Angr 基本介紹
- angr 來源于CGC項(xiàng)目,最初用于自動攻防锌蓄。
- 平臺無關(guān)(platform-agnostic)的二進(jìn)制分析框架
- ( Computer Security Lab ) UCSB稠项,Shellphish
Angr可以干什么涯雅?
- Disassembly and intermediate-representation lifting
- Program instrumentation
- Symbolic execution
- Control-flow analysis
- Data-dependency analysis
- Value-set analysis (VSA)
Angr安裝
# dependency
sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper
# install
# we'd better use it in virtual environment
mkvirtualenv angr && pip install angr
# more see https://docs.angr.io/INSTALL.html
ubuntu 16.04 安裝
virtualenvwrapper是一個Python虛擬環(huán)境,使用虛擬環(huán)境的主要原因是angr會修改libz3和libVEX皿渗,可能會影響其他程序的正常使用斩芭。
新建一個Python虛擬機(jī)環(huán)境:
$ export WORKON_HOME=~/Envs
$ mkdir -p $WORKON_HOME
$ source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
$ mkvirtualenv angr
基本操作
Project
用來加載 binary,是使用 angr 的基礎(chǔ)乐疆。
>>> import angr
>>> proj = angr.Project('/bin/true')
基本屬性
查看對應(yīng)binary的基本屬性
- arch
- entry
- filename, absolute filename of the binary
- loader划乖,
- min_addr
- max_addr
- main_object,Project 加載的二進(jìn)制文件挤土,即主二進(jìn)制文件琴庵。
- pic,位置獨(dú)立
- execstack仰美,棧是否可以執(zhí)行
- shared_objects迷殿,共享目標(biāo)文件信息,名字以及映射地址
>>> proj.arch
<Arch AMD64 (LE)>
>>> proj.entry
0x401670
>>> proj.filename
'/bin/true'
>>> proj.loader
<Loaded true, maps [0x400000:0x5004000]>
>>> proj.loader.shared_objects # may look a little different for you!
{'ld-linux-x86-64.so.2': <ELF Object ld-2.24.so, maps [0x2000000:0x2227167]>,
'libc.so.6': <ELF Object libc-2.24.so, maps [0x1000000:0x13c699f]>}
>>> proj.loader.min_addr
0x400000
>>> proj.loader.max_addr
0x5004000
>>> proj.loader.main_object # we've loaded several binaries into this project. Here's the main one!
<ELF Object true, maps [0x400000:0x60721f]>
>>> proj.loader.main_object.execstack # sample query: does this binary have an executable stack?
False
>>> proj.loader.main_object.pic # sample query: is this binary position-independent?
True
加載選項(xiàng)
基本選項(xiàng)
- auto_load_libs 是否自動加載程序的依賴咖杂。
- except_missing_libs庆寺,當(dāng)加載一個程序的依賴不成功時,就會產(chǎn)生異常诉字。
- force_load_libs懦尝,強(qiáng)制加載的庫。
- skip_libs壤圃,防止加載的庫陵霉。
- custom_ld_path,優(yōu)先的共享庫的搜尋路徑伍绳。
高級選項(xiàng)
- main_ops 是選項(xiàng)到選項(xiàng)值的映射踊挠。
- lib_opts 是庫名到一個字典的映射,這個字典將名字映射到其對應(yīng)的值上冲杀。
angr.Project(main_opts={'backend': 'ida', 'custom_arch': 'i386'}, lib_opts={'libc.so.6': {'backend': 'elf'}})
Loader
loader (CLE Load Everything效床,CLE)用于將一個 binary 加載到對應(yīng)的虛擬地址空間睹酌。每類 binary 都有對應(yīng)的加載器后端 (cle.Backend)。比如 cle.ELF 用來加載ELF文件扁凛。此外忍疾,angr 加載的 binary 都有自己的內(nèi)存空間闯传,但是并不是內(nèi)存空間中每一個對象都會有對應(yīng)的binary谨朝。
主加載對象信息
我們可以得出 loader 加載的主對象的基本信息
# This is the "main" object, the one that you directly specified when loading the project
>>> proj.loader.main_object
<ELF Object true, maps [0x400000:0x60105f]>
>>> obj = proj.loader.main_object
# The entry point of the object
>>> obj.entry
0x400580
>>> obj.min_addr, obj.max_addr
(0x400000, 0x60105f)
# Retrieve this ELF's segments and sections
>>> obj.segments
<Regions: [<ELFSegment offset=0x0, flags=0x5, filesize=0xa74, vaddr=0x400000, memsize=0xa74>,
