Intro to Binary Analysis with Z3 and Angr

#### Sam Brown

hack.lu 2018







#### ++ whoami

- + Sam Brown @\_samdb\_
- + Consultant, Research team @ MWR (now F-Secure)
- Worky worky Secure Dev, Code Review, Product Teardowns
- + Research/home time poking at Windows internals, browser security, playing with Angr and Z3





#### ++ Code

- + Code and setup instructions at: <a href="https://github.com/mwrlabs/z3\_and\_angr\_binary\_analysis\_workshop">https://github.com/mwrlabs/z3\_and\_angr\_binary\_analysis\_workshop</a>
- + All paths in the slides are relative from the repo base



#### ++

## Schedule

13:30 - 15:15 Background & Z3

15:15 - 15:30 Break/Extra exercise time

15:30 - End Angr



# Outline

- 1. What the Hell is Z3?
- 2. Z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up



#### ++ What the Hell is Z3?

- + Z3 is an SMT solver
- + what





# What the Hell is a SMT Solver?

- + Satisfiability Modulo Theories (SMT) solvers
- + what





## What the Hell is a SMT Solver?

- + Built on top of SAT solvers..
- + 'satisfiability'
- + Boolean formula in => Can it be satisfied?
- + If so give me example values

# H MWR Labs





# What the Hell is a SAT Solver?



?

# Input: $(a \land b) \lor (a \land \neg b)$ $(a \land AND b) \land OR (a \land AND (Not b))$





# CNF?

- + Conjunctive Normal Form
- + an AND of ORs
- + AND, OR, NOT only
- + Used because any propositional logic can be converted to CNF in linear time









# What the Hell is a SAT Solver?

| Tri | Truth table: |   |                                       |  |
|-----|--------------|---|---------------------------------------|--|
|     | а            | b | $(a \wedge b) \vee (a \wedge \neg b)$ |  |
|     | Т            | Τ | T                                     |  |
|     | Т            | F | T                                     |  |
|     | F            | Τ | F                                     |  |
|     | F            | F | F                                     |  |
|     |              |   |                                       |  |







## What the Hell is a SMT Solver?

- + SMT builds on this
- + Converts constraints on integers, vectors, strings etc into forms SAT solvers can work with
- + Referred to as 'theories'







# What the Hell is a SMT Solver?





# More

A Peek Inside SAT Solvers – Jon Smock

https://www.youtube.com/watch?v=d76e4hV1iJY



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up



# 

- + Theorem prover from Microsoft Research
- + High performance
- + Well engineered
- + Open source: <a href="https://github.com/Z3Prover/z3">https://github.com/Z3Prover/z3</a>

```
MWR Labs
```



```
Z3
```

```
1 (declare-const a Int)
2 (declare-fun f (Int Bool) Int)
3 (assert (> a 10))
4 (assert (< (f a true) 100)) 4
5 (check-sat)</pre>
```

Declare an integer constant 'a'

Declare a function 'f' 'int f(int, bool);'

Is this possible?

```
MWR Labs
```



```
++
Z3
```

```
1 (declare-const a Int)
2 (declare-fun f (Int Bool) Int)
3 (assert (> a 10))
4 (assert (< (f a true) 100))
5 (check-sat)
6 (get-model) ←</pre>
```

If so, what might everything look like?

```
MWR Labs
```



```
TT Z3
```

$$A = 11$$

Function Definition

Ite = if then else

else

If arg1 == 11 and arg2 == true



# TT Z3

#### Theories:

- + Functions
- + Arithmetic
- + Bit-Vectors
- + Algebraic Data Types <
- + Arrays
- + Polynomial Arithmetic

Lists, trees, enums, etc

Exponentials, sine, cosine, etc

# H MWR Labs



++ Z3

In browser tutorial: <a href="https://rise4fun.com/z3/tutorial">https://rise4fun.com/z3/tutorial</a>



