memory.store(fake_heap_address0, password0)

0x07angr 模拟文件

# This challenge could, in theory, be solved in multiple ways. However, for the
# sake of learning how to simulate an alternate filesystem, please solve this
# challenge according to structure provided below. As a challenge, once you have
# an initial solution, try solving this in an alternate way.
#
# Problem description and general solution strategy:
# The binary loads the password from a file using the fread function. If the
# password is correct, it prints "Good Job." In order to keep consistency with
# the other challenges, the input from the console is written to a file in the 
# ignore_me function. As the name suggests, ignore it, as it only exists to
# maintain consistency with other challenges.
# We want to:
# 1. Determine the file from which fread reads.
# 2. Use Angr to simulate a filesystem where that file is replaced with our own
#    simulated file.
# 3. Initialize the file with a symbolic value, which will be read with fread
#    and propogated through the program.
# 4. Solve for the symbolic input to determine the password.
import binascii
import angr
import claripy
import sys

def main(argv):
  path_to_binary = "./07_angr_symbolic_file"
  project = angr.Project(path_to_binary)

  start_address = 0x80488D6
  initial_state = project.factory.blank_state(addr=start_address)     #开始地址需要在打开文件之前,这里模拟了文件


  filename = "MRXJKZYR.txt" # :string     设置文件名
  symbolic_file_size_bytes = 0x40


  password = claripy.BVS('password', symbolic_file_size_bytes * 8)       #生成符号



  password_file = angr.storage.SimFile(filename, content=password)       #把内容放入文件
  initial_state.fs.insert(filename, password_file)
  simulation = project.factory.simgr(initial_state)                       #运行


  def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Good Job' in str(stdout_output)

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Try again.' in str(stdout_output)

  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]

    solution = solution_state.se.eval(password)
    solution="".join(map("{:x}".format,[solution]))

    print (binascii.a2b_hex(solution))
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

