Reprint: Symbolic execution overview
Before learning this framework, you first need to understand symbolic execution.
Symbolic execution runs a program with symbolic values in place of concrete ones, so that the value of each variable becomes an expression over the symbolic input values and constants. The technique was first proposed by King in 1976; after more than thirty years of development it is still widely studied and plays an important role in software testing and program verification. Symbolic execution is an important formal method and static analysis technique, defined in terms of mathematics and logic, so a few basic concepts come first.

A path of a program is a sequence of statements made up of code fragments of the program, where the transition from one fragment to the next is a control transfer caused by a branch statement. A path is feasible if there exists at least one set of values for the program's input variables such that, given those values as input, the program executes along that path; otherwise the path is infeasible. The path condition (pc) of a path is a constraint over the symbolic values of the program's input variables: a set of input values drives the program along the path if and only if it satisfies the path condition of that path. For details see here: link
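The three definitions above (path, path condition, feasibility) are easiest to see on a toy engine. The following is an added example, not code from the original post or from the angr project: it symbolically executes a small constructed program written in a tiny instruction set, forks a state at every branch whose condition is still symbolic, records the path condition of each path, and then decides feasibility. A real engine hands the path condition to an SMT solver (angr uses z3); here a brute-force search over a small integer domain stands in for the solver, which is an assumption made only to keep the example self-contained.

```python
"""Toy symbolic executor illustrating paths, path conditions and feasibility.
Added example; not part of the original post or of angr."""
from itertools import product

# Tiny IR, constructed for this example. Instructions are indexed by position:
#   ('assign', var, expr)                 falls through to the next instruction
#   ('branch', cond, if_true, if_false)   jumps to one of two instruction indices
#   ('ret', label)                        ends the path
# Expressions are ints, variable names (str), ('not', e) or ('op', lhs, rhs).
PROGRAM = [
    ('branch', ('>', 'x', 5), 1, 4),    # 0
    ('branch', ('<', 'x', 3), 2, 3),    # 1
    ('ret', 'dead'),                    # 2  needs x > 5 and x < 3: infeasible
    ('ret', 'big'),                     # 3  x > 5
    ('assign', 'y', ('+', 'x', 'x')),   # 4  y = 2x
    ('branch', ('==', 'y', 6), 6, 7),   # 5
    ('ret', 'found'),                   # 6  x <= 5 and 2x == 6, i.e. x == 3
    ('ret', 'small'),                   # 7  x <= 5 and 2x != 6
]
INPUTS = ['x']   # the symbolic input variables of the program

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b,
       '==': lambda a, b: a == b, '<': lambda a, b: a < b, '>': lambda a, b: a > b}


def evaluate(expr, env):
    """Evaluate expr in env. Names missing from env stay symbolic; an operator
    is applied only when every operand folded to a concrete value, otherwise a
    new symbolic expression tuple is built (this is the symbolic value)."""
    if isinstance(expr, str):
        return env.get(expr, expr)
    if isinstance(expr, (int, bool)):
        return expr
    if expr[0] == 'not':
        v = evaluate(expr[1], env)
        return (not v) if isinstance(v, bool) else ('not', v)
    op, lhs, rhs = expr
    a, b = evaluate(lhs, env), evaluate(rhs, env)
    if isinstance(a, (int, bool)) and isinstance(b, (int, bool)):
        return OPS[op](a, b)
    return (op, a, b)


def is_satisfiable(path_cond, domain=range(-8, 9)):
    """Stand-in for an SMT solver: search a small domain for an assignment to
    the inputs under which every constraint of the path condition holds.
    Returns the first such assignment, or None if the path is infeasible."""
    for values in product(domain, repeat=len(INPUTS)):
        env = dict(zip(INPUTS, values))
        if all(evaluate(c, env) is True for c in path_cond):
            return env
    return None


def explore(program):
    """Symbolically execute every path of program. A state is
    (instruction index, environment, path condition); a branch whose condition
    is still symbolic forks the state, adding cond to one copy and
    ('not', cond) to the other. Returns [(label, path_condition, solution)]."""
    worklist = [(0, {}, [])]
    paths = []
    while worklist:
        ip, env, pcond = worklist.pop()
        instr = program[ip]
        if instr[0] == 'assign':
            env = dict(env)
            env[instr[1]] = evaluate(instr[2], env)
            worklist.append((ip + 1, env, pcond))
        elif instr[0] == 'branch':
            cond = evaluate(instr[1], env)
            if cond is True:
                worklist.append((instr[2], env, pcond))
            elif cond is False:
                worklist.append((instr[3], env, pcond))
            else:
                worklist.append((instr[2], env, pcond + [cond]))
                worklist.append((instr[3], env, pcond + [('not', cond)]))
        else:  # 'ret': the path is complete, decide its feasibility
            paths.append((instr[1], pcond, is_satisfiable(pcond)))
    return paths


def feasible_paths(program=PROGRAM):
    """Map each path label to the input that reaches it (None if infeasible)."""
    return {label: sol for label, _, sol in explore(program)}


if __name__ == '__main__':
    for label, pcond, sol in explore(PROGRAM):
        print(label, 'pc =', pcond, '->', 'infeasible' if sol is None else sol)
```

Running it shows that the path ending in 'dead' carries the contradictory path condition x > 5 and x < 3 and is therefore infeasible, while 'found' is reached only by x = 3. The pattern of stepping states until a branch forks them and asking a solver for a concrete input is exactly what the angr scripts later in the post do on real binaries.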
Introduction to the angr framework
Finding and exploiting vulnerabilities in binary code is very challenging, largely because data structures, control-flow information and the like are hard to see in a binary. angr is a Python-based binary vulnerability analysis framework that integrates a variety of earlier analysis techniques so that security researchers can build on them: it can perform dynamic symbolic execution (in the manner of KLEE and Mayhem) as well as several static analyses.
The tool is also quite popular in CTFs, and it often shows up in international competitions. For the DEF CON CTF Qualifier 2016 baby-re problem discussed below, about 10 minutes of automated analysis were enough to obtain the flag. angr's GitHub address: link
Installing angr
In theory angr supports Linux, Windows and macOS, but Linux is the best-supported platform. Installing on Windows is not recommended, because the dependent libraries are harder to install there.
Next, the installation on Ubuntu.
- Install a standalone Python virtual environment. virtualenvwrapper manages Python virtual environments; the main reason for using one is that angr installs its own modified libz3 and libVEX, and a virtual environment keeps those modified libraries from affecting other programs on the system.
sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper
At this point virtualenvwrapper is ready to use; the common commands are:
- List virtual environments: workon (lsvirtualenv also works)
- Create a virtual environment: mkvirtualenv [virtual environment name]
- Start or switch to a virtual environment: workon [virtual environment name]
- Delete a virtual environment: rmvirtualenv [virtual environment name]
- Leave the virtual environment: deactivate
After installation, activate the virtual environment, start Python inside it and import the angr library.
[email protected]:~/examples/defcon2016quals_baby-re_0$ workon angr
(angr) [email protected]:~/examples/defcon2016quals_baby-re_0$ python
Python 2.7.6 (default, Oct, 20:30:19)
[GCC 4.8.4] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
A simple example of using angr
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>

char *sneaky = "SOSNEAKY";

int authenticate(char *username, char *password)
{
    char stored_pw[9];
    stored_pw[8] = 0;
    int pwfile;

    // evil back d00r: this hard-coded password always succeeds
    if (strcmp(password, sneaky) == 0) return 1;

    // normal path: the username names a file holding the stored password
    pwfile = open(username, O_RDONLY);
    read(pwfile, stored_pw, 8);

    if (strcmp(password, stored_pw) == 0) return 1;
    return 0;
}

int accepted()
{
    printf("Welcome to the admin console, trusted user!\n");
}

int rejected()
{
    printf("Go away!");
    exit(1);
}

int main(int argc, char **argv)
{
    char username[9];
    char password[9];
    int authed;

    username[8] = 0;
    password[8] = 0;

    printf("Username: \n");
    read(0, username, 8);
    read(0, &authed, 1);   // swallow the newline
    printf("Password: \n");
    read(0, password, 8);
    read(0, &authed, 1);

    authed = authenticate(username, password);
    if (authed) accepted();
    else rejected();
}
The logic of this program is simple: it asks for a username and a password, and the authenticate function checks them. On failure it prints "Go away!"; otherwise it reports a successful authentication.
Next we write a script using angr:
#!/usr/bin/env python
# _*_ coding:utf-8 _*_
# Note: this script uses the Path / PathGroup API of the angr release the post
# was written against. In angr 7 and later, Path and path_group were replaced
# by the SimulationManager: p.factory.simulation_manager(state), with
# simgr.active[i].posix.dumps(0) in place of .state.posix.dumps(0).
import angr


def basic_symbolic_execution():
    p = angr.Project('fauxware')  # create an angr project; the argument is the path to the target binary
    state = p.factory.entry_state()  # create a SimState at the program's entry point
    path = p.factory.path(state)  # wrap the entry state in a Path object via the factory.path container
    pathgroup = p.factory.path_group(path)  # build a path group that is stepped starting from that path
    # Step the path group until more than one path is active, i.e. stop at the
    # first point where a branch is generated. In the sample program this is
    # the if (strcmp(password, sneaky) == 0) check inside authenticate().
    pathgroup.step(until=lambda lpg: len(lpg.active) > 1)
    # dump the stdin of every branch and pick the one that is most likely the answer
    input_0 = pathgroup.active[0].state.posix.dumps(0)
    input_1 = pathgroup.active[1].state.posix.dumps(0)
    if 'SOSNEAKY' in input_0:
        return input_0
    else:
        return input_1


def test():
    pass


if __name__ == '__main__':
    print basic_symbolic_execution()
The result is as follows:
(angr) [email protected]:~/examples/fauxware$ python solve.py
SOSNEAKY
(angr) [email protected]:~/examples/fauxware$
A second simple example of using angr (a CTF problem)
The problem is baby-re from the DEF CON CTF Qualifier 2016. After opening the binary, we move down towards the bottom of main and see that at 0x4028e7 there are two very obvious paths: one goes to 0x402941, which prints an error, and the other to 0x4028e9, which prints the flag. In between, the program contains a large number of tedious instructions that are dazzling to read through by hand, so we use angr to solve it.
The script is as follows:
#!/usr/bin/env python2
# _*_ coding:utf-8 _*_
# Uses the path_group API of the angr release of the time; in angr 7 and later
# the equivalent is proj.factory.simulation_manager() and simgr.explore(...),
# with simgr.found[0].posix.dumps(...) instead of .state.posix.dumps(...).
import angr


def main():
    proj = angr.Project('./baby-re', load_options={'auto_load_libs': False})
    path_group = proj.factory.path_group(threads=4)  # use four threads; for this program more makes no difference
    # explore until a path reaches 0x40294b, discarding any path that hits 0x402941 (the error path)
    path_group.explore(find=0x40294b, avoid=0x402941)
    # the flag is printed at 0x40292c
    print path_group.found[0].state.posix.dumps(0)   # the stdin that drives the program to the found state
    return path_group.found[0].state.posix.dumps(1)  # the program's stdout, which contains the flag


if __name__ == '__main__':
    print(repr(main()))
The result is as follows:
(angr) [email protected]:~/examples/defcon2016quals_baby-re_0$ python solve.py
WARNING | 2017-04-09 16:34:11,976 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:34:14,865 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:34:19,274 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:34:26,447 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:34:38,414 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:34:58,141 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:35:24,905 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:36:00,673 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:36:45,998 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:37:48,193 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:39:20,551 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:41:20,080 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
WARNING | 2017-04-09 16:44:18,468 | simuvex.plugins.symbolic_memory | concretizing symbolic length. Much sad; think about implementing.
+000000077+000000097+000000116+000000104+000000032+000000105+000000115+000000032+000000104+000000097+000000114+000000100+000000033
b'var[0]: var[1]: var[2]: var[3]: var[4]: var[5]: var[6]: var[7]: var[8]: var[9]: var[10]: var[11]: var[12]: The flag is:Math is hard!\n'
(angr) [email protected]:~/examples/defcon2016quals_baby-re_0$
After about 10 minutes we get the flag: Math is hard! The first line of output is the concretized stdin (thirteen integers, one per scanf("%d") read, each the ASCII code of one flag character), and the second is the program's stdout for that input.
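The stdin dump above is not very readable on its own, so here is an added example (not part of the original post or of angr) that turns the two dumps into the flag. It assumes what the output shows: each value angr concretized for a scanf("%d") read appears as a sign followed by nine digits, and stdout carries the flag after the text "The flag is:". Both inputs below are constructed from the output shown above.

```python
"""Decode the stdin and stdout dumps that the baby-re script printed.
Added example; not part of the original post or of angr."""
import re

# Constructed from the dump above: thirteen concretized scanf("%d") values.
DUMPED_STDIN = (b"+000000077+000000097+000000116+000000104+000000032+000000105"
                b"+000000115+000000032+000000104+000000097+000000114+000000100"
                b"+000000033")

# Constructed from the stdout dump above: the prompts followed by the flag line.
DUMPED_STDOUT = (b"var[0]: var[1]: var[2]: var[3]: var[4]: var[5]: var[6]: "
                 b"var[7]: var[8]: var[9]: var[10]: var[11]: var[12]: "
                 b"The flag is:Math is hard!\n")

# One scanf("%d") value: an optional sign followed by digits.
INT_TOKEN = re.compile(rb"[+-]?\d+")
FLAG_LINE = re.compile(rb"The flag is:(.*)", re.IGNORECASE)


def decode_scanf_ints(dump):
    """Split the concretized stdin into the integers scanf would have parsed."""
    return [int(tok) for tok in INT_TOKEN.findall(dump)]


def ints_to_flag(values):
    """Interpret each integer as one character of the flag. Values outside
    printable ASCII mean the dump is not what we expected, so refuse them
    rather than emit garbage."""
    chars = []
    for v in values:
        if not 32 <= v <= 126:
            raise ValueError("value %d is not a printable ASCII code" % v)
        chars.append(chr(v))
    return "".join(chars)


def recover_flag(stdin_dump):
    """Flag as reconstructed from the solver-chosen stdin alone."""
    return ints_to_flag(decode_scanf_ints(stdin_dump))


def flag_from_stdout(stdout_dump):
    """Flag as printed by the program itself on the found path, or '' if the
    stdout dump has no flag line."""
    m = FLAG_LINE.search(stdout_dump)
    return m.group(1).strip().decode("ascii") if m else ""


if __name__ == "__main__":
    print("from stdin :", recover_flag(DUMPED_STDIN))
    print("from stdout:", flag_from_stdout(DUMPED_STDOUT))
```

Decoding both dumps and checking that they agree is a cheap sanity check on an angr result: the stdin shows what the solver fed the program, and the stdout shows that the program really printed the flag for that input.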
Symbolic execution: angr, a Python-based binary analysis framework