angr-ctf

angr 的项目地址

https://github.com/jakespringer/angr_ctf

angr实战

00

拖到IDA

就是输入正确的指令才能通关

这次试一下用angr来解题

goahead@DESKTOP-8KORQ75:/mnt/d/CTF/angr/angr_ctf-master/dist$ workon angr
(angr) goahead@DESKTOP-8KORQ75:/mnt/d/CTF/angr/angr_ctf-master/dist$ python
Python 3.6.9 (default, Mar 10 2023, 16:46:00)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
>>> p = angr.Project("./00_angr_find")		#创建一个工程名
>>> init_state = p.factory.entry_state()	#给它初始化状态为从入口点开始
>>> sm = p.factory.simulation_manager(init_state)	#让angr执行
>>> sm.explore(find = 0x08048678)			# 给它探索的目的地，也就是IDA中分析到的“good job”
WARNING | 2023-11-17 14:12:29,194 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing register with an unspecified value. This could indicate unwanted behavior.
WARNING | 2023-11-17 14:12:29,194 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2023-11-17 14:12:29,195 | angr.storage.memory_mixins.default_filler_mixin | 1) setting a value to the initial state
WARNING | 2023-11-17 14:12:29,195 | angr.storage.memory_mixins.default_filler_mixin | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2023-11-17 14:12:29,195 | angr.storage.memory_mixins.default_filler_mixin | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to suppress these messages.
WARNING | 2023-11-17 14:12:29,195 | angr.storage.memory_mixins.default_filler_mixin | Filling register edi with 4 unconstrained bytes referenced from 0x80486b1 (__libc_csu_init+0x1 in 00_angr_find (0x80486b1))
WARNING | 2023-11-17 14:12:29,196 | angr.storage.memory_mixins.default_filler_mixin | Filling register ebx with 4 unconstrained bytes referenced from 0x80486b3 (__libc_csu_init+0x3 in 00_angr_find (0x80486b3))
WARNING | 2023-11-17 14:12:30,087 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7ffeff60 with 4 unconstrained bytes referenced from 0x817e690 (strcmp+0x0 in libc.so.6 (0x7e690))
<SimulationManager with 1 active, 16 deadended, 1 found>
>>> sm.found[0]
<SimState @ 0x8048678>
>>> found_state = sm.found[0]
>>> found_state.posix.dumps(0)
b'JXWVXRKX'
>>> found_state.posix.dumps(1)
b'Enter the password: '
##  state.posix.dumps (0) 代表该状态程序的所有输入， state.posix.dumps (1) 代表该状态程序的所有输出。

所以输入JXWVXRKX就可以通关

goahead@DESKTOP-8KORQ75:/mnt/d/CTF/angr/angr_ctf-master/dist$ ./00_angr_find
Enter the password: JXWVXRKX
Good Job.

常规解法

letter_list = ['J', 'A', 'C', 'E', 'J', 'G', 'C', 'S']

def reverse_operation(value, i):
    return chr((value - 65 - 3 * i) % 26 + 65)

# 反向计算得到字母数组 s[8]
s = [reverse_operation(ord(letter), i) for i, letter in enumerate(letter_list)]

print("原始字母数组:", letter_list)
print("通过反向运算得到的字母数组:", ''.join(s))

01

拖到IDA,看到一个函数maybe_good,打开

很显然，我们想要的就是0x080485E0

执行程序

发现和00类似

直接使用angr

(angr) goahead@DESKTOP-8KORQ75:/mnt/d/CTF/angr/angr_ctf-master/dist$ workon angr
(angr) goahead@DESKTOP-8KORQ75:/mnt/d/CTF/angr/angr_ctf-master/dist$ python
Python 3.6.9 (default, Mar 10 2023, 16:46:00)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
>>> p = p.angr.Project("./01_angr_avoid")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'p' is not defined
>>> p = angr.Project("./01_angr_avoid")
>>> init_state=p.factory.entry_state()
>>> sm = p.factory.simulation_manager(init_state)
>>> sm.explore(find=0x080485E0,avoid=0x080485F2) #find的值就是要让angr到达的地址值，而avoid的值是不让angr到达的地址值