核心内容

  filename = "MRXJKZYR.txt" # :string     设置文件名
  symbolic_file_size_bytes = 0x40                         #  设置文件长度
  password = claripy.BVS('password', symbolic_file_size_bytes * 8)       #生成符号
  password_file = angr.storage.SimFile(filename, content=password)       #把内容放入文件
  initial_state.fs.insert(filename, password_file)
九层台
关注
专栏目录
angr学习【一】
BadRer的博客
05-12 5446
前言 最近由于遇到一些题需要使用angr框架解决。因此呢,学习一下吧,这个框架。 环境安装 https://github.com/angr 不多说了 题目一
angr学习-入门篇
hongduilanjun的博客
08-01 388
(题库仓库,里面有个讲解angr的PPT,里面有官方的题解很详细)
Angr安装与使用使用篇(一)
qq_42308741的博客
10-28 1069
针对angr提供的17道练习题,现在进行求解00_angr_find,它是关于输入密码的问题,需要使用angr求解出正确密码。 参考博客点这里 #1 创建项目 project = angr.Project(“00_angr_find”) #2 通过entry_state()创建一个默认初始状态,这个状态是为了告诉angr该从哪里开始 initial_state = project.factory.entry_state() 查看当前initial_state的值,为0x8048450。 使用I
angr使用学习(持续更新)
最新发布
2302_79135465的博客
05-23 630
首先我是直接在kali中安装的,也是边练边学的。嗯,要在纯净python环境,所以是在 virtualenv 虚拟环境里,也不是特别会用这个,按照教程一步步做的进入了对应环境退出是deactivateen,ipython交互性确实好一些。
Angr入门(一)
qq_44370676的博客
08-16 3445
Angr初探
angr使用2
九层台
12-17 980
angr就是一个工具提供了对一个程序某一段代码的测试功能,在ctf中一般其实就是用来爆破。 之前一个示例演示了基本的运行,接下来呢看一下如果程序不从头开始,设置运行环境。 上面是个base64解密,下面是另一个加密,前面的没必要测试,看后面的。 看汇编代码 原始数据的赋值是R0决定的(也就是用R0来传参的) #coding=utf-8 import angr import claripy i...
Python库 | angr-4.6.1.12.tar.gz
02-28
2. **静态分析**:angr提供了多种静态分析工具,如CFG(控制流图)重建,用于理解程序的结构和控制流程,以及VEX(Virtual Execution Platform),它是LLVM项目的一个分支,用于将机器码转换为中间表示,方便进行...
符号执行-Angr
ChuMeng1999的博客
11-09 1477
目录预备知识1.关于Angr实验目的实验环境实验步骤一实验步骤二实验步骤三 预备知识 1.关于Angr Angr是一个利用python开发的二进制程序分析框架,我们可以利用这个工具尝试对一些CTF题目进行符号执行来找到正确的解答,即flag。当然,要注意的是符号执行的路径选择问题到现在依旧是一个很大的问题,换句话说也就是当我们的程序存在循环时,因为符号执行会尽量遍历所有的路径,所以每次循环之后会形成至少两个分支,当循环的次数足够多时,就会造成路径爆炸,整个机器的内存会被耗尽(我们这次分析的程序只有两个分支,
angr-example(解CTF题目)
40KO的博客
05-03 2910
0x0废话 emmm,总之就是官方给的examples啦。持续更新... 链接:https://docs.angr.io/examples 0x1defcamp_r100 angr在CTF中最常见的使用方式就是利用符号执行来探索路径。来看主函数 可以看到本题中只需要达到0x400844这个地址,我们的输入就是正确的flag,即我们打印到达0x400844这个地址的state的标准...
符号执行angr解ctf逆向题组
12-28
2. **`angr`安装与配置**:了解如何在本地环境中安装和配置`angr`,以及如何导入必要的库。 3. **基本用法**:学习如何加载二进制文件,设置初始状态,并启动符号执行。 4. **路径探索**:理解如何限制路径长度、...
Angr安装与使用使用篇(八)
qq_42308741的博客
11-16 172
针对angr提供的17道练习题,现在进行求解07_angr_symbolic_file,它也是关于符号寄存器的问题,需要使用angr求解出正确密码。但是需要提供排除地址以减少路径求解时间。 具体代码如下所示 import angr import claripy import sys def main(argv): path_to_binary = argv[1] project = angr.Project(path_to_binary) start_address = 0x80488ea
Angr安装与使用使用篇(十二)
qq_42308741的博客
12-01 593
针对angr提供的17道练习题,现在进行求解11_angr_sim_scanf,它也是关于hook输入的问题,需要使用angr求解出正确密码。但是需要提供排除地址以减少路径求解时间。 具体代码如下所示 import angr import claripy import sys def main(argv): path_to_binary = argv[1] project = angr.Project(path_to_binary) initial_state = project.facto
Angr安装与使用使用篇(十四)
qq_42308741的博客
12-12 203
针对angr提供的17道练习题,现在进行求解13_angr_static_binary,它也是关于hook输入的问题,需要使用angr求解出正确密码。但是需要提供排除地址以减少路径求解时间。 具体代码如下所示 import angr import claripy import sys def test(): file='13_angr_static_binary' project=angr.Project(file) initial_state=project.factory.entry_state
angr:基于python的二进制分析框架 安装与使用
lacoucou的专栏
04-30 3568
1.安装教程请参考http://blog.csdn.net/xiaosatianyu/article/details/51586498简单列举下命令:sudo pip install virtualenvwrapper export WORKON_HOME=$HOME/Python-workhome source /usr/local/bin/virtualenvwrapper.sh mkvirtu
Angr实例分析——使用Capstone
zhuzhuzhu22的博客
06-21 2684
本博客由闲散白帽子胖胖鹏鹏胖胖鹏潜力所写,仅仅作为个人技术交流分享,不得用做商业用途。转载请注明出处,未经许可禁止将本博客内所有内容转载、商用。            因为项目需求,需要手动解析汇编代码,从而找到其中的特征。所以,在Angr中,我们需要使用Capstone进行汇编代码的提取。我们在使用Angr.Project()新建工程之后,Angr已经为我们生成了一个Capstone,我们需要做...
Angr 操作栈的符号执行 04_angr_symbolic_stack
小龙在线
09-17 391
Angr不支持多个输入参数,而参数都存入栈中。我们可以跳过输入,直接操作栈,来遍历出想要的结果。那从哪儿开始执行呢? 此例,可以从scanf输入密码结束之后,把我们的密码注入,也就是sanf的栈注销(add esp, 10h)的后面0x08048697。 这里我们通过gdb来查看符号执行时,要设置的padding大小: 经过complex_function0和complex_function1后,可以计算出padding大小0xffffcf28 - 0xffffcf20: # This challen
(逆向)angr 执行二进制函数
瘦果的专栏
04-16 2099
关于angr: github 搜索angr 首先编译源码: #include unsigned int ORHash(char *str , int len){      int i = 0 ;      unsigned int hash = 1315423911;      for (i =0;i         hash ^= (hash>1 ) ;    
angr尝试
九层台
12-16 670
中文简介添加链接描述 但是官方github上的pdf文档介绍的更详细。 测试了一下中文简介的内容大概就这些,只是测试加上个人理解,不一定正确不喜勿喷 #coding=utf-8 import angr b=angr.Project("./level2") print (hex(b.entry)) #程序的载入地址 print hex(b.loader.min_addr), hex(b.loa...
angr-9.0.5450-py3-none-macosx_10_14_x86_64.whl Python库解压指南
angr通过Python包管理工具pip进行安装,通常以-wheel文件格式分发,如本例中的“angr-9.0.5450-py3-none-macosx_10_14_x86_64.whl”文件,适用于macOS系统。用户可以通过pip安装命令安装该库:“pip install angr-...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值