通过angr_ctf熟悉angr的使用方法
参考链接:
12
1. 直接下载angr_ctf提供的ELF可执行文件12_angr_veritesting
2. 用IDA静态分析
main函数中调用scanf函数读取长度为32字节的字符串输入到起始地址为buffer[3]的内存空间中,逐个比较buffer[i + 3]和complex_function(75, i + 93)。
3. 编写脚本求解程序输出Good Job时对应的输入,可以通过veritesting缓解路径爆炸
import angr
import claripy
def isGood(state):
return b'Good Job.' in state.posix.dumps(1)
def isBad(state):
return b'Try again.' in state.posix.dumps(1)
p = angr.Project("./12")
init_state = p.factory.entry_state()
sm = p.factory.simulation_manager(init_state, veritesting=True)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
found_state = sm.found[i]
print(found_state.posix.dumps(0))
4. 运行脚本查看结果
5. 检查结果的正确性
13
1. 直接下载angr_ctf提供的ELF可执行文件13_angr_static_binary
2. 用IDA静态分析
函数逻辑比较简单,与前面几例的也比较类似,这里不再赘述。
3. 编写脚本求解程序输出Good Job时对应的输入,由于该程序是静态链接的,故对于scanf、printf、puts等函数,angr不会自动将其hook,替换成angr自己实现的函数,而是进行符号执行。为了避免路径爆炸和过多的开销,可以手动hook
import angr
import claripy
def isGood(state):
return b'Good Job.' in state.posix.dumps(1)
def isBad(state):
return b'Try again.' in state.posix.dumps(1)
p = angr.Project("./13")
init_state = p.factory.entry_state()
printf_addr = 0x804ED40
scanf_addr = 0x804ED80
puts_addr = 0x804F350
strcmp_addr = 0x805B450
libc_start_main_addr = 0x8048D10
p.hook(printf_addr, angr.SIM_PROCEDURES['libc']['printf']())
p.hook(scanf_addr, angr.SIM_PROCEDURES['libc']['scanf']())
p.hook(puts_addr, angr.SIM_PROCEDURES['libc']['puts']())
p.hook(strcmp_addr, angr.SIM_PROCEDURES['libc']['strcmp']())
p.hook(libc_start_main_addr, angr.SIM_PROCEDURES['glibc']['__libc_start_main']())
sm = p.factory.simulation_manager(init_state)
sm.explore(find=isGood, avoid=isBad)
for i in range(0, len(sm.found)):
found_state = sm.found[i]
print(found_state.posix.dumps(0))
4. 运行脚本查看结果
5. 验证结果的正确性