<ELFSegment offset=0xe28, flags=0x6, filesize=0x228, vaddr=0x600e28, memsize=0x238>]>
>>> obj.sections
<Regions: [<Unnamed | offset 0x0, vaddr 0x0, size 0x0>,
<.interp | offset 0x238, vaddr 0x400238, size 0x1c>,
<.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>,
...etc
# You can get an individual segment or section by an address it contains:
>>> obj.find_segment_containing(obj.entry)
<ELFSegment offset=0x0, flags=0x5, filesize=0xa74, vaddr=0x400000, memsize=0xa74>
>>> obj.find_section_containing(obj.entry)
<.text | offset 0x580, vaddr 0x400580, size 0x338>
# Get the address of the PLT stub for a symbol
>>> addr = obj.plt['__libc_start_main']
>>> addr
0x400540
>>> obj.reverse_plt[addr]
'__libc_start_main'
# Show the prelinked base of the object and the location it was actually mapped into memory by CLE
>>> obj.linked_base
0x400000
>>> obj.mapped_base
0x400000
其它加載對象信息
# All loaded objects
>>> proj.loader.all_objects
[<ELF Object fauxware, maps [0x400000:0x60105f]>,
<ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>,
<ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>,
<ELFTLSObject Object cle##tls, maps [0x3000000:0x300d010]>,
<KernelObject Object cle##kernel, maps [0x4000000:0x4008000]>,
<ExternObject Object cle##externs, maps [0x5000000:0x5008000]>
# This is a dictionary mapping from shared object name to object
>>> proj.loader.shared_objects
{ 'libc.so.6': <ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>
'ld-linux-x86-64.so.2': <ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>}
# Here's all the objects that were loaded from ELF files
# If this were a windows program we'd use all_pe_objects!
>>> proj.loader.all_elf_objects
[<ELF Object true, maps [0x400000:0x60105f]>,
<ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>,
<ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>]
# Here's the "externs object", which we use to provide addresses for unresolved imports and angr internals
>>> proj.loader.extern_object
<ExternObject Object cle##externs, maps [0x5000000:0x5008000]>
# This object is used to provide addresses for emulated syscalls
>>> proj.loader.kernel_object
<KernelObject Object cle##kernel, maps [0x4000000:0x4008000]>
# Finally, you can to get a reference to an object given an address in it
>>> proj.loader.find_object_containing(0x400000)
<ELF Object true, maps [0x400000:0x60105f]>
符號以及重定位信息
我們還可以使用 CLE 來操作二進(jìn)制文件中的符號。
- 查找符號甥绿,傳入符號名或者對應(yīng)的地址字币。
>>> malloc = proj.loader.find_symbol('malloc')
>>> malloc
<Symbol "malloc" in libc.so.6 at 0x1054400>
- 基本符號信息,符號名共缕,所屬者洗出,它的地址
>>> malloc.name
'malloc'
>>> malloc.owner_obj
<ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>
# .rebased_addr is its address in the global address space. This is what is shown in the print output.
>>> malloc.rebased_addr
0x1054400
# .linked_addr is its address relative to the prelinked base of the binary. This is the address reported in, for example, readelf(1)
>>> malloc.linked_addr
0x54400
# .relative_addr is its address relative to the object base. This is known in the literature (particularly the Windows literature) as an RVA (relative virtual address).
