Preface

angr is a Python framework for analysing binary programs. Under the hood it is a symbolic execution engine that hands the constraints it collects to the z3 SMT solver (through its claripy layer), so calling it "a z3-based automatic solver" is close enough.

It is a big help for reverse engineering,

though it is certainly not limited to reversing.

(Lazy mode: let the computer go and find the flag by itself.)

If you have played with z3 you already have a feel for what this does.

The key idea is symbolic execution.

Project page: https://github.com/angr

Symbolic execution

In short:

run the program on symbols instead of concrete values, record the condition of every branch taken along a path as a constraint, and let a solver enumerate the paths,

then ask it which input satisfies the constraints of the path you want (the one that reaches the flag). That input is the answer.

Like this:

[image: symbolic execution diagram, program paths forking at each branch]
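To make the idea concrete, here is a miniature symbolic executor in pure Python. It is an added example written for this post, not angr's code and not from the original article: the "binary" is a constructed toy bytecode VM that checks a 4-byte password one byte at a time (the way VM crackmes usually do), the solver is a 256-trials-per-byte stand-in for z3, and the stash names (active/found/avoid/unsat) are borrowed from angr so the explore(find=..., avoid=...) calls later on this page look familiar.

```python
"""Toy symbolic executor: states carry symbolic expressions instead of
numbers, conditional branches fork the state and record a path constraint,
and a solver turns the constraints of the interesting path back into bytes.
Everything here (program, VM, solver) is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed VM program. Each input byte is XORed, added to and compared;
# a failed compare jumps to FAIL (pc 17), surviving all four reaches WIN (pc 16).
PROGRAM = [
    ("LOAD", 0), ("XOR", 0x5A), ("ADD", 0x17), ("JNE", 0x52, 17),
    ("LOAD", 1), ("XOR", 0x5A), ("ADD", 0x17), ("JNE", 0x4B, 17),
    ("LOAD", 2), ("XOR", 0x5A), ("ADD", 0x17), ("JNE", 0x54, 17),
    ("LOAD", 3), ("XOR", 0x5A), ("ADD", 0x17), ("JNE", 0x3F, 17),
    ("WIN",),
    ("FAIL",),
]
WIN_PC, FAIL_PC, INPUT_LEN = 16, 17, 4


@dataclass
class State:
    pc: int
    acc: object = None                       # symbolic expression tree, not a number
    constraints: list = field(default_factory=list)


# --- symbolic values: expression trees over the unknown input bytes ----------
def evaluate(expr, inp):
    """Concretise an expression once every input byte is known."""
    op = expr[0]
    if op == "in":
        return inp[expr[1]]
    if op == "xor":
        return evaluate(expr[1], inp) ^ expr[2]
    if op == "add":
        return (evaluate(expr[1], inp) + expr[2]) & 0xFF
    raise ValueError(op)


def variables(expr):
    return {expr[1]} if expr[0] == "in" else variables(expr[1])


def holds(constraint, inp):
    kind, expr, k = constraint               # kind is "eq" or "ne"
    return (evaluate(expr, inp) == k) == (kind == "eq")


def solve(constraints, n):
    """Toy solver: every constraint this VM produces involves one input byte,
    so 256 trials per byte are enough. angr hands the same job to z3."""
    assert all(len(variables(c[1])) == 1 for c in constraints)
    inp = bytearray(n)
    for i in range(n):
        mine = [c for c in constraints if variables(c[1]) == {i}]
        for v in range(256):
            inp[i] = v
            if all(holds(c, inp) for c in mine):
                break
        else:
            return None                      # contradictory path constraints
    return bytes(inp)


# --- stepping: one VM instruction, forking at conditional branches ------------
def step(s):
    op, *args = PROGRAM[s.pc]
    if op == "LOAD":
        return [State(s.pc + 1, ("in", args[0]), s.constraints)]
    if op == "XOR":
        return [State(s.pc + 1, ("xor", s.acc, args[0]), s.constraints)]
    if op == "ADD":
        return [State(s.pc + 1, ("add", s.acc, args[0]), s.constraints)]
    if op == "JNE":                          # fork: taken (ne) and fall-through (eq)
        k, target = args
        return [State(target, s.acc, s.constraints + [("ne", s.acc, k)]),
                State(s.pc + 1, s.acc, s.constraints + [("eq", s.acc, k)])]
    return []                                # WIN / FAIL have no successors


def explore(find, avoid):
    """Breadth-first path exploration with angr-style stashes."""
    stashes = {"active": [State(0)], "found": [], "avoid": [], "unsat": []}
    while stashes["active"] and not stashes["found"]:
        s = stashes["active"].pop(0)
        if s.pc == avoid:
            stashes["avoid"].append(s)       # pruned, never stepped again
        elif solve(s.constraints, INPUT_LEN) is None:
            stashes["unsat"].append(s)       # infeasible path, dropped
        elif s.pc == find:
            stashes["found"].append(s)
        else:
            stashes["active"].extend(step(s))
    return stashes


def recover_input():
    """The counterpart of res.found[0].posix.dumps(0) in the angr scripts."""
    stashes = explore(find=WIN_PC, avoid=FAIL_PC)
    return solve(stashes["found"][0].constraints, INPUT_LEN)


if __name__ == "__main__":
    print(recover_input())                   # b'angr'
```

The four JNE instructions fork the state four times; the four branches that land on FAIL go straight into the avoid stash, and the single state that reaches WIN carries four equality constraints, which the solver inverts to the password. angr does the same thing over real machine code lifted to VEX, with z3 as the solver and a lot more bookkeeping.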

Installation pitfalls

For the details, Google or Baidu it yourself, Orz.

A quick walkthrough:

  1. Install the dependencies

sudo apt-get install python3-dev libffi-dev build-essential virtualenvwrapper

(python3-dev rather than the old python-dev: angr 9.x is Python 3 only, the log below shows it running on CPython 3.8.)

  2. Set the environment variable

export WORKON_HOME=$HOME/Python-workhome

Use the same path as me; it makes no real difference.

  3. Load virtualenvwrapper

    Run whereis virtualenvwrapper.sh first to find out where it lives,

    then put that path after source:

source /usr/local/bin/virtualenvwrapper.sh

  4. Install angr

    mkvirtualenv --python=$(which python3) angr && pip install angr

If it errors out, just run the same command again.

ix221@TieMianSheng:~/Desktop$ mkvirtualenv --python=$(which python3) angr && pip install angr
created virtual environment CPython3.8.10.final.0-64 in 902ms
creator CPython3Posix(dest=/home/ix221/Python-workhome/angr, clear=False, no_vcs_ignore=False, global=False)
seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/ix221/.local/share/virtualenv)
added seed packages: pip==23.0, setuptools==67.1.0, wheel==0.38.4
activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
Collecting angr
Using cached angr-9.2.39-py3-none-manylinux2014_x86_64.whl (10.5 MB)
Collecting rpyc
Using cached rpyc-5.3.1-py3-none-any.whl (74 kB)
Collecting claripy==9.2.39
Using cached claripy-9.2.39-py3-none-any.whl (154 kB)
Collecting CppHeaderParser
Using cached CppHeaderParser-2.7.4.tar.gz (54 kB)
Preparing metadata (setup.py) ... done
Collecting psutil
Using cached psutil-5.9.4-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (280 kB)
Collecting pyvex==9.2.39
Downloading pyvex-9.2.39-py3-none-manylinux2014_x86_64.whl (3.0 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.0/3.0 MB 733.3 kB/s eta 0:00:00
Collecting pycparser>=2.18
Using cached pycparser-2.21-py2.py3-none-any.whl (118 kB)
Collecting protobuf>=3.19.0
Using cached protobuf-4.22.0-cp37-abi3-manylinux2014_x86_64.whl (302 kB)
Collecting nampa
Using cached nampa-0.1.1-py2.py3-none-any.whl (9.2 kB)
Collecting itanium-demangler
Using cached itanium_demangler-1.1-py3-none-any.whl (8.8 kB)
Collecting cle==9.2.39
Using cached cle-9.2.39-py3-none-any.whl (170 kB)
Collecting networkx!=2.8.1,>=2.0
Using cached networkx-3.0-py3-none-any.whl (2.0 MB)
Collecting sympy
Using cached sympy-1.11.1-py3-none-any.whl (6.5 MB)
Collecting sortedcontainers
Using cached sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Collecting unicorn==2.0.1.post1
Using cached unicorn-2.0.1.post1-py2.py3-none-manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (16.1 MB)
Collecting mulpyplexer
Using cached mulpyplexer-0.09.tar.gz (2.8 kB)
Preparing metadata (setup.py) ... done
Collecting dpkt
Using cached dpkt-1.9.8-py3-none-any.whl (194 kB)
Collecting archinfo==9.2.39
Using cached archinfo-9.2.39-py3-none-any.whl (57 kB)
Collecting cachetools
Using cached cachetools-5.3.0-py3-none-any.whl (9.3 kB)
Collecting GitPython
Using cached GitPython-3.1.31-py3-none-any.whl (184 kB)
Collecting progressbar2>=3
Using cached progressbar2-4.2.0-py2.py3-none-any.whl (27 kB)
Collecting cffi>=1.14.0
Using cached cffi-1.15.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (442 kB)
Collecting ailment==9.2.39
Using cached ailment-9.2.39-py3-none-any.whl (23 kB)
Collecting capstone!=5.0.0rc2,>=3.0.5rc2
Using cached capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB)
Collecting decorator
Downloading decorator-5.1.1-py3-none-any.whl (9.1 kB)
Collecting pysmt>=0.9.5
Downloading PySMT-0.9.5-py2.py3-none-any.whl (319 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 319.1/319.1 kB 1.8 MB/s eta 0:00:00
Collecting z3-solver==4.10.2.0
Downloading z3_solver-4.10.2.0-py2.py3-none-manylinux1_x86_64.whl (52.9 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 52.9/52.9 MB 4.2 MB/s eta 0:00:00
Collecting pyelftools>=0.27
Using cached pyelftools-0.29-py2.py3-none-any.whl (174 kB)
Collecting pefile
Downloading pefile-2023.2.7-py3-none-any.whl (71 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 71.8/71.8 kB 4.7 MB/s eta 0:00:00
Collecting bitstring
Downloading bitstring-4.0.1-py3-none-any.whl (45 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 45.6/45.6 kB 3.7 MB/s eta 0:00:00
Collecting python-utils>=3.0.0
Downloading python_utils-3.5.2-py2.py3-none-any.whl (24 kB)
Collecting ply
Downloading ply-3.11-py2.py3-none-any.whl (49 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.6/49.6 kB 6.4 MB/s eta 0:00:00
Collecting gitdb<5,>=4.0.1
Downloading gitdb-4.0.10-py3-none-any.whl (62 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.7/62.7 kB 2.6 MB/s eta 0:00:00
Collecting future
Downloading future-0.18.3.tar.gz (840 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 840.9/840.9 kB 9.1 MB/s eta 0:00:00
Preparing metadata (setup.py) ... done
Collecting plumbum
Using cached plumbum-1.8.1-py3-none-any.whl (126 kB)
Collecting mpmath>=0.19
Downloading mpmath-1.2.1-py3-none-any.whl (532 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 532.6/532.6 kB 8.4 MB/s eta 0:00:00
Collecting smmap<6,>=3.0.1
Downloading smmap-5.0.0-py3-none-any.whl (24 kB)
Building wheels for collected packages: CppHeaderParser, mulpyplexer, future
Building wheel for CppHeaderParser (setup.py) ... done
Created wheel for CppHeaderParser: filename=CppHeaderParser-2.7.4-py3-none-any.whl size=44979 sha256=20962a961caf0de2c40744ba31b9f86fcf27005fb134442aa7e756cff66c96c2
Stored in directory: /home/ix221/.cache/pip/wheels/7d/f0/ee/af6e3d91d8ef23c0496fb78df6d17e73f037da4fcabf68b273
Building wheel for mulpyplexer (setup.py) ... done
Created wheel for mulpyplexer: filename=mulpyplexer-0.9-py3-none-any.whl size=3777 sha256=925b6640e6acdc7e4a17b5ef05bc1c9561db143bb2c698d7dc75fd2cff327dc8
Stored in directory: /home/ix221/.cache/pip/wheels/bd/60/29/0201c20e9b8d877d9384f64ca2ad9e7436015b8ddcac568085
Building wheel for future (setup.py) ... done
Created wheel for future: filename=future-0.18.3-py3-none-any.whl size=492025 sha256=e0a8a61a4fe0fb57a8d0304312ca8671e6864c5d64ef7d658ab187fca558db56
Stored in directory: /home/ix221/.cache/pip/wheels/a0/0b/ee/e6994fadb42c1354dcccb139b0bf2795271bddfe6253ccdf11
Successfully built CppHeaderParser mulpyplexer future
Installing collected packages: z3-solver, unicorn, sortedcontainers, pysmt, pyelftools, ply, mulpyplexer, mpmath, itanium-demangler, dpkt, sympy, smmap, python-utils, pycparser, psutil, protobuf, plumbum, pefile, networkx, future, decorator, CppHeaderParser, capstone, cachetools, bitstring, archinfo, ailment, rpyc, progressbar2, nampa, gitdb, claripy, cffi, pyvex, GitPython, cle, angr
Successfully installed CppHeaderParser-2.7.4 GitPython-3.1.31 ailment-9.2.39 angr-9.2.39 archinfo-9.2.39 bitstring-4.0.1 cachetools-5.3.0 capstone-4.0.2 cffi-1.15.1 claripy-9.2.39 cle-9.2.39 decorator-5.1.1 dpkt-1.9.8 future-0.18.3 gitdb-4.0.10 itanium-demangler-1.1 mpmath-1.2.1 mulpyplexer-0.9 nampa-0.1.1 networkx-3.0 pefile-2023.2.7 plumbum-1.8.1 ply-3.11 progressbar2-4.2.0 protobuf-4.22.0 psutil-5.9.4 pycparser-2.21 pyelftools-0.29 pysmt-0.9.5 python-utils-3.5.2 pyvex-9.2.39 rpyc-5.3.1 smmap-5.0.0 sortedcontainers-2.4.0 sympy-1.11.1 unicorn-2.0.1.post1 z3-solver-4.10.2.0

[notice] A new release of pip is available: 23.0 -> 23.0.1
[notice] To update, run: pip install --upgrade pip
(angr)

Once you see that, angr is installed.

  5. Test

What a successful install looks like:

[image: importing angr in the Python REPL after a successful install]

Basic usage

Switch into the angr environment: workon angr

Leave the angr environment: deactivate

In a fresh shell, set things up again first (workon will not exist otherwise):

export WORKON_HOME=$HOME/Python-workhome

source /home/ix221/.local/bin/virtualenvwrapper.sh

import angr
p = angr.Project('./r100', auto_load_libs=False)    # load the binary (shared libraries are not loaded; unresolved imports get angr's stubs)
state = p.factory.entry_state()                     # initial state, at the program entry point by default
simgr = p.factory.simgr(state)                      # simulation manager that drives the symbolic execution
res = simgr.explore(find=0x400844, avoid=0x400855)  # 0x400844 is in the block that prints "nice", 0x400855 in the one that prints the error;
                                                    # explore returns the manager itself. If find never hits, compare
                                                    # p.loader.main_object.mapped_base with the image base IDA shows
print(res.found[0].posix.dumps(0))                  # dump stdin of the first state that reached find: that is the password

# Obviously, easy to read.
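A sturdier form of the script above, added here as an example (it is not from the original post; the SUCCESS/FAILURE fragments, STDIN_LEN and the ./r100 path are assumptions to adjust for the binary at hand): it finds and avoids by what the program prints rather than by hard-coded addresses, fixes the stdin length and restricts it to printable bytes so the recovered password is typeable, and reads the answer back with solver.eval instead of posix.dumps(0).

```python
"""Added example: address-free find/avoid and a constrained stdin for angr.
Assumes the target reads its password from stdin and prints one message on
success and another on failure."""
import sys

SUCCESS = b"Nice"        # assumed fragment of the success message
FAILURE = b"Incorrect"   # assumed fragment of the failure message
STDIN_LEN = 12           # assumed upper bound on the password length


def output_contains(needle, fd=1):
    """Build a find/avoid predicate: True once `needle` has appeared in the
    program's output on file descriptor `fd` (1 = stdout) in that state."""
    return lambda state: needle in state.posix.dumps(fd)


def solve(binary, find=SUCCESS, avoid=FAILURE, stdin_len=STDIN_LEN):
    import angr      # imported here so the helper above is usable without angr
    import claripy

    proj = angr.Project(binary, auto_load_libs=False)

    # Symbolic stdin of a known length plus a newline, instead of the default
    # unbounded stream, which is slower to solve and comes back full of junk.
    chars = [claripy.BVS(f"c{i}", 8) for i in range(stdin_len)]
    stdin = claripy.Concat(*chars, claripy.BVV(b"\n"))
    state = proj.factory.entry_state(stdin=stdin)
    for c in chars:                          # keep the answer typeable
        state.solver.add(c >= 0x20, c <= 0x7E)

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=output_contains(find), avoid=output_contains(avoid))
    if not simgr.found:
        return None                          # no path printed the success text
    return simgr.found[0].solver.eval(stdin, cast_to=bytes)


if __name__ == "__main__":
    print(solve(sys.argv[1] if len(sys.argv) > 1 else "./r100"))
```

posix.dumps(0) on the found state works too, but with the default unconstrained stdin it often comes back padded with NUL or other unprintable bytes; fixing the length and the character range avoids that. The callable find/avoid also survives a rebuild of the binary, which address literals do not.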

Examples

Whenever a program has two outputs, one for success and one for failure,

you can just try angr on it.

1. Martricks, Reverse, 2018 WangDing Cup (网鼎杯) online round 2

IDA64 pseudo-C:

[image: IDA pseudocode of the check routine, two screenshots]

Press F5, then Space.

Locate the two strings:

[image: the success and failure strings in IDA]

The exploit script:

import angr
p = angr.Project('./martricks', auto_load_libs=False)  # load the binary
state = p.factory.entry_state()                        # initial state at the program entry point
simgr = p.factory.simgr(state)                         # simulation manager that drives the execution
res = simgr.explore(find=0x400A84, avoid=0x400A90)     # find: the block printing the success string; avoid: the failure block
print(res.found[0].posix.dumps(0))                     # stdin of the first state that reached find

# flag{Everyth1n_th4t_kill5_m3_m4kes_m3_fee1_aliv3}

[image: script output showing the flag]

2. signal, WangDing Cup 2020 Qinglong group ([网鼎杯 2020 青龙组])

This one is a VM reversing challenge, and there are plenty of ways to solve it.

I originally did it by dynamic debugging, working out the concrete algorithm of each case.

It took me a whole day..... (noob here, please carry me)

For the manual approach, Google or Baidu it, Orz.

Orz

So here I'll just record how to solve it with angr.

In fact this challenge is the reason I learned angr at all, hahaha.

import angr
p = angr.Project('signal.exe', auto_load_libs=False)  # a PE this time; CLE loads it the same way as an ELF
state = p.factory.entry_state()                       # initial state at the program entry point
simgr = p.factory.simgr(state)                        # simulation manager that drives the execution
res = simgr.explore(find=0x40175E, avoid=0x4016E6)    # find: the block reached after the VM accepts the input; avoid: the rejection block
print(res.found[0].posix.dumps(0))                    # stdin of the first state that reached find

#flag{757515121f3d478}

Summary

Extremely handy.

good good very good

OK, that's it for this post.

Thanks for reading.

Orz Orz