angr
2021. 7. 16. 16:34ㆍrev/tip
[+] 설치
python -m venv angr
source angr/bin/activate
python -m pip install angr
[+] 실행
source angr/bin/activate
[+] 종료
deactivate
[+] Google CTF 2020 Beginner
15글자 입력
SUCCESS : 0x111d
FAILURE : 0x1100
# ans.py
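import angr
import claripy

# The binary is loaded at BASE, so FIND/AVOID are offsets from that base:
# FIND is the SUCCESS branch and AVOID the FAILURE branch of the check.
BASE = 0
FIND = 0x111d
AVOID = 0x1100
INPUT_LEN = 15  # the check reads 15 bytes from stdin

p = angr.Project("./a.out", main_opts={"base_addr": BASE})
state = p.factory.full_init_state(
    args=["./a.out"],
    add_options=angr.options.unicorn,
)
sm = p.factory.simulation_manager(state)
sm.explore(find=FIND, avoid=AVOID)

# explore() leaves sm.found empty when no path reaches FIND (e.g. a wrong
# BASE/FIND/AVOID); fail with a readable message instead of an IndexError.
if not sm.found:
    raise SystemExit("no state reached FIND; check BASE, FIND and AVOID")
found = sm.found[0]

# Constrain every stdin byte to printable ASCII ('!'..'~') so the solver
# yields a readable input rather than arbitrary bytes on the same path.
stdin_bv = found.posix.stdin.content[0][0]
for i in range(INPUT_LEN):
    c = stdin_bv.get_bytes(i, 1)
    found.solver.add(c >= ord('!'))
    found.solver.add(c <= ord('~'))

# dumps(0) concretizes stdin under the constraints added above.
print(found.posix.dumps(0))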
뒷부분은 제대로 쓴건지 모름
# ans2.py
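import angr
import claripy

INPUT_LEN = 15  # the check reads 15 bytes from stdin


def reached_success(s):
    """Return True once the state has written b'SUCCESS' to stdout (fd 1)."""
    return b'SUCCESS' in s.posix.dumps(1)


def reached_failure(s):
    """Return True once the state has written b'FAILURE' to stdout (fd 1)."""
    return b'FAILURE' in s.posix.dumps(1)


# No base address is needed here: the search keys on the program's own
# output instead of on code addresses.
p = angr.Project("./a.out")
state = p.factory.full_init_state(
    args=["./a.out"],
    add_options=angr.options.unicorn,
)
sm = p.factory.simulation_manager(state)
sm.explore(find=reached_success, avoid=reached_failure)

# explore() leaves sm.found empty when no path prints SUCCESS; fail with a
# readable message instead of an IndexError.
if not sm.found:
    raise SystemExit("no state printed SUCCESS")
found = sm.found[0]

# Constrain every stdin byte to printable ASCII ('!'..'~') so the solver
# yields a readable input rather than arbitrary bytes on the same path.
stdin_bv = found.posix.stdin.content[0][0]
for i in range(INPUT_LEN):
    c = stdin_bv.get_bytes(i, 1)
    found.solver.add(c >= ord('!'))
    found.solver.add(c <= ord('~'))

# dumps(0) concretizes stdin under the constraints added above.
print(found.posix.dumps(0))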
그냥 출력되는 문자열로 찾아도 풀린다