#### ++ Z3-python

- + https://github.com/Z3Prover/z3/tree/master/src/a pi/python
- + pip install z3
- + Secretly a DSL
- Z3\_var\_one and Z3\_var\_two != And(Z3\_var\_one, Z3\_var\_two)



## Z3-python

```
I lite changed, iz insertions(+), iz detetions(+)
(angr) user@workshop:~/smt-workshop$ python
Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from z3 import *
>>> a = Int('x')
>>> b = Int('y')
>>> s = Solver()
>>> s.add(a * 15 == b)
>>> s.check()
sat
>>> s.model()
[x = 0, y = 0]
>>> s.add(a != 0)
>>> s.check()
sat
>>> s.model()
[y = 15, x = 1]
>>>
```



# TTZ3-python

- + And (condition\_one, condition\_two)
- + Or (condition\_one, condition\_two)
- + Not (boolean expression)



# Z3-python

- + Distinct(\$list) set constraint all items in list must be unique
- + BitVec('name', size) create a bit vector of size bits
- + Bool('name'), Real('name') Boolean and real
  symbolic variables
- + If(condition, true\_result, false\_result) decision logic in Z3!

```
MWR Labs
```



```
Z3-python
```

```
Color = Datatype('Color')
Color.declare('red')
Color.declare('green')
Color.declare('blue')
Color = Color.create()
```

```
Color, (red, green, blue) = EnumSort('Color', ('red', 'green', 'blue'))
```





#### ++ Z3-python

#### Good tutorials:

- + http://ericpony.github.io/z3py-tutorial/guideexamples.htm
- + <a href="http://ericpony.github.io/z3py-tutorial/advanced-examples.htm">http://ericpony.github.io/z3py-tutorial/advanced-examples.htm</a>



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up







# Cheating at Logic Challenges - N-Queens





# Cheating at Logic Challenges - N-Queens

```
columns = [Int('col_%d' % i) for i in range(n)]
rows = [Int('row_%d' % i) for i in range(n)]
s = Solver()
```



# Cheating at Logic Challenges - N-Queens



# Cheating at Logic Challenges - N-Queens

```
if s.check() == sat:
    m = s.model()
```







# Cheating at Logic Challenges - N-Queens





# Cheating at Logic Challenges - Hackvent 15

```
We've captured a strange message. It looks like it is encrypted somehow ...
iw, hu, fv, lu, dv, cy, og, lc, gy, fq, od, lo, fq, is, ig, gu, hs, hi, ds, cy, oo, os,
iu, fs, gu, lh, dq, lv, gu, iw, hv, gu, di, hs, cy, oc, iw, gc
We've also intercepted what seems to be a hint to the key:
bytwycju + yzvyjjdy ^ vugljtyn + ugdztnwv | xbfziozy = bzuwtwol
wwnnngbw - uclfgydu & oncycbxh | ogcnwbsd ^ cgyoyfjg = vyhyjivb
yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxdd
yjjowdqh & niiqztgs + ctvtwysu & diffhlnl - thhwohwn = xsvuojtx
nttuhlnq ^ oqbctlzh - nshtztns ^ htwizvwi + udluvhcz = syhjizjq
           zoljwdfl
fjivucti
                                            jqxizzxq
                      sugvqgww
                                 uxztiywn
```





# Cheating at Logic Challenges - Hackvent 15

See <u>z3/hackvent\_15/README.md</u> for details



#### ++

# Cheating at Logic Challenges - DIY Sudoku

```
z3/suduko
```

- \$ workon angr
- \$ python skeleton.py tests.txt

#### Files:

- + skeleton.py => Your solution
- + solution.py => My solution
- + tests.txt => Random puzzles from <a href="http://magictour.free.fr/top100">http://magictour.free.fr/top100</a>





## Cheating at Logic Challenges - DIY Sudoku

#### Steps:

- 1. puzzle is a string with 81 chars, . for unknowns, ints for known values
- 2. Create a 9\*9 grid of symbolic variables
- 3. Add baseline value constraints on every square
- 4. Add constraints for known int values to hold
- 5. Add unique constraints on rows/columns/squares







## Cheating at Logic Challenges

DIY (If time) Java RNG seed recovery

z3/rng

Recover the seed from Java's default insecure Random Number Generator!

