Target program analysis
The program reads a password, passes it through a function called complex_function(), and compares the returned string with "ILIUFVJF". If they match it prints "Good Job". The goal is therefore to find the input that makes the program print "Good Job".
Solution
import angr
import sys


def main(argv):
    # Create an Angr project.
    # If you want to be able to point to the binary from the command line, you can
    # use argv[1] as the parameter. Then, you can run the script from the command
    # line as follows:
    # python ./scaffold00.py [binary]
    # (!)
    path_to_binary = argv[1]  # :string
    project = angr.Project(path_to_binary)

    # Tell Angr where to start executing. entry_state() starts at the binary's
    # entry point (_start, which then calls main()); other constructors such as
    # blank_state() let you start somewhere else.
    initial_state = project.factory.entry_state(
        add_options={angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
                     angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS}
    )

    # Create a simulation manager initialized with the starting state. It provides
    # a number of useful tools to search and execute the binary.
    simulation = project.factory.simgr(initial_state)

    # Explore the binary to attempt to find the address that prints "Good Job."
    # You will have to find the address you want to find and insert it here.
    # This function will keep executing until it either finds a solution or it
    # has explored every possible path through the executable.
    # (!)
    print_good_address = 0x804868C  # :integer (probably in hexadecimal)
    simulation.explore(find=print_good_address)

    # Check that we have found a solution. The simulation.explore() method will
    # set simulation.found to a list of the states that it could find that reach
    # the instruction we asked it to search for. Remember, in Python, if a list
    # is empty, it will be evaluated as false, otherwise true.
    if simulation.found:
        # The explore method stops after it finds a single state that arrives at the
        # target address.
        solution_state = simulation.found[0]

        # Print the string that Angr wrote to stdin to follow solution_state. This
        # is our solution.
        print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
    else:
        # If Angr could not find a path that reaches print_good_address, throw an
        # error. Perhaps you mistyped the print_good_address?
        raise Exception('Could not find the solution')


if __name__ == '__main__':
    main(sys.argv)
In short: create an angr project, create an entry state (execution begins at the binary's entry point, which then calls main()), create a simulation manager, and explore until a state reaches the target address. The concrete stdin that angr solved for along that path is the password.
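The scaffold hard-codes the address of the "Good Job" block, which changes whenever the binary is rebuilt. The following added example (my own code, not the post's or angr_ctf's) shows the more robust variant a practitioner usually ends up with: explore() is given callables that inspect what each state has written to stdout, so the success path is found by its output and states that already printed the failure message are pruned with avoid. The success string "Good Job" is from the write-up; the failure string "Try again" is an assumption and should be replaced with whatever the target actually prints. FakeState is constructed scaffolding so the predicates can be exercised without a binary.

```python
import sys

# Simulated file descriptors used by angr's POSIX model (the fd numbers inside
# the emulated program, not the host's).
STDIN_FD = 0
STDOUT_FD = 1

# Success marker taken from the write-up. The failure marker is an assumption:
# replace it with whatever the target prints on the wrong-password path.
SUCCESS_MARKER = b"Good Job"
FAILURE_MARKER = b"Try again"


def is_successful(state):
    """find predicate: the state has already written the success message to stdout."""
    return SUCCESS_MARKER in state.posix.dumps(STDOUT_FD)


def should_abort(state):
    """avoid predicate: the state printed the failure message, so stop stepping it."""
    return FAILURE_MARKER in state.posix.dumps(STDOUT_FD)


def solve(path_to_binary):
    """Symbolically execute the binary from its entry point and return the concrete
    stdin bytes that lead to the success message, or None if no path reaches it."""
    import angr  # local import keeps the predicates importable without angr installed

    project = angr.Project(path_to_binary, auto_load_libs=False)
    initial_state = project.factory.entry_state(
        add_options={
            angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
            angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
        }
    )
    simulation = project.factory.simgr(initial_state)
    # find/avoid accept addresses (as in the scaffold) or callables; a callable is
    # evaluated against every active state after each step.
    simulation.explore(find=is_successful, avoid=should_abort)
    if not simulation.found:
        return None
    return simulation.found[0].posix.dumps(STDIN_FD)


class FakeState:
    """Constructed stand-in for an angr SimState exposing only the posix.dumps()
    interface the predicates above use, so they can be tested without a binary."""

    class _Posix:
        def __init__(self, stdout_bytes):
            self._stdout = stdout_bytes

        def dumps(self, fd):
            return self._stdout if fd == STDOUT_FD else b""

    def __init__(self, stdout_bytes):
        self.posix = self._Posix(stdout_bytes)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python solve_by_output.py <binary>")
    solution = solve(sys.argv[1])
    if solution is None:
        sys.exit("no path reaches the success message")
    # Unconstrained trailing bytes may follow the password, so print the raw bytes.
    print(solution)
```

Pruning with avoid matters more as the levels grow: without it, every wrong-password state keeps being stepped until the program exits, and the active stash balloons. Checking stdout rather than an address also means the same script works on any rebuild of the level as long as the messages are unchanged.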
References
https://docs.angr.io/en/latest/index.html
https://github.com/jakespringer/angr_ctf