angr 00_angr_find demo

Posted by 漫小牛




00_angr_find is the first angr example. Download location: https://github.com/jakespringer/angr_ctf

1 Starting angr

Run the following commands in order:

export WORKON_HOME=$HOME/Python-workhome
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
workon angr

If ipython is not installed, install it with the following command:

pip3 install ipython

2 Solving 00_angr_find with angr

(1) Enter ipython to start the Python environment

(angr) dist$ ipython
Python 3.8.2 (default, Apr 27 2020, 15:53:34) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.26.0 -- An enhanced Interactive Python. Type '?' for help.

(2) Enter import angr to load the angr library

In [1]: import angr

(3) Create a new project with angr's Project method

In [2]: p = angr.Project("./00_angr_find")

(4) Tell angr where to start execution (angr depends on unicorn, and unicorn can execute an arbitrary piece of binary code).
Provide an initial state and start execution from it:

In [3]: init_state = p.factory.entry_state()

In [4]: sm = p.factory.simulation_manager(init_state)

(5) Tell angr where to stop
IDA's basic block flow graph is shown below (figure not reproduced here):

The end position should be the address 08048678 of the instruction push offset aGoodJob ; "Good Job.". Execute:

In [5]: sm.explore(find=0x08048678)
WARNING | 2021-08-16 21:54:44,296 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 1) setting a value to the initial state
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to suppress these messages.
WARNING | 2021-08-16 21:54:44,297 | angr.storage.memory_mixins.default_filler_mixin | Filling register edi with 4 unconstrained bytes referenced from 0x80486b1 (__libc_csu_init+0x1 in 00_angr_find (0x80486b1))
WARNING | 2021-08-16 21:54:44,298 | angr.storage.memory_mixins.default_filler_mixin | Filling register ebx with 4 unconstrained bytes referenced from 0x80486b3 (__libc_csu_init+0x3 in 00_angr_find (0x80486b3))
WARNING | 2021-08-16 21:54:46,799 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7ffeff60 with 4 unconstrained bytes referenced from 0x818ac20 (strcmp+0x0 in libc.so.6 (0x8ac20))
Out[5]: <SimulationManager with 1 active, 16 deadended, 1 found>

Looking at the paths that were executed, one path reaches the given address 08048678.
(6) Get the found state:

In [6]: sm.found[0]
Out[6]: <SimState @ 0x8048678>

In [7]: found_state = sm.found[0]

(7) Since what we care about is the program's input, print the program's input here

In [8]: found_state.posix.dumps(0)
Out[8]: b'JXWVXRKX'

(8) At this point we can test it; this input is exactly the challenge's flag:

(angr) dist$ ./00_angr_find 
Enter the password: JXWVXRKX
Good Job.
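The IPython session above, collected into a stand-alone solve script. This is an added example, not the angr_ctf project's own solution script. It reproduces the address-based find from step (5) and also shows a second, more robust stop condition: matching on the program's stdout for the "Good Job." string, which does not depend on reading an address out of IDA. Assumptions beyond the session above: the binary is loaded with auto_load_libs=False (libc calls such as strcmp are replaced by angr's built-in SimProcedures instead of the real libc.so.6 seen in the warnings), and the ZERO_FILL_UNCONSTRAINED_* state options listed in those warnings are added to the entry state to silence them.

```python
#!/usr/bin/env python3
"""Stand-alone solve script for 00_angr_find (added example, not part of angr_ctf).

Usage:  python3 solve.py ./00_angr_find
"""
import sys

# Address of `push offset aGoodJob ; "Good Job."`, taken from the IDA flow
# graph in the post above.  Only valid for this exact binary.
GOOD_JOB_ADDR = 0x08048678

# Success string printed by the program (seen in the test run above).
SUCCESS_MARKER = b"Good Job."


def is_success(stdout: bytes) -> bool:
    """True once the program's stdout contains the success message.

    Used as the `find` predicate so we stop on observable behaviour instead
    of on a hard-coded code address.
    """
    return SUCCESS_MARKER in stdout


def solve(binary_path: str, by_address: bool = False) -> bytes:
    """Symbolically execute `binary_path` until a state reaches the success
    condition and return the stdin bytes that drive the program there.

    by_address=True  -> stop at GOOD_JOB_ADDR, exactly like step (5) above.
    by_address=False -> stop when "Good Job." appears on stdout (assumption:
                        this is the more general approach, not shown in the post).
    """
    # Imported inside the function so the pure helpers above can be imported
    # and unit-tested on a machine without angr installed.
    import angr

    # auto_load_libs=False: assumption, replaces libc with SimProcedures and
    # avoids exploring inside the real strcmp.
    proj = angr.Project(binary_path, auto_load_libs=False)

    # Entry state; the ZERO_FILL options are the fix (2) suggested by the
    # "unconstrained value" warnings in the session above.
    init_state = proj.factory.entry_state(
        add_options={
            angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
            angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
        }
    )
    sm = proj.factory.simulation_manager(init_state)

    if by_address:
        sm.explore(find=GOOD_JOB_ADDR)
    else:
        # fd 1 is stdout; dumps() concretises whatever the state has written.
        sm.explore(find=lambda s: is_success(s.posix.dumps(1)))

    if not sm.found:
        raise RuntimeError("no path reached the success condition")

    found_state = sm.found[0]
    # fd 0 is stdin: the concrete input that satisfies all path constraints.
    return found_state.posix.dumps(0)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"
    print(solve(path))
```

With the binary from angr_ctf the script prints the same password as step (7). The stdout-based predicate is the one to reuse on the later exercises, because the code address changes from binary to binary while the success string does not.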