See: README.md



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up







## Encoding CPU Instructions

- + Automatically analyse assembly
- + Transform instructions into constraints on registers, flags
- + Answer Q's about sequences of instructions

z3/x86



#### ++

# Encoding CPU Instructions

- + Use a simplified example
- + No stack, memory, function support





## Encoding CPU Instructions

#### registers.py

```
from [3 import *

class Registers:

def __init__(self):
    self.eax = BitVec('eax', 32)
    self.ebx = BitVec('ebx', 32)
    self.ecx = BitVec('ecx', 32)
    self.edx = BitVec('edx', 32)
    self.edi = BitVec('edi', 32)
    self.esi = BitVec('esi', 32)
    self.esp = BitVec('esp', 32)
    self.esp = BitVec('esp', 32)
    self.eip = BitVec('eip', 32)
```



## Encoding CPU Instructions

```
from [3 import *
class Registers:
    def __init__(self):
        self.eax = BitVec('eax', 32)
        self.ebx = BitVec('ebx', 32)
        self.ecx = BitVec('ecx', 32)
        self.edx = BitVec('edx', 32)
        self.edi = BitVec('edi', 32)
        self.esi = BitVec('esi', 32)
        self.ebp = BitVec('ebp', 32)
                                                  Carry
        self.esp = BitVec('esp', 32)
        self.eip = BitVec('eip', 32)
                                                 Zero
        self.cf = Bool('cf')
        self.zf = Bool('zf')
                                                Sign
        self.sf = Bool('sf')←
        self.of = Bool('of')
                                                 Overflow
```







## Encoding CPU Instructions

Xor: example – xor.py

Performs a bitwise exclusive OR (XOR) operation on the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same.

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined.

https://c9x.me/x86/html/file\_module\_x86\_id\_330.html







## Encoding CPU Instructions

#### Add: example - add.py

Adds the first operand (destination operand) and the second operand (source operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

The ADD instruction performs integer addition. It evaluates the result for both signed and unsigned integer operands and sets the OF and CF flags to indicate a carry (overflow) in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result.

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

https://c9x.me/x86/html/file\_module\_x86\_id\_5.html





## Encoding CPU Instructions

Or - DIY / Skeleton: or.py My solution: or\_solution.py

Performs a bitwise inclusive OR operation between the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result of the OR instruction is set to 0 if both corresponding bits of the first and second operands are 0; otherwise, each bit is set to 1.

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined.

https://c9x.me/x86/html/file\_module\_x86\_id\_219.html





## Encoding CPU Instructions

sub - DIY / Skeleton: sub.py, My solution: sub\_solution.py

Subtracts the second operand (source operand) from the first operand (destination operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, register, or memory location.

(However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

The SUB instruction performs integer subtraction. It evaluates the result for both signed and unsigned integer operands and sets the OF and CF flags to indicate an overflow in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result.

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.





## Encoding CPU Instructions

Jmp: example – jmp.py

Fake this - just goes directly to operand address







# Encoding CPU Instructions

Jnz: example – jnz.py

| Instruction | Description                           | signed-ness | Flags  | short<br>jump<br>opcodes | near<br>jump<br>opcodes |
|-------------|---------------------------------------|-------------|--------|--------------------------|-------------------------|
| JNE<br>JNZ  | Jump if not equal<br>Jump if not zero |             | ZF = 0 | 75                       | 0F 85                   |







## Encoding CPU Instructions

jg - DIY, Skeleton: jg.py, My solution: jg\_solution.py

| Instruction | Description                                  | signed-ness | Flags              | short<br>jump<br>opcodes | near<br>jump<br>opcodes |
|-------------|----------------------------------------------|-------------|--------------------|--------------------------|-------------------------|
| JG<br>JNLE  | Jump if greater<br>Jump if not less or equal | signed      | ZF = 0 and SF = OF | 7 <b>F</b>               | 0F 8F                   |







