Merge pull request #193 from Kyle-Kyle/example

update examples
angr · Jun 5, 2018 · ca30ac0 · ca30ac0
2 parents ac6b74b + 75caeaf
commit ca30ac0
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 81 deletions.
diff --git a/examples/asisctffinals2015_fake/solve.py b/examples/asisctffinals2015_fake/solve.py
@@ -1,59 +1,43 @@
 import angr
 
-unconstrained_number = None
-
-def strtol(state):
-    # We return an unconstrained number here
-    global unconstrained_number
-    unconstrained_number = state.solver.BVS('strtol', 64)
-    # Store it to rax
-    state.regs.rax = unconstrained_number
-
 def main():
-    p = angr.Project("fake", load_options={'auto_load_libs': False})
-    p.hook(0x4004a7, strtol, length=5)
+    p = angr.Project("fake", auto_load_libs=False)
+
+    state = p.factory.blank_state(addr=0x4004AC)
+    inp = state.solver.BVS('inp', 8*8)
+    state.regs.rax = inp
 
-    state = p.factory.entry_state(
-        args=['fake', '123'], # Specify an arbitrary number so that we can bypass 
-                              # the check of argc in program
-        env={"HOME": "/home/angr"}
-    )
-    ex = p.surveyors.Explorer(find=(0x400450, ),
-                              start=state
-                              )
-    ex.run()
+    simgr= p.factory.simulation_manager(state)
+    simgr.explore(find=0x400684)
+    found = simgr.found[0]
 
-    found = ex.found[0]
     # We know the flag starts with "ASIS{"
-    flag_addr = found.regs.rsp + 0x8 + 0x38 - 0x38
+    flag_addr = found.regs.rdi
     found.add_constraints(found.memory.load(flag_addr, 5) == int("ASIS{".encode("hex"), 16))
 
     # More constraints: the whole flag should be printable
-    for i in xrange(0, 32):
-        cond_0 = found.memory.load(flag_addr + 5 + i, 1) >= ord('0')
-        cond_1 = found.memory.load(flag_addr + 5 + i, 1) <= ord('9')
-        cond_2 = found.memory.load(flag_addr + 5 + i, 1) >= ord('a')
-        cond_3 = found.memory.load(flag_addr + 5 + i, 1) <= ord('f')
-        found.add_constraints(
-            found.solver.Or(
-                found.solver.And(cond_0, cond_1),
-                found.solver.And(cond_2, cond_3)
-            )
-        )
+    flag = found.memory.load(flag_addr, 40)
+    for i in xrange(5, 5+32):
+        cond_0 = flag.get_byte(i) >= ord('0')
+        cond_1 = flag.get_byte(i) <= ord('9')
+        cond_2 = flag.get_byte(i) >= ord('a')
+        cond_3 = flag.get_byte(i) <= ord('f')
+        cond_4 = found.solver.And(cond_0, cond_1)
+        cond_5 = found.solver.And(cond_2, cond_3)
+        found.add_constraints(found.solver.Or(cond_4, cond_5))
 
     # And it ends with a '}'
-    found.add_constraints(found.memory.load(flag_addr + 5 + 32, 1) ==
-                                ord('}'))
+    found.add_constraints(flag.get_byte(32+5) == ord('}'))
 
     # In fact, putting less constraints (for example, only constraining the first 
     # several characters) is enough to get the final flag, and Z3 runs much faster 
     # if there are less constraints. I added all constraints just to stay on the 
     # safe side.
 
-    flag = found.solver.eval(found.memory.load(flag_addr, 8 * 5))
-    return hex(flag)[2:-1].decode("hex").strip('\0')
+    flag_str = found.solver.eval(flag, cast_to=str)
+    return flag_str.rstrip('\0')
 
-    #print "The number to input: ", found.solver.eval(unconstrained_number)
+    #print "The number to input: ", found.solver.eval(inp)
     #print "Flag:", flag
 
     # The number to input:  25313971399
@@ -64,4 +48,6 @@ def test():
     assert a == 'ASIS{f5f7af556bd6973bd6f2687280a243d9}'
 
 if __name__ == '__main__':
+    import logging
+    logging.getLogger('angr.sim_manager').setLevel(logging.DEBUG)
     print main()
diff --git a/examples/asisctffinals2015_license/solve.py b/examples/asisctffinals2015_license/solve.py
@@ -30,16 +30,16 @@ def main():
     license_file = angr.storage.file.SimFile(license_name, bytestring)
     state.fs.insert(license_name, license_file)
 
-    ex = p.surveyors.Explorer(
-                            start=state,
-                            find=(0x400e93, ),
-                            avoid=(0x400bb1, 0x400b8f, 0x400b6d, 0x400a85,
-                                   0x400ebf, 0x400a59)
-                            )
-    ex.run()
+    simgr = p.factory.simulation_manager(state)
+
+    simgr.explore(
+                find=(0x400e93, ),
+                avoid=(0x400bb1, 0x400b8f, 0x400b6d, 0x400a85,
+                       0x400ebf, 0x400a59)
+            )
 
     # One path will be found
-    found = ex.found[0]
+    found = simgr.found[0]
     rsp = found.regs.rsp
     flag_addr = rsp + 0x278 - 0xd8 # Ripped from IDA
     # Perform an inline call to strlen() in order to determine the length of the 

diff --git a/examples/csgames2018/solve.py b/examples/csgames2018/solve.py
@@ -38,7 +38,7 @@ def wrong(state):
 
 	state = project.factory.entry_state(args=["./KeygenMe", input_key], add_options=angr.options.unicorn) # Unicorn Engine is not needed, but will speed up the process
 
-	simulation_manager = project.factory.simgr(state)
+	simulation_manager = project.factory.simulation_manager(state)
 
 	# (•_•) ( •_•)>⌐■-■ (⌐■_■)
 	simulation_manager.explore(find=correct, avoid=wrong) # We could alternatively use addresses here, like find=0x400000 + 0x8f3.

diff --git a/examples/hackcon2016_angry-reverser/solve.py b/examples/hackcon2016_angry-reverser/solve.py
@@ -1,48 +1,47 @@
 import angr
-import sys
-import logging
+import claripy
 
 # HackCon 2016 - angry-reverser
-# @author: P1kachu
-# @contact: p1kachu@lse.epita.fr
-# Execution time: ~31 minutes - Intel Core i7-3770 CPU @ 3.40GHz (8 CPUs)
-
+# @author: P1kachu, Kyle ZENG
+# @contact: p1kachu@lse.epita.fr, jkjh1jkjh1@gmail.com
+# Execution time: ~1 minute
 
 def main():
-    p = angr.Project('yolomolo')
-
-    main        = 0x405a6f # Fail message to be printed
-    find        = 0x405aee # Win message printed
-    avoid       = (0x405af0, 0x405ab4) # First two ways to fail from main
-    crazy       = 0x400646 # Entry point of Crazy function
+    flag    = claripy.BVS('flag', 20*8, explicit_name=True)# symbolized flag, we know the length by looking at the assembly code
+    buf     = 0x606000# buffer to store flag
+    crazy   = 0x400646# entry point of crazy function
+    find    = 0x405a6e# end of crazy function
 
-    # Offset (from IDA) of 'FAIL' blocks in Crazy
-    fails = [0x2619, 0x288C, 0x2AF9, 0x2D68, 0x2FD5, 0x3245, 0x34B2,
-             0x3724, 0x3996, 0x3C04, 0x3E73, 0x40E7, 0x4355, 0x45C9,
-             0x4836, 0x4AA4, 0x4D15, 0x4F86, 0x51D1, 0x5408]
+    # Offset of 'FAIL' blocks in Crazy(from pwntools--e.search(asm('mov ecx, 0')))
+    avoids = [0x402c3c, 0x402eaf, 0x40311c, 0x40338b, 0x4035f8, 0x403868,
+              0x403ad5, 0x403d47, 0x403fb9, 0x404227, 0x404496, 0x40470a,
+              0x404978, 0x404bec, 0x404e59, 0x4050c7, 0x405338, 0x4055a9,
+              0x4057f4, 0x405a2b]
 
-    # Create blank state with $pc at &main
-    init = p.factory.blank_state(addr=main, add_options={angr.options.LAZY_SOLVES})
 
-    # Avoid blocks
-    avoid = list(avoid)
-    avoid += [(crazy + offst) for offst in fails] # Let's save RAM
+    proj = angr.Project('./yolomolo')
+    # Create blank state starting from crazy function
+    # LAZY_SOLVES is very important here because we are actually collecting constraints for an equation Ax=b, where A is 20 by 20, x and b are 20 by 1
+    state = proj.factory.blank_state(addr=crazy, add_options={angr.options.LAZY_SOLVES})
+    # insert flag into memory by hand
+    state.memory.store(buf, flag, endness='Iend_BE')
+    state.regs.rdi = buf
 
-    print("Launching exploration")
-    sm = p.factory.simulation_manager(init)
-    angr.manager.l.setLevel(logging.DEBUG)
-    ex = sm.explore(find=find, avoid=avoid)
+    # each character of flag should be between 0x30 and 0x7f
+    for i in range(19):
+        state.solver.add(flag.get_byte(i) >= 0x30)
+        state.solver.add(flag.get_byte(i) <= 0x7f)
 
-    # Get stdout
-    final = ex.found[0]
-    flag = final.posix.dumps(1)
-    print("Flag: {0}".format(final.posix.dumps(1)))
+    simgr = proj.factory.simgr(state)
 
-    return flag[7:27]
+    simgr.explore(find=find, avoid=avoids)
+    found = simgr.found[0]
+    return found.solver.eval(flag, cast_to=str)
 
 def test():
-    flag = main()
-    assert flag == "HACKCON{VVhYS04ngrY}"
+    assert main() == "HACKCON{VVhYS04ngrY}"
 
 if __name__ in '__main__':
+    import logging
+    logging.getLogger('angr.sim_manager').setLevel(logging.DEBUG)
     print main()
diff --git a/tests/test_examples.py b/tests/test_examples.py
@@ -75,8 +75,7 @@ def test_csci_5(): exampletest_single('CSCI-4968-MBE/challenges/crackme0x05')
 def test_insomnihack_aeg(): exampletest_single('insomnihack_aeg')
 def test_android_license(): exampletest_single('android_arm_license_validation')
 def test_sym_write(): exampletest_single('sym-write')
-@attr(speed='slow')
-def test_angry_reverser(): exampletest_single('hackcon2016_angry-reverser') # 10m
+def test_angry_reverser(): exampletest_single('hackcon2016_angry-reverser')
 def test_sharif7(): exampletest_single('sharif7_rev50')
 def test_angrybird(): exampletest_single('codegate_2017-angrybird')
 @attr(speed='slow')