>>> found_state = sm.found[0]
>>> found_state.posix.dumps(0)
b'HUJOZMYS'
>>> found_state.posix.dumps(1)
b'Enter the password: '

故输入HUJOZMYS即可通关

02

观察有多个地方输出“Good job”

使用脚本：

# It is very useful to be able to search for a state that reaches a certain
# instruction. However, in some cases, you may not know the address of the
# specific instruction you want to reach (or perhaps there is no single
# instruction goal.) In this challenge, you don't know which instruction
# grants you success. Instead, you just know that you want to find a state where
# the binary prints "Good Job."
#
# Angr is powerful in that it allows you to search for a states that meets an
# arbitrary condition that you specify in Python, using a predicate you define
# as a function that takes a state and returns True if you have found what you
# are looking for, and False otherwise.

import angr
import sys

def main(argv):
  path_to_binary = "./02_angr_find_condition"
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  def is_successful(state):		#判断当前状态能否使程序输出 Good Job，然后返回 True or False，
    stdout_output = state.posix.dumps(sys.stdout.fileno()) #把标准输出赋值给 stdout_output ，那不是字符串而是一个bytes 对象
    if b'Good Job.' in stdout_output:  #  要使用 b'Good Job.' 替代 Good Job. 检查是否输出了字符串 Good Job.
      return True  # (3)
    else:
      return False

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    if b'Try again.' in stdout_output:
      return True
    else:
      return False

  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]
    print(solution_state.posix.dumps(sys.stdin.fileno()))
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

输出结果为：b'HETOBRCU'

03 寄存器符号化

发现要输入多个参数（3个）

则我们直接跳过输入，让angr直接从0x8048980 处开始执行

start_address = 0x08048980 # :integer (probably hexadecimal)
initial_state = project.factory.blank_state(addr=start_address)
#这次使用 blank_state() 方法替代了 entry_state() 。通过把 addr=start_address 传递给 blank_state()

观察反汇编，使用eax,ebx,edx,进行传参，故位数为32位

用 claripy 通过 BVS() 方法生成三个位向量。这个方法需要两个参数：第一个参数表示符号名，第二个参数表示这个符号的长度 单位bit。因为符号值都保存在寄存器里，并且寄存器都是32位的，所以位向量的大小也需要是32位的。

password0_size_in_bits = 32 # :integer
password0 = claripy.BVS('password0', password0_size_in_bits)
password1 = claripy.BVS('password1', password0_size_in_bits)
password2 = claripy.BVS('password2', password0_size_in_bits)

现在我们已经创建了三个符号位向量，现在就把他们赋值给 eax,ebx,edx。我准备修改先前创建的状态 initial_state，并更新寄存器的内容，幸运的是，angr提供了一个非常智能的方法：

initial_state.regs.eax = password0
initial_state.regs.ebx = password1
initial_state.regs.edx = password2

现在我们准备跟以前一样定义 find , avoid 状态。

simulation = project.factory.simgr(initial_state) 

def is_successful(state):
  stdout_output = state.posix.dumps(sys.stdout.fileno())
  if b'Good Job.\n' in stdout_output:
    return True
  else: return False

def should_abort(state):
  stdout_output = state.posix.dumps(sys.stdout.fileno())
  if b'Try again.\n' in  stdout_output:
    return True
  else: return False 

simulation.explore(find=is_successful, avoid=should_abort)

下面就是打印解了。

if simulation.found:
    solution_state = simulation.found[0]

    # Solve for the symbolic values. If there are multiple solutions, we only
    # care about one, so we can use eval, which returns any (but only one)
    # solution. Pass eval the bitvector you want to solve for.
    # (!) NOTE: state.se is deprecated, use state.solver (it's exactly the same).
    solution0 = format(solution_state.solver.eval(password0), 'x')
    # 我们根据注入的三个符号值调用求解引擎的 eval()方法； format() 方法格式化解并去掉16进制的 “0x”。
    solution1 = format(solution_state.solver.eval(password1), 'x')
    solution2 = format(solution_state.solver.eval(password2), 'x')

    # Aggregate and format the solutions you computed above, and then print
    # the full string. Pay attention to the order of the integers, and the
    # expected base (decimal, octal, hexadecimal, etc).