## Encoding CPU Instructions – Equivalents

Given two sequences of assembly instructions – do they have the exact same effect?

z3/equivalence\_checking

http://zubcic.re/blog/experimenting-with-z3-dead-code-elimination







## Encoding CPU Instructions - Opaque Predicates

- + Opaque Predicate: A conditional jump which is always taken or not taken
- + Code Obfuscation
- + Can we auto detect them to remove them?

z3/opaque predicates

http://zubcic.re/blog/experimenting-with-z3proving-opaque-predicates







#### Real World

- + Memory, stack, full flags, oddities make this harder
- + 'Lift' instructions to a simpler (to a program!) representation
- + Write constraints for the 'simpler' representation



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up





#### Z3 in the Real World

**Bond Allocations** 

Microsoft Sage/Microsoft Security Risk Detection

Angr

MSR's Project Everest

**Goal**: verified HTTPS replacement

CLOUDY, WITH A CHANCE OF EXPLOITS -

# Microsoft launches "fuzzing-as-aservice" to help developers find security bugs

Project Springfield, Microsoft's "million-dollar bug detector" now available in cloud.





#### Z3 in the Real World

- + HACL\* in Mozilla Firefox https://www.youtube.com/watch?v=xrZTVRICpSs
- + AWS Security
  <a href="https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/">https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/</a>



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up



# Angr!





#### ++

# Angr!

http://angr.horse

https://github.com/angr/angr-doc/blob/master/docs/examples.md







Angr!

Components



#### Shoulders of Giants...



VEX



Unicorn Engine



Capstone Engine



H MWR Labs



++ Angr!



http://angr.io/blog/throwing\_a\_tantrum\_part\_1/



# Angr!

#### Features:

- + Binary Loading
- + Static Analysis
- + Symbolic Execution







# OS Knowledge

| advapi32        | Add prototypes and MS 64-bit CC (#925)                                | 6 months ago  |
|-----------------|-----------------------------------------------------------------------|---------------|
| cgc cgc         | Remove IS_SYSCALL and set is_syscall when it actually matters         | 13 days ago   |
| definitions     | Add stub for sigaction                                                | 13 days ago   |
| <b>glibc</b>    | Remove deprecated names, including .se, god rest their soul           | a month ago   |
| libc            | Implement syslog simprocedure                                         | 13 days ago   |
| linux_kernel    | Remove IS_SYSCALL and set is_syscall when it actually matters         | 13 days ago   |
| linux_loader    | Remove deprecated names, including .se, god rest their soul           | a month ago   |
| msvcr           | Remove deprecated names, including .se, god rest their soul           | a month ago   |
| ntdll           | Add inhibit_autoret to simprocedures, set it whenever the user perfor | 11 months ago |
| posix           | Clean up after myself, like an adult, I guess                         | 13 days ago   |
| stubs           | Remove IS_SYSCALL and set is_syscall when it actually matters         | 13 days ago   |
| testing testing | A little better. things import, but SimLibraries aren't hooked up and | a year ago    |
| tracer          | Remove IS_SYSCALL and set is_syscall when it actually matters         | 13 days ago   |
| uclibc uclibc   | A little better. things import, but SimLibraries aren't hooked up and | a year ago    |
| mwin32          | Remove deprecated names, including .se, god rest their soul           | a month ago   |
|                 |                                                                       |               |

https://github.com/angr/angr/tree/master/angr/procedures





## OS Knowledge

```
import angr
     from angr.sim_type import SimTypeString
     class strdup(angr.SimProcedure):
         #pylint:disable=arguments-differ
         def run(self, s):
             self.argument_types = {0: self.ty_ptr(SimTypeString())}
             self.return_type = self.ty_ptr(SimTypeString())
10
             strlen = angr.SIM_PROCEDURES['libc']['strlen']
             strncpy = angr.SIM_PROCEDURES['libc']['strncpy']
             malloc = angr.SIM_PROCEDURES['libc']['malloc']
             src_len = self.inline_call(strlen, s).ret_expr
             new_s = self.inline_call(malloc, src_len+1).ret_expr
             self.inline_call(strncpy, new_s, s, src_len+1, src_len=src_len)
             return new_s
```



