In [1]:
import angr
import claripy
from angr.sim_type import SimTypePointer, SimTypeFunction, SimTypeChar, SimTypeInt, parse_defns
from angr.errors import AngrCallableMultistateError

In [2]:
#angr logging is way too verbose
import logging
log_things = ["angr", "pyvex", "claripy", "cle"]
for log in log_things:
    logger = logging.getLogger(log)
    logger.disabled = True
    logger.propagate = False

In [3]:
charstar = SimTypePointer(SimTypeChar())
prototype = SimTypeFunction((charstar, charstar), SimTypeInt(False))

In [4]:
def loadproj(p, addr, find_addr, password):
    state = p.factory.call_state(addr, "userargs", password, prototype=prototype)
    simgr = p.factory.simgr(state)
    simgr.explore(find=(find_addr,), avoid=())
    return simgr

In [5]:
def getconcrete(p, addr, password):
    state = p.factory.call_state(addr, "userargs", password, prototype=prototype)
    simgr = p.factory.simgr(state)
    simgr.run()
    return simgr.deadended[0].regs.eax._model_concrete.value

In [6]:
#fauxware analysis

In [7]:
password_orig = claripy.BVS('pass_arg', 8*9)
pass_arg_orig = angr.PointerWrapper(password_orig, buffer=True)
p = angr.Project('fauxware', auto_load_libs=False)
simgr = loadproj(p, 0x401209, 0x40124a, pass_arg_orig)
p_state = simgr.found[0]

The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.


In [8]:
#fauxware break1 is a function with two accepting condiitons "SOSNEAKY" and "RNRMD@JX"

In [9]:
password_break1 = claripy.BVS('pass_arg', 8*9)
pass_arg_break1 = angr.PointerWrapper(password_break1, buffer=True)
p_break1 = angr.Project('fauxware-break1', auto_load_libs=False)
simgr_break1 = loadproj(p_break1, 0x401209, 0x4012c0, pass_arg_break1)
p_break1_state = simgr_break1.found[0]

The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.


In [10]:
#fauxware break2 is functionally the same break1 but condition order is different

In [11]:
password_break2 = claripy.BVS('pass_arg', 8*9)
pass_arg_break2 = angr.PointerWrapper(password_break2, buffer=True)
p_break2 = angr.Project('fauxware-break2', auto_load_libs=False)
simgr_break2 = loadproj(p_break2, 0x401209, 0x4012c0, pass_arg_break2)
p_break2_state = simgr_break2.found[0]

The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.


In [12]:
#Analysis of equivalence of original and break1

In [13]:
sol_orig_break1 = claripy.Solver()
for i in p_state.solver.constraints:
    sol_orig_break1.add(i)
for i in p_break1_state.solver.constraints:
    sol_orig_break1.add(i)
if sol_orig_break1.satisfiable(extra_constraints=(password_orig == password_break1,)):
    print("Satisfiable when orig == break1")
if sol_orig_break1.satisfiable(extra_constraints=(password_orig != password_break1,)):
    print("Satisfiable when orig != break1")

Satisfiable when orig == break1


In [14]:
#Analysis of equivalence of original and break2

In [15]:
sol_orig_break2 = claripy.Solver()
for i in p_state.solver.constraints:
    sol_orig_break2.add(i)
for i in p_break2_state.solver.constraints:
    sol_orig_break2.add(i)
if sol_orig_break2.satisfiable(extra_constraints=(password_orig == password_break2,)):
    print("Satisfiable when orig == break2")
if sol_orig_break2.satisfiable(extra_constraints=(password_orig != password_break2,)):
    print("Satisfiable when orig != break2")

Satisfiable when orig != break1


In [16]:
#Analysis between break1 and break2

In [17]:
sol_break1_break2 = claripy.Solver()
for i in p_break1_state.solver.constraints:
    sol_break1_break2.add(i)
for i in p_break2_state.solver.constraints:
    sol_break1_break2.add(i)
if sol_break1_break2.satisfiable(extra_constraints=(password_break1 == password_break2,)):
    print("Satisfiable when break1 == break2")
if sol_break1_break2.satisfiable(extra_constraints=(password_break1 != password_break2,)):
    print("Satisfiable when break1 != break2")

Satisfiable when break1 != break2


In [18]:
# in principle break1 and break2 should be the same however the order of the exploration matters