    #重组3个解，组合为一个字符串，然后打印出来。
    solution = solution0 + " " + solution1 + " " + solution2 # (2)
    print("[+] Success! Solution is: {}".format(solution))
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

04 符号化栈

手搓一下

F5反汇编进入 handle_user()函数

发现只要将输入的两个数分别与另外两个数进行异或操作，再与两个数比较就能得到正确答案

因此，只需将最终要比较的数分别和那两个数异或就能得到输入（两次异或等于不操作）

使用angr

因为我们要跳过scanf,故call scanf 下面的add esp,10h（平衡堆栈）我们也不用执行

所以，从下一行 0x08048697开始执行

import angr
import claripy
import sys

def main(argv):
    bin_path = "./04_angr_symbolic_stack"
    p = angr.Project(bin_path)

    start_addr = 0x08048697
    init_state = p.factory.blank_state(addr = start_addr)

用 claripy 通过 BVS() 方法生成两个个位向量。

    #ebp = esp
    init_state.regs.esp = init_state.reg.esp

    password0 = claripy.BVS('password0',32)
    password1= claripy.BVS('password0',32)

    #因为他push 两个参数为 [ebp-0Ch]和[ebp-10h]，而栈的地址是向下增长的
 	#一个参数大小为4字节，所以padding 的位置为0x0C-4 = 0x08
    padding_length_in_bytes = 0x08
    #提升堆栈
    initial_state.regs.esp -= padding_length_in_bytes
    #push password0
  	initial_state.stack_push(password0)
    #push password1
  	initial_state.stack_push(password1)

    sm = p.factory.simgr(init_state)

    def is_successful(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        if b'Good Job' in stdout_output:
          return True
        else:
          return False

    def should_abort(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        if b'Try again' in stdout_output:
          return True
        else:
          return False

    simulation.explore(find=is_successful, avoid=should_abort)

      if simulation.found:
      	solution_state = simulation.found[0]
        solution0 = solution_state.se.eval(password0)
    	solution1 = solution_state.se.eval(password1)
        print("Solution is:{} {}".format(solution0,solution1))
     else:
        raise Exception"Solution not found"

if __name__ == '__main__':
    main(sys.argv)

答案输入：

1704280884 -1912626145

或者

1704280884 2382341151

都对！因为将-1912626145转化为无符号整型就是2382341151（python实现将有符号整型a转为无符号整型：print(a+2**32)）

05 符号化内存

找到scanf附近，发现需要输入4个变量，并且这4个变量都是通过push内存直接传入的

因此，本次得到目标是符号化内存

首先，看一下从哪个地址开始执行吧，因为无需调用scanf函数，故他的堆栈平衡也不用操作，

所以直接从0x08048601开始执行

start_address = 0x08048601
init_state = project.factory.blank_state(addr = start_address)

用 claripy 通过 BVS() 方法生成四个位向量。由于scanf("%8s %8s %8s %8s")，所以每个参数64位

password0 = claripy.BVS('password0',64)
password1 = claripy.BVS('password1',64)
password2 = claripy.BVS('password2',64)
password3 = claripy.BVS('password3',64)

把内存单元的地址值和变量之间进行一定关系的绑定

password0_address = 0x0A1BA1C0
password1_address = 0x0A1BA1C8
password2_address = 0x0A1BA1D0
password3_address = 0x0A1BA1D8

initial_state.memory.store(password0_address, password0)
initial_state.memory.store(password1_address, password1)
initial_state.memory.store(password2_address, password2)
initial_state.memory.store(password3_address, password3)