#### ++

## Angr 8!

New features:

- + All Python 3
- Byte strings everywhere
- + Simuvex fully integrated/deprecated
- + Big speed ups in CFG recovery

http://angr.io/blog/moving\_to\_angr\_8/



#### ++

## Binary Loading

- + CLE (CLE Loads Everything)
  <a href="https://github.com/angr/cle">https://github.com/angr/cle</a> (ELF, IdaBIn, PE, Mach-O, Blob)
- + Capstone/VEX x86, mips, arm, ppc
- + Archinfo <a href="https://github.com/angr/archinfo">https://github.com/angr/archinfo</a>





#### + IR from Valgrind

The following ARM instruction:

```
subs R2, R2, #8
```

Becomes this VEX IR:

```
1 t0 = GET:I32(16)
2 t1 = 0x8:I32
3 t3 = Sub32(t0,t1)
4 PUT(16) = t3
5 PUT(68) = 0x59FC8:I32
```

https://docs.angr.io/advanced-topics/ir







## Static Analysis

- + Control Flow Graphs
- Data Flow Graphs
- Value Set Analysis

'VSA is a combined numeric-analysis and pointer analysis algorithm that determines a safe approximation of the set of numeric values or addresses that each register and aloc holds at each program point'

<a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.">http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.</a>

1.76.637&rep=rep1&type=pdf





# Symbolic Execution

- + Execute binary using 'symbolic values'
- + Pass constraints for each path to a constraint solver to get inputs that will reach 'x' point

```
MWR Labs
```



# Symbolic Execution

```
unsigned int a = read_int();
unsigned int b = read int(); <
if(a > 1){
    if(b < 20) {
        if(a * b > 30){
            func one();
        } else {
            func two();
      else {
        func_three();
} else {
    func_four();
```

```
a = X
b = Y
```



# Symbolic Execution

```
unsigned int a = read int();
unsigned int b = read int();
if(a > 1){
    if(b < 20) {
        if(a * b > 30){
            func_one();
        } else {
            func_two();
      else {
        func_three();
} else {
    func_four();
```

```
X > 1 \text{ and } Y < 20
X > 1 \text{ and } Y < 20
         and
    X \times Y > 30
 X > 1 \text{ and } Y < 20
          and
     X * Y < 30
```





#### More!

(State of) The Art of War: Offensive Techniques in Binary Analysis <a href="https://www.cs.ucsb.edu/~vigna/publications/2016\_SP\_angrSoK.pdf">https://www.cs.ucsb.edu/~vigna/publications/2016\_SP\_angrSoK.pdf</a>



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up



#### ++

### Using Angr in Anger

Lots of crackme/CTF examples:

https://github.com/angr/angr-doc/tree/master/examples







### Using Angr in Anger

#### Opaque predicates, easy mode

A nice work on malware deobfuscation, in which Capstone disassembler + Z3 are used to remove opaque predicates: zubcic.re/blog/experimen ... 6:45 AM - 19 Aug 2016 31 Retweets 44 Likes 💮 🚳 🚳 🚳 🍪 🦸 💿 €7 31 Triton DBA framework @qb\_triton · 20 Aug 2016 Replying to @capstone\_engine fun blog post. Here our solution in Python (using Capstone + Z3) of his examples Triton is a Dynamic Binary Analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, AST represen... github.com

https://twitter.com/capstone\_engine/status/766632168260972547





# Opaque Predicates

angr/opaque\_predicates

Step through example code







## Dumping IOCTL Codes

'I/O control codes (IOCTLs) are used for communication between user-mode applications and drivers, or for communication internally among drivers in a stack.'

