avatar

Angr 入门笔记 (一)

Angr 入门笔记 (一)

AngrCTF Github 题目下载

00_angr_find

import angr
import sys
name = sys.argv[1]
p=angr.Project(name,auto_load_libs=False)

state=p.factory.entry_state()
#state=p.factory.blank_state() #no-initalize
#state=p.factory.full_init__state() #full-initalize

simgr=p.factory.simgr(state)

Find = 0x08048678
Avoid = 0x08048645

res=simgr.explore(find = Find,avoiid = Avoid)

print (res.found[0].posix.dumps(0))
# JXWVXRKX

主要过程:

  • 1.加载文件
  • 2.创建程序状态
  • 3.找到约束条件
  • 4.开始寻找符合条件

01_angr_avoid

import angr
import sys
name = sys.argv[1]
p=angr.Project(name,auto_load_libs=False)

state=p.factory.entry_state()
#state=p.factory.blank_state() #no-initalize
#state=p.factory.full_init__state() #full-initalize
sm = p.factory.simulation_manager(state)

# simgr=p.factory.simgr(state)

Find = 0x80485E0
Avoid = 0x80485EF

res=sm.explore(find=Find,avoid=Avoid)
print (res.found[0].posix.dumps(0))
#HUJOZMYS

和上一道差不多

02_angr_find_condition

import angr
import sys

def IsGood(state):
return b'Good' in state.posix.dumps(1)

def IsBad(state):
return b'Try' in state.posix.dumps(1)

name = sys.argv[1]
p=angr.Project(name,auto_load_libs=False)

state=p.factory.entry_state()
#state=p.factory.blank_state() #no-initalize
#state=p.factory.full_init__state() #full-initalize

simgr=p.factory.simgr(state)

Find = IsGood
Avoid = IsBad

res=simgr.explore(find=Find,avoid=Avoid)

print (res.found[0].posix.dumps(0))
#HETOBRCU

使用函数来做约为约束条件

03_angr_symbolic_registers

import angr
import sys
import claripy

name = sys.argv[1]
p=angr.Project(name)

# state=p.factory.entry_state()

start_addr = 0x8048980
state=p.factory.blank_state(addr=start_addr) #no-initalize

# sympbolic vector
pass1 = claripy.BVS('pass1',32)
pass2 = claripy.BVS('pass2',32)
pass3 = claripy.BVS('pass3',32)

state.regs.eax = pass1
state.regs.ebx = pass2
state.regs.edx = pass3

#state=p.factory.full_init__state() #full-initalize

simgr=p.factory.simgr(state)

def IsGood():
return b'Good' in state.posix.dumps(1)

def IsBad():
return b'Try' in state.posix.dumps(1)


res=simgr.explore(find=0x80489E9,avoid=0x80489D4)

if res.found:
found_state = simgr.found[0]
print (found_state.solver.eval(pass1),found_state.solver.eval(pass2),found_state.solver.eval(pass3))
else:
raise Exception("No solution found")

#b9ffd04e ccf63fe8 8fd4d959

使用angr将输入的符号向量加载到寄存器里面

04_angr_symbolic_stack

最开始是利用angr对scanf的解析不是特别好,所以需要把符号向量加载到内存里面,但现在可以直接用

05_angr_symbolic_memory

import angr
import sys
import claripy

def main(argv):
p=angr.Project(argv)

# state=p.factory.entry_state()
start_addr = 0x08048601
state=p.factory.blank_state(addr=start_addr) #no-initalize
#state=p.factory.full_init__state() #full-initalize

p1 = claripy.BVS('p1',64)
p2 = claripy.BVS('p2',64)
p3 = claripy.BVS('p3',64)
p4 = claripy.BVS('p4',64)

p1_addr = 0xA1BA1D8
p2_addr = 0xA1BA1D0
p3_addr = 0xA1BA1C8
p4_addr = 0xA1BA1C0

state.memory.store(p1_addr,p1)
state.memory.store(p2_addr,p2)
state.memory.store(p3_addr,p3)
state.memory.store(p4_addr,p4)

simgr=p.factory.simgr(state)

def Good():
return b"Good" in state.posix.dumps(1)

def Bad():
return b"Try" in state.posix.dumps(1)