>>> malloc.relative_addr
0x54400
- 符號的導(dǎo)入導(dǎo)出信息
>>> malloc.is_export
True
>>> malloc.is_import
False
# On Loader, the method is find_symbol because it performs a search operation to find the symbol.
# On an individual object, the method is get_symbol because there can only be one symbol with a given name.
>>> main_malloc = proj.loader.main_object.get_symbol("malloc")
>>> main_malloc
<Symbol "malloc" in true (import)>
>>> main_malloc.is_export
False
>>> main_malloc.is_import
True
>>> main_malloc.resolvedby
<Symbol "malloc" in libc.so.6 at 0x1054400>
后端
backend name | description | requires custom_arch ? |
---|---|---|
elf | Static loader for ELF files based on PyELFTools | no |
pe | Static loader for PE files based on PEFile | no |
mach-o | Static loader for Mach-O files. Does not support dynamic linking or rebasing. | no |
cgc | Static loader for Cyber Grand Challenge binaries | no |
backedcgc | Static loader for CGC binaries that allows specifying memory and register backers | no |
elfcore | Static loader for ELF core dumps | no |
ida | Launches an instance of IDA to parse the file | yes |
blob | Loads the file into memory as a flat image | yes |
Symbolic Function
默認(rèn)情況下,angr 會嘗試將程序中調(diào)用的庫函數(shù)用自己模擬的函數(shù)來代替图谷,這些函數(shù)一般對應(yīng)的對象為SimProcedures 翩活。我們可以從 angr.SIM_PROCEDURES 中找到所有的函數(shù)。這些函數(shù)的命名規(guī)范為package name(libc, posix, win32, etc...)+function name便贵。
需要注意的是
- 當(dāng)
auto_load_libs
是True
的時候菠镇,真正的庫函數(shù)會被執(zhí)行。 - 承璃。利耍。。
hook
hook 指定的函數(shù)盔粹,使得angr執(zhí)行自己給定的函數(shù)隘梨。
>>> stub_func = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'] # this is a CLASS
>>> proj.hook(0x10000, stub_func()) # hook with an instance of the class
>>> proj.is_hooked(0x10000) # these functions should be pretty self-explanitory
True
>>> proj.unhook(0x10000)
>>> proj.hooked_by(0x10000)
<ReturnUnconstrained>
# length keyword argument to make execution jump some number of bytes forward after your hook finishes.
>>> @proj.hook(0x20000, length=5)
... def my_hook(state):
... state.regs.rax = 1
>>> proj.is_hooked(0x20000)
True
factory
原因
- 很多 angr 中的類需要使用到 project 才能實(shí)例化,使用 factory可以避免傳遞 project 對象舷嗡。
- factory 也可以提供一些方便的構(gòu)造器轴猎。
方法
- block(addr)
- 提取給定地址的基本塊,返回一個塊對象进萄。
- 需要注意的是Angr分析程序的單元是基本捻脖。
- bitvector
- 寄存器使用位向量來描述
基本塊
屬性
- instructions
- 對應(yīng)基本塊的指令的個數(shù)。
- instructions_addrs
- 基本塊每個
- capstone
- capstone block對象
- vex
- ?
方法
- pp()
- 漂亮地輸出對象基本塊的匯編代碼垮斯。
state
project 只是給出程序最初鏡像的信息郎仆,state 可以給出模擬程序執(zhí)行到某條指令時的進(jìn)程的具體狀態(tài)。在 angr 中兜蠕,則使用 SimState 來描述扰肌。
- state 中所有的信息均使用位向量.
- 可以直接向寄存器和內(nèi)存中存儲整數(shù),angr 會將其轉(zhuǎn)換為位向量熊杨。
預(yù)置執(zhí)行狀態(tài)
我們可以根據(jù) factory 來設(shè)置程序執(zhí)行到指定地址的默認(rèn)狀態(tài)曙旭。
-
.blank_state()
constructs a "blank slate" blank state, with most of its data left uninitialized. When accessing uninitialized data, an unconstrained symbolic value will be returned. -
.entry_state()
constructs a state ready to execute at the main binary's entry point. -
.full_init_state()
constructs a state that is ready to execute through any initializers that need to be run before the main binary's entry point, for example, shared library constructors or preinitializers. When it is finished with these it will jump to the entry point. -
.call_state()
constructs a state ready to execute a given function.- you should call it with
.call_state(addr, arg1, arg2, ...)
, whereaddr
is the address of the function you want to call andargN
is the Nth argument to that function, either as a python integer, string, or array, or a bitvector.
- you should call it with
基本狀態(tài)信息
寄存器
- state.regs.rip
內(nèi)存
模式:state.mem[addr].type.xxx
- 要訪問的內(nèi)存地址
- type指定相應(yīng)地址應(yīng)該被解釋成的類型盗舰。
- xxx
- 空,可直接存儲數(shù)據(jù)桂躏。
- 使用.resolved 來把數(shù)據(jù)輸出為位向量钻趋。
- 使用.concrete 來把數(shù)據(jù)輸出為int值。
>>> import angr
>>> proj = angr.Project('/bin/true')
>>> state = proj.factory.entry_state()
# copy rsp to rbp
>>> state.regs.rbp = state.regs.rsp
# store rdx to memory at 0x1000
>>> state.mem[0x1000].uint64_t = state.regs.rdx
# dereference rbp
>>> state.regs.rbp = state.mem[state.regs.rbp].uint64_t.resolved
# add rax, qword ptr [rsp + 8]
>>> state.regs.rax += state.mem[state.regs.rsp + 8].uint64_t.resolved
文件系統(tǒng)
執(zhí)行
基本執(zhí)行
>>> proj = angr.Project('examples/fauxware/fauxware')
>>> state = proj.factory.entry_state()
>>> while True:
... succ = state.step()
... if len(succ.successors) == 2:
... break
... state = succ.successors[0]
>>> state1, state2 = succ.successors
>>> state1
<SimState @ 0x400629>
>>> state2
<SimState @ 0x400699>
低層次內(nèi)存訪問
- 默認(rèn)大端序存儲剂习。
>>> s = proj.factory.blank_state()
>>> s.memory.store(0x4000, s.solver.BVV(0x0123456789abcdef0123456789abcdef, 128))
>>> s.memory.load(0x4004, 6) # load-size is in bytes
<BV48 0x89abcdef0123>
>>> import archinfo
>>> s.memory.load(0x4000, 4, endness=archinfo.Endness.LE)
<BV32 0x67453201>
State Option
# Example: enable lazy solves, an option that causes state satisfiability to be checked as infrequently as possible.
# This change to the settings will be propagated to all successor states created from this state after this line.
>>> s.options.add(angr.options.LAZY_SOLVES)
# Create a new state with lazy solves enabled
>>> s = proj.factory.entry_state(add_options={angr.options.LAZY_SOLVES})
# Create a new state without simplification options enabled
>>> s = proj.factory.entry_state(remove_options=angr.options.simplification)
solver
solver 基本就是一個約束求解引擎蛮位。
操作位向量
位向量與 python 中的整形的轉(zhuǎn)換。
- 將給定數(shù)值轉(zhuǎn)換為指定位數(shù)的位向量鳞绕。
# 64-bit bitvectors with concrete values 1 and 100
>>> one = state.solver.BVV(1, 64)
>>> one
<BV64 0x1>
>>> one_hundred = state.solver.BVV(100, 64)
>>> one_hundred
<BV64 0x64>
# create a 27-bit bitvector with concrete value 9
>>> weird_nine = state.solver.BVV(9, 27)
>>> weird_nine
<BV27 0x9>
- 位向量運(yùn)算失仁,位向量的位數(shù)必須一樣。
>>> one + one_hundred
<BV64 0x65>
# You can provide normal python integers and they will be coerced to the appropriate type:
>>> one_hundred + 0x100
<BV64 0x164>
# The semantics of normal wrapping arithmetic apply
>>> one_hundred - one*200
<BV64 0xffffffffffffff9c>
# use extend to extent the length of bitvector
# also there is sign_extend
>>> weird_nine.zero_extend(64 - 27)
<BV64 0x9>
>>> one + weird_nine.zero_extend(64 - 27)
<BV64 0xa>
- 位向量符號
# Create a bitvector symbol named "x" of length 64 bits
>>> x = state.solver.BVS("x", 64)
>>> x
<BV64 x_9_64>
>>> y = state.solver.BVS("y", 64)
>>> y
<BV64 y_10_64>
- 混合位向量符號的運(yùn)算
>>> x + one
<BV64 x_9_64 + 0x1>
>>> (x + one) / 2
<BV64 (x_9_64 + 0x1) / 0x2>
>>> x - y
<BV64 x_9_64 - y_10_64>
AST 查看
>>> tree = (x + 1) / (y + 2)
>>> tree
<BV64 (x_9_64 + 0x1) / (y_10_64 + 0x2)>
>>> tree.op
'__div__'
>>> tree.args
(<BV64 x_9_64 + 0x1>, <BV64 y_10_64 + 0x2>)
>>> tree.args[0].op
'__add__'
>>> tree.args[0].args
(<BV64 x_9_64>, <BV64 0x1>)
>>> tree.args[0].args[1].op
'BVV'
>>> tree.args[0].args[1].args