https://docs.microsoft.com/en-us/windowshardware/drivers/kernel/defining-i-o-control-codes

| C o m Device Type O n | 31          | 30 29 | 28 27 | 26 25 | 24 2 | 23 22 | 21 2 | 0 19 | 18 17 | 16 | 15 | 14 | 13               | 12 | 11 | 10 9 | 98  | 7 6 | 5 4 | 3 2 | 2 1 | 0 |  |
|-----------------------|-------------|-------|-------|-------|------|-------|------|------|-------|----|----|----|------------------|----|----|------|-----|-----|-----|-----|-----|---|--|
|                       | o<br>m<br>m |       |       | D     | evic | е Тур | рe   |      |       |    | -  |    | u<br>s<br>t<br>o |    | F  | ınc  | tio | n C | ode |     |     |   |  |





# Dumping IOCTL Codes

- + Consist structure and values
- + Complex dispatch functions



https://github.com/hacksysteam/HackSysExtremeVulnerableDriver







## Dumping IOCTL Codes

- + Step through instruction by instruction
- + Save all evaluable register values
- + Process them to find potential IOCTL codes
- + Device code must match
- + Function codes should be in a set range





# Dumping IOCTL Codes

angr/ioctls



++

## Using Angr in Anger

Used in

https://github.com/mwrlabs/win\_driver\_plugin



#### ++

### Hello World!

```
workon angr
angr/hello_world
objdump -d serial.o > disas.txt
```

```
generate_serial_skeleton.py Makefile serial.c serial.o
generate_serial_solution.py README.md serial.h
```





#### Hello World!

- + Library validates serial codes
- + Several routines with harsher constraints
- + Let's walk through the examples!

Note: Step through generate\_serial\_skeleton.py and try to fill the second function, then step through the full solutions.



### Calling Conventions – AMD64

- + Arguments are passed in Right-to-Left
- + Return values are returned in rax
- + First six arguments passed in registers: rdi, rsi, rdx, rcx, r8, r9
- + Any other arguments passed on the stack



### Passing arguments

```
arg = state.solver.BVS('serial', 8 * 128)
# Place the symbolic variable at a specific address
rand_addr = 0x00000000041414141
state.memory.store(rand_addr, arg)
# And then make rdi hold a pointer to it as the first argument
state.add_constraints(state.regs.rdi == rand_addr)
```





# Evaluating symbolic variables

```
sm = p.factory.simulation_manager(state)
sm.explore(find=base + 0x870, avoid=base + 0xaf5)
found = sm.found[0]
answer = found.solver.eval(arg, cast_to=str)
```





### Bomb lab! DIY!

```
workon angr
angr/bomb lab
```

bomb bomb.c bomb.h Makefile README.md skeleton.py solution.py

```
MWR Labs
```



# Bomb Lab

- + objdump -d bomb > disas.txt
- + Note: kaboom and phase defused

```
#pragma once
void phase_defused(void);
void kaboom(void);
void phase_one(char *);
void phase_two(char *, char *, char *);
void phase_three(int, int, int, int);
void phase_four(unsigned int *);
void phase_five(unsigned int *);
void phase_six(char *);
```



#### ++

## Cool Angr Projects

- + CGC entry: <a href="https://github.com/mechaphish">https://github.com/mechaphish</a>
- + AFL + Angr for fuzzing: https://github.com/shellphish/driller
- + Heap analysis: https://github.com/angr/heaphopper



# Outline

- 1. What the Hell is a SMT Solver?
- 2. z3-python
- 3. Lab Cheating at Logic Challenges
- 4. Lab Encoding CPU Instructions
- 5. Z3 in the Real World
- 6. Angr!
- 7. Lab Using Angr in Anger
- 8. Wrap-up





## Wrap-up

Credits, people that did the hard work:

- + Dennis Yurichev
- + The angr team
- + Tomislav Zubcic
- + Sean Heelan





# Further Reading

Great resource:

https://yurichev.com/writings/SAT\_SMT\_draft-EN.pdf

Great paper:

http://openwall.info/wiki/\_media/people/jvanegue/files/woot12.pdf