Introduction

These are my study notes on angr-ctf; its challenges are a quick way to get started with angr and learn how it is used.

After cloning the project with git, each challenge has to be compiled by hand to produce its binary. I followed https://github.com/lcatro/Angr-CTF-Learn-Note for the compilation steps. After that, the task is to complete scaffold00.py.


00_angr_find

Problem 0 can be solved directly with the explore() function.

angr.Project(path to the binary) opens the binary file

project.factory.entry_state() creates a blank execution context at the program entry point

project.factory.simgr(state object) creates the simulation manager

simulation.explore(find = address of the program path to search for) runs the path search

01_angr_avoid

This problem also uses the explore() function. Besides find, which specifies the path to look for, the avoid parameter can be used to prune wrong paths.

import angr
import sys

def main(argv):
    path_to_binary = './01_angr_avoid'
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)

    # Explore the binary, but this time, instead of only looking for a state that
    # reaches the print_good_address, also find a state that does not reach
    # will_not_succeed_address. The binary is pretty large, to save you some time,
    # everything you will need to look at is near the beginning of the address
    # space.
    # (!)
    print_good_address = 0x08048636
    will_not_succeed_address = 0x0804864A
    simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

    if simulation.found:
        solution_state = simulation.found[0]
        print(solution_state.posix.dumps(sys.stdin.fileno()))
    else:
        raise Exception('Could not find the solution')

if __name__ == '__main__':
    main(sys.argv)

02_angr_condition

Besides passing an address to find directly, you can also pass a function you write yourself; explore() calls it on each state and treats its boolean return value as the find (or avoid) decision.
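As an added example (this is not code from the original post or from angr-ctf), here is a complete solve script in the style of 02_angr_condition that uses callables for both find and avoid, reusing the four-step setup from 00_angr_find. The strings 'Good Job.' and 'Try again.' are assumed to be what the compiled challenge prints; check them against your own build. The predicates are kept as pure functions over the captured stdout bytes so they can be checked without running angr, and the angr import is deferred into solve() for the same reason.

```python
import sys


# Strings the challenge binary is assumed to print on the two outcomes
# (constructed for this example; adjust them to match your compiled binary).
GOOD_MARKER = b'Good Job.'
BAD_MARKER = b'Try again.'


def stdout_indicates_success(stdout: bytes) -> bool:
    """Pure predicate on captured stdout: has the success message appeared?"""
    return GOOD_MARKER in stdout


def stdout_indicates_failure(stdout: bytes) -> bool:
    """Pure predicate on captured stdout: has the failure message appeared?"""
    return BAD_MARKER in stdout


def is_successful(state) -> bool:
    """find= callback: angr calls this with every SimState it steps into.

    state.posix.dumps(fd) returns everything the simulated program has written
    to that file descriptor so far, so we inspect the program's own output
    instead of hard-coding a code address.
    """
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return stdout_indicates_success(stdout_output)


def should_abort(state) -> bool:
    """avoid= callback: prune states whose output already shows failure.

    Dropping them early keeps the number of live states (and solver work) down.
    """
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return stdout_indicates_failure(stdout_output)


def solve(path_to_binary: str) -> bytes:
    """Run the four-step recipe from 00_angr_find with predicates instead of addresses."""
    import angr  # deferred so the predicates above can be tested without angr installed

    project = angr.Project(path_to_binary)             # 1. open the binary
    initial_state = project.factory.entry_state()      # 2. blank state at the entry point
    simulation = project.factory.simgr(initial_state)  # 3. simulation manager
    simulation.explore(find=is_successful, avoid=should_abort)  # 4. search by predicate

    if not simulation.found:
        raise Exception('Could not find the solution')
    solution_state = simulation.found[0]
    # The stdin that drove execution onto the good path is the answer.
    return solution_state.posix.dumps(sys.stdin.fileno())


if __name__ == '__main__':
    binary = sys.argv[1] if len(sys.argv) > 1 else './02_angr_condition'
    print(solve(binary))
```

Because explore() evaluates the predicates on every state it touches, they should only read state data and stay cheap; anything heavier (for example, constraint solving inside the predicate) multiplies the cost of the whole search.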