angr 00_angr_find demo
Posted by 漫小牛
00_angr_find is the first angr exercise; download location: https://github.com/jakespringer/angr_ctf
1 Starting angr
Run the following commands in order:
export WORKON_HOME=$HOME/Python-workhome
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
workon angr
If ipython is not installed, install it with:
pip3 install ipython
2 Solving 00_angr_find with angr
(1) Type ipython to enter the Python environment
(angr) dist$ ipython
Python 3.8.2 (default, Apr 27 2020, 15:53:34)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.26.0 -- An enhanced Interactive Python. Type '?' for help.
(2) Type import angr to load the angr library
In [1]: import angr
(3) Create a new project with angr's Project method
In [2]: p = angr.Project("./00_angr_find")
(4) Tell angr where to start executing (angr depends on unicorn, and unicorn can execute any piece of binary code)
Give it an initial state and start executing from that state:
In [3]: init_state = p.factory.entry_state()
In [4]: sm = p.factory.simulation_manager(init_state)
(5) Tell angr where to stop
The basic-block flow graph from IDA:
The stop position should be the address 08048678 of the instruction push offset aGoodJob ; "Good Job.", so run:
In [5]: sm.explore(find=0x08048678)
WARNING | 2021-08-16 21:54:44,296 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 1) setting a value to the initial state
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 2) adding the state option ZERO_FILL_UNCONSTRAINED_MEMORY,REGISTERS, to make unknown regions hold null
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_MEMORY,REGISTERS, to suppress these messages.
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | Filling register edi with 4 unconstrained bytes referenced from 0x80486b1 (__libc_csu_init+0x1 in 00_angr_find (0x80486b1))
WARNING | 2021-08-16 21:54:44,298 | angr.storage.memory_mixins.default_filler_mixin | Filling register ebx with 4 unconstrained bytes referenced from 0x80486b3 (__libc_csu_init+0x3 in 00_angr_find (0x80486b3))
WARNING | 2021-08-16 21:54:46,799 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7ffeff60 with 4 unconstrained bytes referenced from 0x818ac20 (strcmp+0x0 in libc.so.6 (0x8ac20))
Out[5]: <SimulationManager with 1 active, 16 deadended, 1 found>
Among the paths executed, one path was found that reaches the given address 08048678.
(6) Get the found state:
In [6]: sm.found[0]
Out[6]: <SimState @ 0x8048678>
In [7]: found_state = sm.found[0]
(7) Since what we care about is the program's input, we can print the program's input here
In [8]: found_state.posix.dumps(0)
Out[8]: b'JXWVXRKX'
(8) Now we can test it; this input is exactly the flag for the challenge:
(angr) dist$ ./00_angr_find
Enter the password: JXWVXRKX
Good Job.
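The eight interactive steps above collected into one script, as an added example (not code from the original post and not part of angr_ctf). It assumes angr is installed and that ./00_angr_find from the angr_ctf repository is in the working directory; the find address 0x08048678 is the one read from IDA in the post, and the helper names (solve, clean_stdin, good_job_printed) are this example's own. It also goes a little beyond the post in two ways: it sets the ZERO_FILL_UNCONSTRAINED_* options that the warning output in step (5) suggests, and it offers a stdout-based stop predicate as an alternative to a hard-coded address.

```python
"""Script form of the 00_angr_find walkthrough.

Added example, not the original post's code. Assumes angr is installed and
./00_angr_find (from angr_ctf) is in the working directory.
"""
import sys

# Address of `push offset aGoodJob ; "Good Job."` in 00_angr_find (from the post).
FIND_ADDR = 0x08048678


def clean_stdin(raw: bytes) -> bytes:
    """Keep only the part of stdin the program actually consumed.

    posix.dumps(0) concretises every stdin byte angr modelled, and bytes the
    program never read come back as NUL padding; the password is the prefix
    before the first NUL.
    """
    return raw.split(b"\x00", 1)[0]


def good_job_printed(state) -> bool:
    """Stop condition that needs no address: a path is a solution once its
    stdout (fd 1) contains the success banner."""
    return b"Good Job." in state.posix.dumps(1)


def solve(binary: str = "./00_angr_find", find=FIND_ADDR, zero_fill: bool = True) -> bytes:
    """Explore from the entry state until `find` is hit and return the stdin
    bytes that get there. `find` may be an address or a state predicate."""
    import angr  # imported here so the pure helpers above work without angr

    project = angr.Project(binary)

    # The "accessing memory or registers with an unspecified value" warnings in
    # the post mean angr invented symbolic values for uninitialised memory and
    # registers. Option 2 from the warning text makes those regions zero
    # instead, which is closer to how a real process starts and silences the
    # warnings for this binary.
    add_options = set()
    if zero_fill:
        add_options = {
            angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
            angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
        }

    init_state = project.factory.entry_state(add_options=add_options)
    sm = project.factory.simulation_manager(init_state)
    sm.explore(find=find)

    if not sm.found:
        raise RuntimeError("no path reached the find condition")
    found_state = sm.found[0]
    return clean_stdin(found_state.posix.dumps(0))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"
    # Address-based search as in the post; pass find=good_job_printed to
    # use the stdout predicate instead.
    print(solve(target).decode())
```

Run it as `python solve.py ./00_angr_find`; with the binary from the post it prints the same password the interactive session recovered. The predicate form is the one to reach for when a binary is rebuilt (angr_ctf generates its challenges from templates, so addresses shift between builds) while the "Good Job." string stays the same.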