| API | Description |
|---|---|
| Angr | |
| claripy | |
| cle | |
| pyvex | |
| archinfo | |
lazenca0x0@ubuntu:~$ sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper ... 생략 ... (angr) lazenca0x0@ubuntu:~$ deactivate lazenca0x0@ubuntu:~/Documents/angr$ workon angr (angr) lazenca0x0@ubuntu:~/Documents/angr$ |
lazenca0x0@ubuntu:~/Documents/angr$ workon angr (angr) lazenca0x0@ubuntu:~$ deactivate lazenca0x0@ubuntu:~/Documents/angr$ |
signed __int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
signed __int64 result; // rax@3
__int64 v4; // rcx@6
char s; // [rsp+0h] [rbp-110h]@1
__int64 v6; // [rsp+108h] [rbp-8h]@1
v6 = *MK_FP(__FS__, 40LL);
printf("Enter the password: ", a2, a3);
if ( fgets(&s, 255, stdin) )
{
if ( (unsigned int)sub_4006FD(&s, 255LL) )
{
puts("Incorrect password!");
result = 1LL;
}
else
{
puts("Nice!");
result = 0LL;
}
}
else
{
result = 0LL;
}
v4 = *MK_FP(__FS__, 40LL) ^ v6;
return result;
} |
0x400864 영역의 jmp 명령어에 의해 다음과 같이 이동합니다.
gdb-peda$ x/36i 0x4007E8
   0x4007e8: push rbp
   0x4007e9: mov rbp,rsp
   0x4007ec: sub rsp,0x110
   0x4007f3: mov rax,QWORD PTR fs:0x28
   0x4007fc: mov QWORD PTR [rbp-0x8],rax
   0x400800: xor eax,eax
   0x400802: mov edi,0x400937
   0x400807: mov eax,0x0
   0x40080c: call 0x4005c0 <printf@plt>
   0x400811: mov rdx,QWORD PTR [rip+0x200850] # 0x601068 <stdin>
   0x400818: lea rax,[rbp-0x110]
   0x40081f: mov esi,0xff
   0x400824: mov rdi,rax
   0x400827: call 0x4005e0 <fgets@plt>
   0x40082c: test rax,rax
   0x40082f: je 0x400866
   0x400831: lea rax,[rbp-0x110]
   0x400838: mov rdi,rax
   0x40083b: call 0x4006fd
   0x400840: test eax,eax
   0x400842: jne 0x400855
   0x400844: mov edi,0x40094c
   0x400849: call 0x4005a0 <puts@plt>
   0x40084e: mov eax,0x0
   0x400853: jmp 0x40086b
   0x400855: mov edi,0x400952
   0x40085a: call 0x4005a0 <puts@plt>
   0x40085f: mov eax,0x1
   0x400864: jmp 0x40086b
   0x400866: mov eax,0x0
   0x40086b: mov rcx,QWORD PTR [rbp-0x8]
   0x40086f: xor rcx,QWORD PTR fs:0x28
   0x400878: je 0x40087f
   0x40087a: call 0x4005b0 <__stack_chk_fail@plt>
   0x40087f: leave
   0x400880: ret
gdb-peda$
explore() API를 이용해 0x400844 영역으로 가기 위한 값을 확인합니다.
import os
import angr
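# Load only the main binary: auto_load_libs=False keeps shared libraries out of
# the project, which keeps the explored state space small for this check.
project = angr.Project("r100", auto_load_libs=False)
path_group = project.factory.path_group()
path_group.use_technique(angr.exploration_techniques.DFS())

# Addresses taken from the disassembly of main: 0x400855 is the block that
# loads the "Incorrect password!" string for puts (return 1), 0x400844 the
# block that loads "Nice!" (return 0).
avoid_addr = [0x400855]
find_addr = 0x400844
path_group.explore(find=find_addr, avoid=avoid_addr)

# explore() leaves .found empty when no path reaches find_addr; indexing it
# blindly would only produce an IndexError with no hint of the real cause.
if not path_group.found:
    raise SystemExit("no path reached 0x%x" % find_addr)
found = path_group.found[0]
print(found)
# dumps(0) is the concretized stdin of the found path, i.e. the input that
# drives main to the "Nice!" branch.
print(found.state.posix.dumps(0))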
import os
import angr
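project = angr.Project("defcamp_quals_2015_r100", auto_load_libs=False)
path_group = project.factory.path_group()
# Instead of a hard-coded address, accept any path whose stdout (fd 1) already
# contains the success message. posix.dumps() returns bytes under Python 3
# angr, so compare against a bytes literal; on Python 2 b'...' is the same
# object type as '...', so this works under either interpreter.
path_group.explore(find=lambda path: b'Nice!' in path.state.posix.dumps(1))
# Fail with a clear message rather than an IndexError when nothing matched.
if not path_group.found:
    raise SystemExit("no path printed 'Nice!'")
# dumps(0) is the concretized stdin that led to the success message.
print(path_group.found[0].state.posix.dumps(0))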
(angr) lazenca0x0@ubuntu:~/Documents/angr$ python symbolicECE.py WARNING | 2017-09-06 23:27:40,112 | claripy | Claripy is setting the recursion limit to 15000. If Python segfaults, I am sorry. Code_Talkers (angr) lazenca0x0@ubuntu:~/Documents/angr$ ./r100 Enter the password: Code_Talkers Nice! (angr) lazenca0x0@ubuntu:~/Documents/angr$ |