
How to use Angr to carry out simple CTF reverse Analysis

2025-02-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

How to use Angr for simple CTF reverse analysis: this article introduces the corresponding analysis and solution in detail, in the hope of helping readers who want to solve this problem find a simpler and more practical method.

I. Symbolic execution overview

Put simply, symbolic execution runs the program with symbols in place of concrete values. The advantage over concrete execution is this: when a program is run with concrete values there is only one program path we can traverse, but when it is run with symbols, since a symbol is variable, we can use that property to traverse as many of the program's paths as possible, so that at least one branch must produce the correct result. The conditions of each branch can be expressed as a set of constraint relations, and the correct result can then be obtained with a constraint-solving engine. That is a simple description of symbolic execution.

Angr is a binary analysis framework written in Python. We can use it to symbolically execute some CTF challenges and find the correct answer, that is, the flag. Note, however, that path selection is still a big problem for symbolic execution: when the program contains a loop, because symbolic execution tries to traverse every path, at least two branches are created on each iteration, and when there are enough iterations the number of paths explodes and exhausts the machine's memory.

II. Use of Angr

Personally, I feel that Angr is very useful for solving REVERSE challenges, while for PWN challenges it is usually used in an auxiliary role, such as locating sensitive functions like strcmp. This time we briefly explain how to use Angr to analyze and solve REVERSE challenges. I will first explain a few key steps of using Angr in practice, and then practice on a simple CTF challenge. It is recommended that you use ipython for simple practice; ipython's tab completion lets you discover many useful functions in Angr.

1. Run the program

When we get a program, we first need to create an Angr project for the program.

p = angr.Project('program')

Through this project we can get some information about the program, such as the program name via p.filename, and so on.

Next we need to run the program and handle its input. As mentioned earlier, symbolic execution does not use concrete values but symbols, which can simply be understood as variables, so we need to construct a symbol in Angr to serve as the program's input.

(1) Command line parameters

When a program requires command-line arguments, we first need to use the claripy module to define abstract data.

import claripy

The BVS function of claripy creates abstract data (a symbolic bit vector) of a specified length. It takes two parameters: the first is the variable name and the second is the length of the variable (in bits).

argv = [p.filename]
arg1 = claripy.BVS('arg1', 8)
argv.append(arg1)

In this way we have created a symbolic command-line argument, and we can now run the program to its entry point and get the current state.

state = p.factory.entry_state(args=argv)

p.factory is a collection of factory functions from which various functions for symbolic execution can be called. Here entry_state() takes a list as the program's command-line arguments and returns the state at the program entry (states are explained in Section 2.2).

(2) Standard input

When the program needs to read data from standard input, the read_from() function is used. Note that this function lives on the state, and we can impose constraints on the input to reduce the number of paths that symbolic execution has to traverse.

for _ in xrange(5):
    k = state.posix.files[0].read_from(1)
    state.se.add(k != 10)

This means that we read five bytes from standard input and require that none of them is a newline character.

2. Several states of programs in Angr

We mentioned earlier getting the state of the program entry point; in Angr a state represents one of several possible outcomes of symbolic execution. Once we have the entry-point state, we use Angr's simgr (simulation manager) to perform the symbolic execution.

sm = p.factory.simgr(state)

This creates a simulation manager starting from the entry point for symbolic execution.

While Angr searches for paths, the current state of the program can be in several different stashes.

step() executes one block (42 bytes) forward; the step() function produces an active state, meaning that the branch is still executing.

run() runs until the end; the run() function produces deadended states, meaning that the branch has finished.

explore() can restrict addresses to reduce the number of paths that symbolic execution traverses. For example:

sm.explore(find=0x400676, avoid=[0x40073d])

explore() produces found states, which hold the results of the exploration, and so on.

3. Get output

When symbolic execution traverses the whole program, it produces a large number of states, and we need to find the path we want among them.

We can get the program output of the current state (sm.found is a list, so the first found state is sm.found[0]):

print sm.found[0].posix.dumps(1)

The command-line argument:

print sm.found[0].solver.eval(arg1, cast_to=str)

Standard input:

inp = sm.found[0].posix.files[0].all_bytes()
print sm.found[0].solver.eval(inp, cast_to=str)

When solving for the values of command-line arguments and standard input, it is the constraint-solving engine that does the work.
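As an added illustration (not code from the article, and not angr's own code), here is a miniature symbolic executor in plain Python that mirrors the workflow of sections 1 to 3: symbolic stdin bytes, a path fork at every comparison, explore(find=..., avoid=...) over the resulting states, and a solver that turns a path's constraints back into a concrete key. The checker program, its xor obfuscation and the key "9563" are constructed for this illustration, and no angr installation is needed.

```python
SECRET = bytes(b ^ 0x5A for b in b"9563")   # constructed: the key "9563", xor-obfuscated
KEY_LEN = len(SECRET)

class State:
    """One execution path: per-byte constraints on stdin plus the captured stdout."""
    def __init__(self, constraints=None, stdout=b""):
        # constraints[i] lists the predicates that input byte i must satisfy
        self.constraints = constraints if constraints is not None else [[] for _ in range(KEY_LEN)]
        self.stdout = stdout
    def fork(self, index, pred):
        """Copy this state and add one more constraint on byte `index` (a branch taken)."""
        new = [list(c) for c in self.constraints]
        new[index].append(pred)
        return State(new, self.stdout)
    def eval_byte(self, index):
        """Constraint solving, brute force over the 256 values: a concrete byte, or None."""
        return next((b for b in range(256)
                     if all(p(b) for p in self.constraints[index])), None)
    def satisfiable(self):
        return all(self.eval_byte(i) is not None for i in range(KEY_LEN))
    def solve(self):
        """Like solver.eval(inp) in the article: a concrete stdin that follows this path."""
        return bytes(self.eval_byte(i) for i in range(KEY_LEN))

def run_checker(entry):
    """Symbolically run the constructed checker: each byte first gets the article's
    'not a newline' constraint, then the compare forks into a mismatch path that
    prints 'wrong' and dies, and a match path that continues. Returns every end state."""
    deadended, active = [], [entry]
    for i in range(KEY_LEN):
        nxt = []
        for s in active:
            s = s.fork(i, lambda b: b != 10)
            bad = s.fork(i, lambda b, i=i: b ^ 0x5A != SECRET[i])
            bad.stdout += b"wrong\n"
            deadended.append(bad)
            nxt.append(s.fork(i, lambda b, i=i: b ^ 0x5A == SECRET[i]))
        active = [s for s in nxt if s.satisfiable()]    # prune infeasible paths
    for s in active:
        s.stdout += b"correct!\n"
    return deadended + active

def explore(find, avoid):
    """Mirror of sm.explore(find=..., avoid=...) over the checker's end states."""
    return [s for s in run_checker(State()) if find(s.stdout) and not avoid(s.stdout)]

def recover_key():
    found = explore(find=lambda out: b"correct!" in out, avoid=lambda out: b"wrong" in out)
    return found[0].solve() if found else None
```

recover_key() returns b"9563"; with a longer key the deadended list grows by one state per byte, which is the path growth the article warns about.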

III. Angr practice

Bin (re50) download:

http://oj.xctf.org.cn/web/practice/defensetrain/465f6bb8f4ad4d65a70cce2bd69dfacf/

Writing the script

import angr
import sys

print "[*] start--"
p = angr.Project(sys.argv[1])          # create the project from the binary
state = p.factory.entry_state()        # get the state at the entry point
# state.posix.files[0].read_from(1) reads one byte from standard input
for _ in xrange(int(sys.argv[2])):     # simple constraint on each input byte: not a newline
    k = state.posix.files[0].read_from(1)
    state.se.add(k != 10)
k = state.posix.files[0].read_from(1)
state.se.add(k == 10)                  # the newline is the terminator
state.posix.files[0].seek(0)           # rewind standard input so the program reads it from the start
state.posix.files[0].length = int(sys.argv[2]) + 1   # constrain the input length (larger than the actual length is also acceptable)
print "[*] simgr start--"
sm = p.factory.simgr(state)            # initialize the simulation manager
sm.explore(find=lambda s: "correct!" in s.posix.dumps(1))   # keep the paths that print "correct!" and discard the others
print "[*] program excuted--"
for pp in sm.found:
    out = pp.posix.dumps(1)            # the program's output
    print out
    inp = pp.posix.files[0].all_bytes()   # the input variable
    print pp.solver.eval(inp, cast_to=str)   # use the constraint solver to recover the input

Running

root@kali:~# python re50.py ppp 4
[*] start--
/usr/local/lib/python2.7/dist-packages/cle/loader.py:729: UnicodeWarning: Unicode equal comparison failed to convert both arguments to Unicode - interpreting them as being unequal
  if libname.strip('.0123456789') == spec.strip('.0123456789'):
[*] simgr start--
[*] program excuted--
please input the key:correct!
9563
root@kali:~#

We get the correct key value of 9563.

That is the answer to the question of how to use Angr for simple CTF reverse analysis. I hope the content above is of some help to you. If you still have many unresolved doubts, you can follow the industry information channel to learn more.
