Angr（七）——angr_ctf_angr-ctf从入门到精通-CSDN博客

本文链接：https://blog.csdn.net/qq_45953112/article/details/125884522

通过angr_ctf熟悉angr的使用方法

参考链接：

bilibili - angr符号执行

GitHub - angr_ctf

10

1. 直接下载angr_ctf提供的ELF可执行文件10_angr_simprocedures

2. 用IDA静态分析

main函数调用scanf读取用户输入到buffer中，之后调用complex_function函数逐字符对buffer中的内容进行处理。最后将处理后的内容与password中的内容比较。

3. 编写脚本求解程序输出Good Job时对应的输入，为了避免字符串比较带来的路径爆炸，可以对字符串比较函数进行hook。与09中通过地址进行hook不同，由于10中多次调用了字符串比较函数，所以直接对符号（函数名）进行hook

import angr
import claripy
 
 
def isGood(state):
	return b'Good Job.' in state.posix.dumps(1)
 
def isBad(state):
	return b'Try again.' in state.posix.dumps(1)
 
p = angr.Project("./10")
init_state = p.factory.entry_state()
class mySimProcedure(angr.SimProcedure):
	def run(self, buffer_addr, buffer_size):
		bvt = self.state.memory.load(buffer_addr, buffer_size)
		target = "ORSDDWXHZURJRBDH".encode()
		return claripy.If(target == bvt, claripy.BVV(1, 32), claripy.BVV(0, 32))
check_symbol = "check_equals_ORSDDWXHZURJRBDH"
p.hook_symbol(check_symbol, mySimProcedure())
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
	found_state = sm.found[i]
	print("{}".format(found_state.posix.dumps(0)))

4. 运行脚本查看结果

5. 检查结果的正确性

11

1. 直接下载angr_ctf提供的ELF可执行文件11_angr_sim_scanf

2. 用IDA静态分析

main函数中，调用complex_function函数对字符串s中的8个字符逐个处理，再读取两个无符号整数到buffer0和buffer1，分别比较buffer0与s的前四个字符，buffer1与s的后四个字符（32位）。

3. 编写脚本求解程序输出Good Job时对应的输入

import angr
import claripy

def isGood(state):
	return b'Good Job.' in state.posix.dumps(1)
 
def isBad(state):
	return b'Try again.' in state.posix.dumps(1)
 
p = angr.Project("./11")
init_state = p.factory.entry_state()
class mySimProcedure(angr.SimProcedure):
	def run(self, format_addr, buffer0_addr, buffer1_addr):
		buffer0 = claripy.BVS('buffer0', 32)
		buffer1 = claripy.BVS('buffer1', 32)
		self.state.memory.store(buffer0_addr, buffer0, endness=p.arch.memory_endness)
		self.state.memory.store(buffer1_addr, buffer1, endness=p.arch.memory_endness)
		self.state.globals['solutions0'] = buffer0
		self.state.globals['solutions1'] = buffer1
scanf_symbol = "__isoc99_scanf"
p.hook_symbol(scanf_symbol, mySimProcedure())
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
	found_state = sm.found[i]
	store_solution0 = found_state.globals['solutions0']
	store_solution1 = found_state.globals['solutions1']
	res0 = found_state.solver.eval(store_solution0)
	res1 = found_state.solver.eval(store_solution1)
	print("{} {}".format(res0, res1))

4. 运行脚本查看结果