# res=simgr.explore(find=Good,avoid=Bad)
res=simgr.explore(find=0x804866A,avoid=0x804865B)
# print (res.found[0].posix.dumps(0))

if simgr.found:
found_state = simgr.found[0]
print (
(found_state.solver.eval(p1,cast_to=bytes)).decode("utf-8"),
(found_state.solver.eval(p2,cast_to=bytes)).decode("utf-8"),
(found_state.solver.eval(p3,cast_to=bytes)).decode("utf-8"),
(found_state.solver.eval(p4,cast_to=bytes)).decode("utf-8")
)
else:
raise Exception("No Solution")

if __name__ == '__main__':
main(sys.argv[1])
# b'NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU'

大致就是04的实现

06_angr_symbolic_dynamic_memory

import angr
import sys

def main(argv):
p=angr.Project(argv)

# state=p.factory.entry_state()

state=p.factory.blank_state(addr = 0x8048699) #no-initalize
#state=p.factory.full_init__state() #full-initalize

# print("ESP:", state.regs.esp) #0x7fff0000

buffer0 = 0x7fff0000-0x100
buffer1 = 0x7fff0000-0x200

buffer0_addr = 0xABCC8A4
buffer1_addr = 0xABCC8AC

state.memory.store(buffer0_addr,buffer0,endness=p.arch.memory_endness)
state.memory.store(buffer1_addr,buffer1,endness=p.arch.memory_endness)

p0 = state.solver.BVS("p0",8*8)
p1 = state.solver.BVS("p1",8*8)

state.memory.store(buffer0,p0)
state.memory.store(buffer1,p1)

# simgr = p.factory.

simgr=p.factory.simgr(state)

def IsGood(state):
return b'Good' in state.posix.dumps(1)

def IsBad(state):
return b'Try' in state.posix.dumps(1)

Find = IsGood
Avoid = IsBad

res=simgr.explore(find=Find,avoid=Avoid)
# print (res.found[0].posix.dumps(0))
if res.found:
found = res.found[0]
print(
found.solver.eval(p0,cast_to=bytes).decode("utf-8"),
found.solver.eval(p1,cast_to=bytes).decode("utf-8")
)

if __name__ == '__main__':
main(sys.argv[1])

# UBDKLMBV UNOERNYS

再堆上面赋值

  • 1.根据ESP找到对应fake_buffer
  • 2.找到真的buffer_addr
  • 3.将fake_buffer加载到buffer_addr,同时指明端序
  • 4.创建符号向量
  • 5.模拟执行并判断

07_angr_symbolic_file

import angr
import sys

def main(argv):
p=angr.Project(argv)

# state=p.factory.entry_state()
state=p.factory.blank_state(addr = 0x80488D6) #no-initalize
#state=p.factory.full_init__state() #full-initalize

filename = "OJKSQYDP.txt"
file_szie = 0x40
password = state.solver.BVS('password',file_szie*8)

sim_file = angr.storage.SimFile(filename,content=password, size=file_szie)

state.fs.insert(filename,sim_file)

simgr=p.factory.simgr(state)

Find = 0x80489AD
Avoid = 0x8048996

res=simgr.explore(find=Find,avoid=Avoid)

print (res.found[0].solver.eval(password,cast_to=bytes))

if __name__ == '__main__':
main(sys.argv[1])

这道把符号向量放到了一个文件里面

  • 1.定义符号向量文件的大小、文件名
  • 2.创建符号向量文件
  • 3.加载文件
  • 4.模拟执行
Author: Joe1sn
Link: http://blog.joe1sn.top/2021/AngrNote_P1/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
Donate
  • 微信
    微信