执行

simulation = project.factory.simgr(initial_state)

def is_successful(state):
  stdout_output = state.posix.dumps(sys.stdout.fileno())
  if b'Good Job' in stdout_output:
    return True
  else:
    return False

def should_abort(state):
  stdout_output = state.posix.dumps(sys.stdout.fileno())
  if b'Try again' in stdout_output:
    return True
  else:
    return False

simulation.explore(find=is_successful, avoid=should_abort)

if simulation.found:
  solution_state = simulation.found[0]

  solution0 = solution_state.se.eval(password0, cast_to=bytes)
  solution1 = solution_state.se.eval(password1, cast_to=bytes)
  solution2 = solution_state.se.eval(password2, cast_to=bytes)
  solution3 = solution_state.se.eval(password3, cast_to=bytes)
 #将b'NAXTHGNR' b'JVSFTPWE' b'LMGAUHWC' b'XMDCPALU' 转化为 NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU
  print("Solution is: {} {} {} {}".format(solution0.decode('utf-8'),solution1.decode('utf-8'),solution2.decode('utf-8'),solution3.decode('utf-8')))
  else:
    raise Exception('Could not find the solution')

结果：NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU

06符号化堆

观察反汇编

程序使用了malloc动态分配内存，故本次我们要执行符号化堆

先看下从哪开始执行

不调用scanf，所以我们从0x08048699处开始执行

start_address = 0x08048699
initial_state = project.factory.blank_state(addr=start_address)

需要两个参数，所以用 claripy 通过 BVS() 方法生成两个位向量

password0 = claripy.BVS('password0', 64)
password1 = claripy.BVS('password1', 64)

因为malloc是随机分配地址的，所以我们直接指定地址

addr_esp = initial_state.regs.esp
fake_heap_address0 = addr_esp - 0x100
fake_heap_address1 = addr_esp - 0x200

将地址和变量进行绑定，默认情况下，Angr 在内存中存储整数时采用大字节。要使用参数 endness=project.arch.memory_endness。在 x86 架构上，这是小端序。

pointer_to_malloc_memory_address0 = 0x0ABCC8A4
pointer_to_malloc_memory_address1 = 0x0ABCC8AC
initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
initial_state.memory.store(pointer_to_malloc_memory_address1, fake_heap_address1, endness=project.arch.memory_endness)

在我们的 fake_heap_address 处存储我们的符号值。查看二进制文件，确定 scanf 从 fake_heap_address 写入的偏移量。

initial_state.memory.store(fake_heap_address0, password0)
initial_state.memory.store(fake_heap_address1, password1)

执行

simulation = project.factory.simgr(initial_state)

  def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    if b'Good Job' in stdout_output:
      return True
    else:
      return False

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    if b'Try again' in stdout_output:
      return True
    else:
      return False

  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]

    solution0 = solution_state.se.eval(password0, cast_to=bytes)
    solution1 = solution_state.se.eval(password1, cast_to=bytes)
    #solution = ???
    print("Solution is: {} {}".format(solution0.decode('utf-8'), solution1.decode('utf-8')))
   # print(solution)
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

结果是：UBDKLMBV UNOERNYS

07 文件内容符号化

拖到IDA,F5一下

看到文件操作，因此本次目标符号化文件内容

起始地址我们需要在初始化文件之前（因为这里并没有符号化文件名），输入password之后,选择的是ignore_me之后，选的是0x80488D6

start_address = 0x080488D6
initial_state = project.factory.blank_state(addr=start_address)

给它文件名和大小

filename = "OJKSQYDP.txt"
file_size = 0x40

紧接着进行文件文本符号化

password = initial_state.solver.BVS("password",file_size*8)
sim_file = angr.storage.SimFile(filename,content=password,size=file_size)

然后进行相应的 插入操作：

initial_state.fs.insert(filename,sim_file)

最后进行文本内容的求解：

sm = project.factory.simulation_manager(initial_state)

结果为 AZOMMMZM