Last active
January 10, 2019 18:54
-
-
Save ChrisTheCoolHut/a460d90dc7d080bc62b0d1e5c96d0e87 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import angr | |
import claripy | |
import argparse | |
#angr logging is way too verbose | |
import logging | |
log_things = ["angr", "pyvex", "claripy", "cle"] | |
for log in log_things: | |
logger = logging.getLogger(log) | |
logger.disabled = True | |
logger.propagate = False | |
def main(): | |
#file_name = "/home/chris/----/binaries/crackme/crackme0x04" | |
#Download crackme file from https://github.com/angr/angr-doc/raw/master/examples/CSCI-4968-MBE/challenges/crackme0x04/crackme0x04 | |
parser = argparse.ArgumentParser() | |
parser.add_argument("File") | |
args = parser.parse_args() | |
file_name = args.File | |
crack_me_good_addr = 0x80484dc | |
function_name = "check" | |
p = angr.Project(file_name) | |
#Populates project knowledge base... | |
#CFG no longer needed | |
CFG = p.analyses.CFGEmulated() | |
#Look at all my functions! | |
find_func = None | |
for func in p.kb.functions.values(): | |
#print(func.name) | |
if function_name in func.name: | |
find_func = func | |
print("[+] Function {}, found at {}".format(find_func.name, hex(find_func.addr))) | |
#Build function prototype | |
charstar = angr.sim_type.SimTypePointer(angr.sim_type.SimTypeChar()) | |
prototype = angr.sim_type.SimTypeFunction((charstar,), angr.sim_type.SimTypeInt(False)) | |
#Calling convention | |
cc = p.factory.cc(func_ty=prototype) | |
check_func = p.factory.callable(find_func.addr, concrete_only=False, cc=cc) | |
my_sym_arg = claripy.BVS('my_arg', 10*8) #10 byte long str | |
my_args = ["abcd", "96", "87", "55", "qqqq"] | |
print("[+] Running angr callable with concrete arguments") | |
#Solution is "96"... or "87" | |
for arg in my_args: | |
ret_val = check_func(arg) | |
stdout = check_func.result_state.posix.dumps(1) | |
print("Input : {}".format(arg)) | |
print("Stdout : {}".format(stdout)) | |
#The callable waits till ALL paths finish... | |
#The below code will take FOREVER, since it keeps | |
#Forking off new paths | |
''' | |
ret_val = check_func(my_sym_arg) | |
stdout = check_func.result_state.posix.dumps(1) | |
print("Stdout : {}".format(stdout)) | |
''' | |
print("[+] Running modified angr callable with symbolic arguments") | |
#Instead try this | |
#Build a callable state using that calling convention we defined earlier | |
state = p.factory.call_state(find_func.addr, my_sym_arg, cc=cc) | |
simgr = p.factory.simgr(state) | |
simgr.explore(find=crack_me_good_addr) | |
if len(simgr.found): | |
found_state = simgr.found[0] | |
my_input = found_state.se.eval(my_sym_arg, cast_to=bytes).decode("utf-8", "ignore") | |
print("One solution : {}".format(my_input)) | |
solutions = found_state.se.eval_upto(my_sym_arg, 20, cast_to=bytes) | |
for soln in solutions: | |
print("Many solutions : {}".format(soln.decode('utf-8', 'ignore'))) | |
if __name__ == "__main__": | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment