Angr

Angr 基本介紹

  • angr 來源于CGC項(xiàng)目,最初用于自動攻防锌蓄。
  • 平臺無關(guān)(platform-agnostic)的二進(jìn)制分析框架
  • ( Computer Security Lab ) UCSB稠项,Shellphish

Angr可以干什么涯雅?

  • Disassembly and intermediate-representation lifting
  • Program instrumentation
  • Symbolic execution
  • Control-flow analysis
  • Data-dependency analysis
  • Value-set analysis (VSA)

Angr安裝

# dependency
sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper
# install
# we'd better use it in virtual environment
mkvirtualenv angr && pip install angr
# more see https://docs.angr.io/INSTALL.html

ubuntu 16.04 安裝

virtualenvwrapper是一個Python虛擬環(huán)境,使用虛擬環(huán)境的主要原因是angr會修改libz3和libVEX皿渗,可能會影響其他程序的正常使用斩芭。
新建一個Python虛擬機(jī)環(huán)境:

$ export WORKON_HOME=~/Envs
$ mkdir -p $WORKON_HOME
$ source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
$ mkvirtualenv angr

基本操作

Project

用來加載 binary,是使用 angr 的基礎(chǔ)乐疆。

>>> import angr
>>> proj = angr.Project('/bin/true')

基本屬性

查看對應(yīng)binary的基本屬性

  • arch
  • entry
  • filename, absolute filename of the binary
  • loader划乖,
    • min_addr
    • max_addr
    • main_object,Project 加載的二進(jìn)制文件挤土,即主二進(jìn)制文件琴庵。
      • pic,位置獨(dú)立
      • execstack仰美,棧是否可以執(zhí)行
    • shared_objects迷殿,共享目標(biāo)文件信息,名字以及映射地址
>>> proj.arch
<Arch AMD64 (LE)>
>>> proj.entry
0x401670
>>> proj.filename
'/bin/true'
>>> proj.loader
<Loaded true, maps [0x400000:0x5004000]>

>>> proj.loader.shared_objects # may look a little different for you!
{'ld-linux-x86-64.so.2': <ELF Object ld-2.24.so, maps [0x2000000:0x2227167]>,
 'libc.so.6': <ELF Object libc-2.24.so, maps [0x1000000:0x13c699f]>}

>>> proj.loader.min_addr
0x400000
>>> proj.loader.max_addr
0x5004000

>>> proj.loader.main_object  # we've loaded several binaries into this project. Here's the main one!
<ELF Object true, maps [0x400000:0x60721f]>

>>> proj.loader.main_object.execstack  # sample query: does this binary have an executable stack?
False
>>> proj.loader.main_object.pic  # sample query: is this binary position-independent?
True

加載選項(xiàng)

基本選項(xiàng)

  • auto_load_libs 是否自動加載程序的依賴咖杂。
  • except_missing_libs庆寺,當(dāng)加載一個程序的依賴不成功時,就會產(chǎn)生異常诉字。
  • force_load_libs懦尝,強(qiáng)制加載的庫。
  • skip_libs壤圃,防止加載的庫陵霉。
  • custom_ld_path,優(yōu)先的共享庫的搜尋路徑伍绳。

高級選項(xiàng)

  • main_ops 是選項(xiàng)到選項(xiàng)值的映射踊挠。
  • lib_opts 是庫名到一個字典的映射,這個字典將名字映射到其對應(yīng)的值上冲杀。
angr.Project(main_opts={'backend': 'ida', 'custom_arch': 'i386'}, lib_opts={'libc.so.6': {'backend': 'elf'}})

Loader

loader (CLE Load Everything效床,CLE)用于將一個 binary 加載到對應(yīng)的虛擬地址空間睹酌。每類 binary 都有對應(yīng)的加載器后端 (cle.Backend)。比如 cle.ELF 用來加載ELF文件扁凛。此外忍疾,angr 加載的 binary 都有自己的內(nèi)存空間闯传,但是并不是內(nèi)存空間中每一個對象都會有對應(yīng)的binary谨朝。

主加載對象信息

我們可以得出 loader 加載的主對象的基本信息

# This is the "main" object, the one that you directly specified when loading the project
>>> proj.loader.main_object
<ELF Object true, maps [0x400000:0x60105f]>
>>> obj = proj.loader.main_object

# The entry point of the object
>>> obj.entry
0x400580

>>> obj.min_addr, obj.max_addr
(0x400000, 0x60105f)

# Retrieve this ELF's segments and sections
>>> obj.segments
<Regions: [<ELFSegment offset=0x0, flags=0x5, filesize=0xa74, vaddr=0x400000, memsize=0xa74>,
           <ELFSegment offset=0xe28, flags=0x6, filesize=0x228, vaddr=0x600e28, memsize=0x238>]>
>>> obj.sections
<Regions: [<Unnamed | offset 0x0, vaddr 0x0, size 0x0>,
           <.interp | offset 0x238, vaddr 0x400238, size 0x1c>,
           <.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>,
            ...etc

# You can get an individual segment or section by an address it contains:
>>> obj.find_segment_containing(obj.entry)
<ELFSegment offset=0x0, flags=0x5, filesize=0xa74, vaddr=0x400000, memsize=0xa74>
>>> obj.find_section_containing(obj.entry)
<.text | offset 0x580, vaddr 0x400580, size 0x338>

# Get the address of the PLT stub for a symbol
>>> addr = obj.plt['__libc_start_main']
>>> addr
0x400540
>>> obj.reverse_plt[addr]
'__libc_start_main'

# Show the prelinked base of the object and the location it was actually mapped into memory by CLE
>>> obj.linked_base
0x400000
>>> obj.mapped_base
0x400000

其它加載對象信息

# All loaded objects
>>> proj.loader.all_objects
[<ELF Object fauxware, maps [0x400000:0x60105f]>,
 <ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>,
 <ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>,
 <ELFTLSObject Object cle##tls, maps [0x3000000:0x300d010]>,
 <KernelObject Object cle##kernel, maps [0x4000000:0x4008000]>,
 <ExternObject Object cle##externs, maps [0x5000000:0x5008000]>


# This is a dictionary mapping from shared object name to object
>>> proj.loader.shared_objects
{ 'libc.so.6': <ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>
  'ld-linux-x86-64.so.2': <ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>}

# Here's all the objects that were loaded from ELF files
# If this were a windows program we'd use all_pe_objects!
>>> proj.loader.all_elf_objects
[<ELF Object true, maps [0x400000:0x60105f]>,
 <ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>,
 <ELF Object ld-linux-x86-64.so.2, maps [0x2000000:0x22241c7]>]

# Here's the "externs object", which we use to provide addresses for unresolved imports and angr internals
>>> proj.loader.extern_object
<ExternObject Object cle##externs, maps [0x5000000:0x5008000]>

# This object is used to provide addresses for emulated syscalls
>>> proj.loader.kernel_object
<KernelObject Object cle##kernel, maps [0x4000000:0x4008000]>

# Finally, you can to get a reference to an object given an address in it
>>> proj.loader.find_object_containing(0x400000)
<ELF Object true, maps [0x400000:0x60105f]>

符號以及重定位信息

我們還可以使用 CLE 來操作二進(jìn)制文件中的符號。

  • 查找符號甥绿,傳入符號名或者對應(yīng)的地址字币。
>>> malloc = proj.loader.find_symbol('malloc')
>>> malloc
<Symbol "malloc" in libc.so.6 at 0x1054400>
  • 基本符號信息,符號名共缕,所屬者洗出,它的地址
>>> malloc.name
'malloc'

>>> malloc.owner_obj
<ELF Object libc.so.6, maps [0x1000000:0x13c42bf]>

# .rebased_addr is its address in the global address space. This is what is shown in the print output.
>>> malloc.rebased_addr
0x1054400
# .linked_addr is its address relative to the prelinked base of the binary. This is the address reported in, for example, readelf(1)
>>> malloc.linked_addr
0x54400
# .relative_addr is its address relative to the object base. This is known in the literature (particularly the Windows literature) as an RVA (relative virtual address).
>>> malloc.relative_addr
0x54400
  • 符號的導(dǎo)入導(dǎo)出信息
>>> malloc.is_export
True
>>> malloc.is_import
False

# On Loader, the method is find_symbol because it performs a search operation to find the symbol.
# On an individual object, the method is get_symbol because there can only be one symbol with a given name.
>>> main_malloc = proj.loader.main_object.get_symbol("malloc")
>>> main_malloc
<Symbol "malloc" in true (import)>
>>> main_malloc.is_export
False
>>> main_malloc.is_import
True
>>> main_malloc.resolvedby
<Symbol "malloc" in libc.so.6 at 0x1054400>

后端

backend name description requires custom_arch?
elf Static loader for ELF files based on PyELFTools no
pe Static loader for PE files based on PEFile no
mach-o Static loader for Mach-O files. Does not support dynamic linking or rebasing. no
cgc Static loader for Cyber Grand Challenge binaries no
backedcgc Static loader for CGC binaries that allows specifying memory and register backers no
elfcore Static loader for ELF core dumps no
ida Launches an instance of IDA to parse the file yes
blob Loads the file into memory as a flat image yes

Symbolic Function

默認(rèn)情況下,angr 會嘗試將程序中調(diào)用的庫函數(shù)用自己模擬的函數(shù)來代替图谷,這些函數(shù)一般對應(yīng)的對象為SimProcedures 翩活。我們可以從 angr.SIM_PROCEDURES 中找到所有的函數(shù)。這些函數(shù)的命名規(guī)范為package name(libc, posix, win32, etc...)+function name便贵。

需要注意的是

  • 當(dāng)auto_load_libsTrue 的時候菠镇,真正的庫函數(shù)會被執(zhí)行。
  • 承璃。利耍。。

hook

hook 指定的函數(shù)盔粹,使得angr執(zhí)行自己給定的函數(shù)隘梨。

>>> stub_func = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'] # this is a CLASS
>>> proj.hook(0x10000, stub_func())  # hook with an instance of the class

>>> proj.is_hooked(0x10000)            # these functions should be pretty self-explanitory
True
>>> proj.unhook(0x10000)
>>> proj.hooked_by(0x10000)
<ReturnUnconstrained>

# length keyword argument to make execution jump some number of bytes forward after your hook finishes.
>>> @proj.hook(0x20000, length=5)
... def my_hook(state):
...     state.regs.rax = 1

>>> proj.is_hooked(0x20000)
True

factory

原因

  • 很多 angr 中的類需要使用到 project 才能實(shí)例化,使用 factory可以避免傳遞 project 對象舷嗡。
  • factory 也可以提供一些方便的構(gòu)造器轴猎。

方法

  • block(addr)
    • 提取給定地址的基本塊,返回一個塊對象进萄。
    • 需要注意的是Angr分析程序的單元是基本捻脖。
  • bitvector
    • 寄存器使用位向量來描述

基本塊

屬性

  • instructions
    • 對應(yīng)基本塊的指令的個數(shù)。
  • instructions_addrs
    • 基本塊每個
  • capstone
    • capstone block對象
  • vex
    • ?

方法

  • pp()
    • 漂亮地輸出對象基本塊的匯編代碼垮斯。

state

project 只是給出程序最初鏡像的信息郎仆,state 可以給出模擬程序執(zhí)行到某條指令時的進(jìn)程的具體狀態(tài)。在 angr 中兜蠕,則使用 SimState 來描述扰肌。

  • state 中所有的信息均使用位向量.
  • 可以直接向寄存器和內(nèi)存中存儲整數(shù),angr 會將其轉(zhuǎn)換為位向量熊杨。

預(yù)置執(zhí)行狀態(tài)

我們可以根據(jù) factory 來設(shè)置程序執(zhí)行到指定地址的默認(rèn)狀態(tài)曙旭。

  • .blank_state() constructs a "blank slate" blank state, with most of its data left uninitialized. When accessing uninitialized data, an unconstrained symbolic value will be returned.
  • .entry_state() constructs a state ready to execute at the main binary's entry point.
  • .full_init_state() constructs a state that is ready to execute through any initializers that need to be run before the main binary's entry point, for example, shared library constructors or preinitializers. When it is finished with these it will jump to the entry point.
  • .call_state() constructs a state ready to execute a given function.
    • you should call it with .call_state(addr, arg1, arg2, ...), where addr is the address of the function you want to call and argN is the Nth argument to that function, either as a python integer, string, or array, or a bitvector.

基本狀態(tài)信息

寄存器

  • state.regs.rip

內(nèi)存

模式:state.mem[addr].type.xxx

  • 要訪問的內(nèi)存地址
  • type指定相應(yīng)地址應(yīng)該被解釋成的類型盗舰。
  • xxx
    • 空,可直接存儲數(shù)據(jù)桂躏。
    • 使用.resolved 來把數(shù)據(jù)輸出為位向量钻趋。
    • 使用.concrete 來把數(shù)據(jù)輸出為int值。
>>> import angr
>>> proj = angr.Project('/bin/true')
>>> state = proj.factory.entry_state()

# copy rsp to rbp
>>> state.regs.rbp = state.regs.rsp

# store rdx to memory at 0x1000
>>> state.mem[0x1000].uint64_t = state.regs.rdx

# dereference rbp
>>> state.regs.rbp = state.mem[state.regs.rbp].uint64_t.resolved

# add rax, qword ptr [rsp + 8]
>>> state.regs.rax += state.mem[state.regs.rsp + 8].uint64_t.resolved

文件系統(tǒng)

執(zhí)行

基本執(zhí)行

>>> proj = angr.Project('examples/fauxware/fauxware')
>>> state = proj.factory.entry_state()
>>> while True:
...     succ = state.step()
...     if len(succ.successors) == 2:
...         break
...     state = succ.successors[0]

>>> state1, state2 = succ.successors
>>> state1
<SimState @ 0x400629>
>>> state2
<SimState @ 0x400699>

低層次內(nèi)存訪問

  • 默認(rèn)大端序存儲剂习。
>>> s = proj.factory.blank_state()
>>> s.memory.store(0x4000, s.solver.BVV(0x0123456789abcdef0123456789abcdef, 128))
>>> s.memory.load(0x4004, 6) # load-size is in bytes
<BV48 0x89abcdef0123>
>>> import archinfo
>>> s.memory.load(0x4000, 4, endness=archinfo.Endness.LE)
<BV32 0x67453201>

State Option

# Example: enable lazy solves, an option that causes state satisfiability to be checked as infrequently as possible.
# This change to the settings will be propagated to all successor states created from this state after this line.
>>> s.options.add(angr.options.LAZY_SOLVES)

# Create a new state with lazy solves enabled
>>> s = proj.factory.entry_state(add_options={angr.options.LAZY_SOLVES})

# Create a new state without simplification options enabled
>>> s = proj.factory.entry_state(remove_options=angr.options.simplification)

solver

solver 基本就是一個約束求解引擎蛮位。

操作位向量

位向量與 python 中的整形的轉(zhuǎn)換。

  • 將給定數(shù)值轉(zhuǎn)換為指定位數(shù)的位向量鳞绕。
# 64-bit bitvectors with concrete values 1 and 100
>>> one = state.solver.BVV(1, 64)
>>> one
 <BV64 0x1>
>>> one_hundred = state.solver.BVV(100, 64)
>>> one_hundred
 <BV64 0x64>

# create a 27-bit bitvector with concrete value 9
>>> weird_nine = state.solver.BVV(9, 27)
>>> weird_nine
<BV27 0x9>
  • 位向量運(yùn)算失仁,位向量的位數(shù)必須一樣。
>>> one + one_hundred
<BV64 0x65>

# You can provide normal python integers and they will be coerced to the appropriate type:
>>> one_hundred + 0x100
<BV64 0x164>

# The semantics of normal wrapping arithmetic apply
>>> one_hundred - one*200
<BV64 0xffffffffffffff9c>

# use extend to extent the length of bitvector
# also there is sign_extend
>>> weird_nine.zero_extend(64 - 27)
<BV64 0x9>
>>> one + weird_nine.zero_extend(64 - 27)
<BV64 0xa>
  • 位向量符號
# Create a bitvector symbol named "x" of length 64 bits
>>> x = state.solver.BVS("x", 64)
>>> x
<BV64 x_9_64>
>>> y = state.solver.BVS("y", 64)
>>> y
<BV64 y_10_64>
  • 混合位向量符號的運(yùn)算
>>> x + one
<BV64 x_9_64 + 0x1>

>>> (x + one) / 2
<BV64 (x_9_64 + 0x1) / 0x2>

>>> x - y
<BV64 x_9_64 - y_10_64>

AST 查看

>>> tree = (x + 1) / (y + 2)
>>> tree
<BV64 (x_9_64 + 0x1) / (y_10_64 + 0x2)>
>>> tree.op
'__div__'
>>> tree.args
(<BV64 x_9_64 + 0x1>, <BV64 y_10_64 + 0x2>)
>>> tree.args[0].op
'__add__'
>>> tree.args[0].args
(<BV64 x_9_64>, <BV64 0x1>)
>>> tree.args[0].args[1].op
'BVV'
>>> tree.args[0].args[1].args
(1, 64)

符號約束

  • 比較默認(rèn)情況下按照無符號進(jìn)行比較们何。
>>> x == 1
<Bool x_9_64 == 0x1>
>>> x == one
<Bool x_9_64 == 0x1>
>>> x > 2
<Bool x_9_64 > 0x2>
>>> x + y == one_hundred + 5
<Bool (x_9_64 + y_10_64) == 0x69>
>>> one_hundred > 5
<Bool True>
>>> one_hundred > -5
<Bool False>
  • 如何判斷
>>> yes = one == 1
>>> no = one == 2
>>> maybe = x == y
>>> state.solver.is_true(yes)
True
>>> state.solver.is_false(yes)
False
>>> state.solver.is_true(no)
False
>>> state.solver.is_false(no)
True
>>> state.solver.is_true(maybe)
False
>>> state.solver.is_false(maybe)
False

約束求解

基本步驟

  • 添加約束
  • 求解
>>> state.solver.add(x > y)
>>> state.solver.add(y > 2)
>>> state.solver.add(10 > x)
>>> state.solver.eval(x)
4

# get a fresh state without constraints
>>> state = proj.factory.entry_state()
>>> input = state.solver.BVS('input', 64)
>>> operation = (((input + 4) * 3) >> 1) + input
>>> output = 200
>>> state.solver.add(operation == output)
>>> state.solver.eval(input)
0x3333333333333381
# If we add conflicting or contradictory constraints
>>> state.solver.add(input < 2**32)
>>> state.satisfiable()
False

Simulation Managers

我們用 state 來描述程序執(zhí)行到某個地址時程序的具體狀態(tài)萄焦。同時,我們使用 Simulation Managers 來管理程序如何由一個狀態(tài)到另一個狀態(tài)冤竹。它是 angr 中模擬控制程序的重要接口拂封。

創(chuàng)建模擬管理器

>>> simgr = proj.factory.simgr(state) # TODO: change name before merge
<SimulationManager with 1 active>

查看狀態(tài)信息

對于一個管理器來說,它可以存儲多個狀態(tài)鹦蠕,自然也可以查看每個狀態(tài)的具體信息冒签。其中 active 狀態(tài)由我們默認(rèn)傳入的狀態(tài)初始化得到。

>>> simgr.active
[<SimState @ 0x401670>]
>>> simgr.active[0].regs.rip                 # new and exciting!
<BV64 0x1020300>
>>> state.regs.rip                           # still the same!
<BV64 0x401670>

執(zhí)行

執(zhí)行一個基本塊片部,這并不會修改最初的時候傳入的狀態(tài)镣衡。

>>> simgr.step()

# Step until the first symbolic branch
>>> while len(simgr.active) == 1:
...    simgr.step()

>>> simgr
<SimulationManager with 2 active>
>>> simgr.active
[<SimState @ 0x400692>, <SimState @ 0x400699>]

# Step until everything terminates
>>> simgr.run()
>>> simgr
<SimulationManager with 3 deadended>

Stash Management

  • 轉(zhuǎn)移stash
>>> simgr.move(from_stash='deadended', to_stash='authenticated', filter_func=lambda s: 'Welcome' in s.posix.dumps(1))
>>> simgr
<SimulationManager with 2 authenticated, 1 deadended>
  • 列舉stash
>>> for s in simgr.deadended + simgr.authenticated:
...     print hex(s.addr)
0x1000030
0x1000078
0x1000078
# If you prepend the name of a stash with one_, you will be given the first state in the stash. 
>>> simgr.one_deadended
<SimState @ 0x1000030>
#  If you prepend the name of a stash with mp_, you will be given a mulpyplexed version of the stash.
>>> simgr.mp_authenticated
MP([<SimState @ 0x1000078>, <SimState @ 0x1000078>])
>>> simgr.mp_authenticated.posix.dumps(0)
MP(['\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00',
    '\x00\x00\x00\x00\x00\x00\x00\x00\x00S\x80\x80\x80\x80@\x80@\x00'])

explore!5涤啤@扰浮!

尋找到達(dá)指定地址時程序的狀態(tài)辖所。 一般會有一個find參數(shù)

  • 要停止的指令的地址
  • 一組停止的指令地址
  • 一個檢查某個狀態(tài)是否滿足要求的函數(shù)

對于找到的狀態(tài)會放在 find 對應(yīng)的 store 中惰说。

同時,也可以在explore中添加avoid條件缘回,即避免 angr 探索這些對應(yīng)的地址吆视。

>>> proj = angr.Project('examples/CSCI-4968-MBE/challenges/crackme0x00a/crackme0x00a')
>>> simgr = proj.factory.simgr()
>>> simgr.explore(find=lambda s: "Congrats" in s.posix.dumps(1))
<SimulationManager with 1 active, 1 found>
>>> s = simgr.found[0]
>>> print s.posix.dumps(1)
Enter password: Congrats!

>>> flag = s.posix.dumps(0)
>>> print(flag)
g00dJ0B!

extra

  • stash 類型
Stash Description
active This stash contains the states that will be stepped by default, unless an alternate stash is specified.
deadended A state goes to the deadended stash when it cannot continue the execution for some reason, including no more valid instructions, unsat state of all of its successors, or an invalid instruction pointer.
pruned When using LAZY_SOLVES, states are not checked for satisfiability unless absolutely necessary. When a state is found to be unsat in the presence of LAZY_SOLVES, the state hierarchy is traversed to identify when, in its history, it initially became unsat. All states that are descendants of that point (which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash.( 使用LAZY_SOLVES時,不檢查可滿足性酥宴,當(dāng)一個狀態(tài)在LAZY_SOLVES之前就被拋棄時啦吧,當(dāng)被遍歷去識別這個狀態(tài)的時候,直到找到一個不能被拋棄的節(jié)點(diǎn)拙寡。修剪到這個節(jié)點(diǎn)授滓,并將這個狀態(tài)存起來。)
unconstrained If the save_unconstrained option is provided to the SimulationManager constructor, states that are determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some other source of symbolic data) are placed here.(這個save_unconstrained選項(xiàng)被SMC激活,狀態(tài)不在被約束般堆,指令將會用戶數(shù)據(jù)和一些其它的符號數(shù)據(jù)源控制)
unsat If the save_unsat option is provided to the SimulationManager constructor, states that are determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input having to be both "AAAA" and "BBBB" at the same time) are placed here. (save_unsat表示狀態(tài)的滿足條件)

analysis

給出程序的各種分析信息在孝。

如控制流圖

# Originally, when we loaded this binary it also loaded all its dependencies into the same virtual address  space
# This is undesirable for most analysis.
>>> proj = angr.Project('/bin/true', auto_load_libs=False)
>>> cfg = proj.analyses.CFGFast()
<CFGFast Analysis Result at 0x2d85130>

# cfg.graph is a networkx DiGraph full of CFGNode instances
# You should go look up the networkx APIs to learn how to use this!
>>> cfg.graph
<networkx.classes.digraph.DiGraph at 0x2da43a0>
>>> len(cfg.graph.nodes())
951

# To get the CFGNode for a given address, use cfg.get_any_node
>>> entry_node = cfg.get_any_node(proj.entry)
>>> len(list(cfg.graph.successors(entry_node)))
2

class angr.block.CapstoneBlock(addr, insns, thumb, arch)

Deep copy of the capstone blocks, which have serious issues with having extended lifespans outside of capstone itself
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////


angr-0ctf_momo

1.需要逆向找到約束求解的三個條件

dx, dword ptr [edx*4 + 0x81fe260]
al, byte ptr [0x81fe6e0]
dl, byte ptr [0x81fe6e4]

2.需要掌握“逆向MoVfuscator編譯程序”能力

1.使用qira+ida進(jìn)行人工分析,
2.或使用“movfuscator的反混淆器”
3.使用Makefile+二進(jìn)制插樁
4.angr求解是建立在對程序逆向的理解程度

3.angr約束求解的過程淮摔,有一部分還理解的不是很清楚

參考網(wǎng)站:
1:angr學(xué)習(xí)(四):
http://www.cnblogs.com/fancystar/p/7893248.html
2:Makefile+二進(jìn)制插樁:
https://blog.xy14qg.top/2016/0ctf-2016-writeup/#momo-reverse
3:angr用例解析——0ctf_momo_3:
http://blog.csdn.net/doudoudouzoule/article/details/79537019
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
相關(guān)資料:
在網(wǎng)上發(fā)現(xiàn)一個開源項(xiàng)目私沮,https://github.com/kirschju/demovfuscator 是專門來應(yīng)該movfuscator的反混淆器,果斷安裝
momo使用qira解決movfuscator
http://blog.csdn.net/charlie_heng/article/details/79206863

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
  • 序言:七十年代末和橙,一起剝皮案震驚了整個濱河市仔燕,隨后出現(xiàn)的幾起案子,更是在濱河造成了極大的恐慌胃碾,老刑警劉巖涨享,帶你破解...
    沈念sama閱讀 216,372評論 6 498
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件筋搏,死亡現(xiàn)場離奇詭異仆百,居然都是意外死亡,警方通過查閱死者的電腦和手機(jī)奔脐,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 92,368評論 3 392
  • 文/潘曉璐 我一進(jìn)店門俄周,熙熙樓的掌柜王于貴愁眉苦臉地迎上來,“玉大人髓迎,你說我怎么就攤上這事峦朗。” “怎么了排龄?”我有些...
    開封第一講書人閱讀 162,415評論 0 353
  • 文/不壞的土叔 我叫張陵波势,是天一觀的道長。 經(jīng)常有香客問我橄维,道長尺铣,這世上最難降的妖魔是什么? 我笑而不...
    開封第一講書人閱讀 58,157評論 1 292
  • 正文 為了忘掉前任争舞,我火速辦了婚禮凛忿,結(jié)果婚禮上,老公的妹妹穿的比我還像新娘竞川。我一直安慰自己店溢,他們只是感情好,可當(dāng)我...
    茶點(diǎn)故事閱讀 67,171評論 6 388
  • 文/花漫 我一把揭開白布委乌。 她就那樣靜靜地躺著床牧,像睡著了一般。 火紅的嫁衣襯著肌膚如雪遭贸。 梳的紋絲不亂的頭發(fā)上戈咳,一...
    開封第一講書人閱讀 51,125評論 1 297
  • 那天,我揣著相機(jī)與錄音,去河邊找鬼除秀。 笑死糯累,一個胖子當(dāng)著我的面吹牛,可吹牛的內(nèi)容都是我干的册踩。 我是一名探鬼主播泳姐,決...
    沈念sama閱讀 40,028評論 3 417
  • 文/蒼蘭香墨 我猛地睜開眼,長吁一口氣:“原來是場噩夢啊……” “哼暂吉!你這毒婦竟也來了胖秒?” 一聲冷哼從身側(cè)響起,我...
    開封第一講書人閱讀 38,887評論 0 274
  • 序言:老撾萬榮一對情侶失蹤慕的,失蹤者是張志新(化名)和其女友劉穎阎肝,沒想到半個月后,有當(dāng)?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體肮街,經(jīng)...
    沈念sama閱讀 45,310評論 1 310
  • 正文 獨(dú)居荒郊野嶺守林人離奇死亡风题,尸身上長有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點(diǎn)故事閱讀 37,533評論 2 332
  • 正文 我和宋清朗相戀三年,在試婚紗的時候發(fā)現(xiàn)自己被綠了嫉父。 大學(xué)時的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片沛硅。...
    茶點(diǎn)故事閱讀 39,690評論 1 348
  • 序言:一個原本活蹦亂跳的男人離奇死亡,死狀恐怖绕辖,靈堂內(nèi)的尸體忽然破棺而出摇肌,到底是詐尸還是另有隱情,我是刑警寧澤仪际,帶...
    沈念sama閱讀 35,411評論 5 343
  • 正文 年R本政府宣布围小,位于F島的核電站,受9級特大地震影響树碱,放射性物質(zhì)發(fā)生泄漏肯适。R本人自食惡果不足惜,卻給世界環(huán)境...
    茶點(diǎn)故事閱讀 41,004評論 3 325
  • 文/蒙蒙 一赴恨、第九天 我趴在偏房一處隱蔽的房頂上張望疹娶。 院中可真熱鬧,春花似錦伦连、人聲如沸雨饺。這莊子的主人今日做“春日...
    開封第一講書人閱讀 31,659評論 0 22
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽额港。三九已至,卻和暖如春歧焦,著一層夾襖步出監(jiān)牢的瞬間移斩,已是汗流浹背肚医。 一陣腳步聲響...
    開封第一講書人閱讀 32,812評論 1 268
  • 我被黑心中介騙來泰國打工, 沒想到剛下飛機(jī)就差點(diǎn)兒被人妖公主榨干…… 1. 我叫王不留向瓷,地道東北人肠套。 一個月前我還...
    沈念sama閱讀 47,693評論 2 368
  • 正文 我出身青樓,卻偏偏與公主長得像猖任,于是被迫代替她去往敵國和親你稚。 傳聞我的和親對象是個殘疾皇子,可洞房花燭夜當(dāng)晚...
    茶點(diǎn)故事閱讀 44,577評論 2 353

推薦閱讀更多精彩內(nèi)容