(1, 64)
符號約束
- 比較默認(rèn)情況下按照無符號進(jìn)行比較们何。
>>> x == 1
<Bool x_9_64 == 0x1>
>>> x == one
<Bool x_9_64 == 0x1>
>>> x > 2
<Bool x_9_64 > 0x2>
>>> x + y == one_hundred + 5
<Bool (x_9_64 + y_10_64) == 0x69>
>>> one_hundred > 5
<Bool True>
>>> one_hundred > -5
<Bool False>
- 如何判斷
>>> yes = one == 1
>>> no = one == 2
>>> maybe = x == y
>>> state.solver.is_true(yes)
True
>>> state.solver.is_false(yes)
False
>>> state.solver.is_true(no)
False
>>> state.solver.is_false(no)
True
>>> state.solver.is_true(maybe)
False
>>> state.solver.is_false(maybe)
False
約束求解
基本步驟
- 添加約束
- 求解
>>> state.solver.add(x > y)
>>> state.solver.add(y > 2)
>>> state.solver.add(10 > x)
>>> state.solver.eval(x)
4
# get a fresh state without constraints
>>> state = proj.factory.entry_state()
>>> input = state.solver.BVS('input', 64)
>>> operation = (((input + 4) * 3) >> 1) + input
>>> output = 200
>>> state.solver.add(operation == output)
>>> state.solver.eval(input)
0x3333333333333381
# If we add conflicting or contradictory constraints
>>> state.solver.add(input < 2**32)
>>> state.satisfiable()
False
Simulation Managers
我們用 state 來描述程序執(zhí)行到某個地址時程序的具體狀態(tài)萄焦。同時,我們使用 Simulation Managers 來管理程序如何由一個狀態(tài)到另一個狀態(tài)冤竹。它是 angr 中模擬控制程序的重要接口拂封。
創(chuàng)建模擬管理器
>>> simgr = proj.factory.simgr(state) # TODO: change name before merge
<SimulationManager with 1 active>
查看狀態(tài)信息
對于一個管理器來說,它可以存儲多個狀態(tài)鹦蠕,自然也可以查看每個狀態(tài)的具體信息冒签。其中 active 狀態(tài)由我們默認(rèn)傳入的狀態(tài)初始化得到。
>>> simgr.active
[<SimState @ 0x401670>]
>>> simgr.active[0].regs.rip # new and exciting!
<BV64 0x1020300>
>>> state.regs.rip # still the same!
<BV64 0x401670>
執(zhí)行
執(zhí)行一個基本塊片部,這并不會修改最初的時候傳入的狀態(tài)镣衡。
>>> simgr.step()
# Step until the first symbolic branch
>>> while len(simgr.active) == 1:
... simgr.step()
>>> simgr
<SimulationManager with 2 active>
>>> simgr.active
[<SimState @ 0x400692>, <SimState @ 0x400699>]
# Step until everything terminates
>>> simgr.run()
>>> simgr
<SimulationManager with 3 deadended>
Stash Management
- 轉(zhuǎn)移stash
>>> simgr.move(from_stash='deadended', to_stash='authenticated', filter_func=lambda s: 'Welcome' in s.posix.dumps(1))
>>> simgr
<SimulationManager with 2 authenticated, 1 deadended>
- 列舉stash
>>> for s in simgr.deadended + simgr.authenticated:
... print hex(s.addr)
0x1000030
0x1000078
0x1000078
# If you prepend the name of a stash with one_, you will be given the first state in the stash.
>>> simgr.one_deadended
<SimState @ 0x1000030>
# If you prepend the name of a stash with mp_, you will be given a mulpyplexed version of the stash.
>>> simgr.mp_authenticated
MP([<SimState @ 0x1000078>, <SimState @ 0x1000078>])
>>> simgr.mp_authenticated.posix.dumps(0)
MP(['\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00',
'\x00\x00\x00\x00\x00\x00\x00\x00\x00S\x80\x80\x80\x80@\x80@\x00'])
explore!5涤啤@扰浮!
尋找到達(dá)指定地址時程序的狀態(tài)辖所。 一般會有一個find參數(shù)
- 要停止的指令的地址
- 一組停止的指令地址
- 一個檢查某個狀態(tài)是否滿足要求的函數(shù)
對于找到的狀態(tài)會放在 find 對應(yīng)的 store 中惰说。
同時,也可以在explore中添加avoid條件缘回,即避免 angr 探索這些對應(yīng)的地址吆视。
>>> proj = angr.Project('examples/CSCI-4968-MBE/challenges/crackme0x00a/crackme0x00a')
>>> simgr = proj.factory.simgr()
>>> simgr.explore(find=lambda s: "Congrats" in s.posix.dumps(1))
<SimulationManager with 1 active, 1 found>
>>> s = simgr.found[0]
>>> print s.posix.dumps(1)
Enter password: Congrats!
>>> flag = s.posix.dumps(0)
>>> print(flag)
g00dJ0B!
extra
- stash 類型
Stash | Description |
---|---|
active | This stash contains the states that will be stepped by default, unless an alternate stash is specified. |
deadended | A state goes to the deadended stash when it cannot continue the execution for some reason, including no more valid instructions, unsat state of all of its successors, or an invalid instruction pointer. |
pruned | When using LAZY_SOLVES , states are not checked for satisfiability unless absolutely necessary. When a state is found to be unsat in the presence of LAZY_SOLVES , the state hierarchy is traversed to identify when, in its history, it initially became unsat. All states that are descendants of that point (which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash.( 使用LAZY_SOLVES時,不檢查可滿足性酥宴,當(dāng)一個狀態(tài)在LAZY_SOLVES之前就被拋棄時啦吧,當(dāng)被遍歷去識別這個狀態(tài)的時候,直到找到一個不能被拋棄的節(jié)點(diǎn)拙寡。修剪到這個節(jié)點(diǎn)授滓,并將這個狀態(tài)存起來。) |
unconstrained | If the save_unconstrained option is provided to the SimulationManager constructor, states that are determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some other source of symbolic data) are placed here.(這個save_unconstrained選項(xiàng)被SMC激活,狀態(tài)不在被約束般堆,指令將會用戶數(shù)據(jù)和一些其它的符號數(shù)據(jù)源控制) |
unsat | If the save_unsat option is provided to the SimulationManager constructor, states that are determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input having to be both "AAAA" and "BBBB" at the same time) are placed here. (save_unsat表示狀態(tài)的滿足條件) |
analysis
給出程序的各種分析信息在孝。
如控制流圖
# Originally, when we loaded this binary it also loaded all its dependencies into the same virtual address space
# This is undesirable for most analysis.
>>> proj = angr.Project('/bin/true', auto_load_libs=False)
>>> cfg = proj.analyses.CFGFast()
<CFGFast Analysis Result at 0x2d85130>
# cfg.graph is a networkx DiGraph full of CFGNode instances
# You should go look up the networkx APIs to learn how to use this!
>>> cfg.graph
<networkx.classes.digraph.DiGraph at 0x2da43a0>
>>> len(cfg.graph.nodes())
951
# To get the CFGNode for a given address, use cfg.get_any_node
>>> entry_node = cfg.get_any_node(proj.entry)
>>> len(list(cfg.graph.successors(entry_node)))
2
class angr.block.CapstoneBlock(addr, insns, thumb, arch)
Deep copy of the capstone blocks, which have serious issues with having extended lifespans outside of capstone itself
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
angr-0ctf_momo
1.需要逆向找到約束求解的三個條件
dx, dword ptr [edx*4 + 0x81fe260]
al, byte ptr [0x81fe6e0]
dl, byte ptr [0x81fe6e4]
2.需要掌握“逆向MoVfuscator編譯程序”能力
1.使用qira+ida進(jìn)行人工分析,
2.或使用“movfuscator的反混淆器”
3.使用Makefile+二進(jìn)制插樁
4.angr求解是建立在對程序逆向的理解程度
3.angr約束求解的過程淮摔,有一部分還理解的不是很清楚
參考網(wǎng)站:
1:angr學(xué)習(xí)(四):
http://www.cnblogs.com/fancystar/p/7893248.html
2:Makefile+二進(jìn)制插樁:
https://blog.xy14qg.top/2016/0ctf-2016-writeup/#momo-reverse
3:angr用例解析——0ctf_momo_3:
http://blog.csdn.net/doudoudouzoule/article/details/79537019
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
相關(guān)資料:
在網(wǎng)上發(fā)現(xiàn)一個開源項(xiàng)目私沮,https://github.com/kirschju/demovfuscator 是專門來應(yīng)該movfuscator的反混淆器,果斷安裝
momo使用qira解決movfuscator
http://blog.csdn.net/charlie_heng/article/details/79206863