Last active
May 16, 2016 18:19
-
-
Save XMPPwocky/17ccbdc1578011964b909d8148da446f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # coding: utf-8 | |
| import angr, claripy, simuvex | |
| s=b.factory.blank_state(addr=0x401300) | |
| b=angr.project.Project("binari") | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=Tru | |
| e) | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| s=b.factory.blank_state(addr=0x401300) | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| stackmem = claripy.BVS("stackmem" 4096*8) | |
| stackmem = claripy.BVS("stackmem" ,4096*8) | |
| s.mem.store(s.regs.rsp-2048, stackmem) | |
| s.memory.store(s.regs.rsp-2048, stackmem) | |
| mex = s.regs.rsi | |
| mey = s.regs.rdi | |
| mex = claripy.BVS("mex", 32*8) | |
| mey = claripy.BVS("mex", 32*8) | |
| s.regs.rsi = mex | |
| s.regs.rdi=mey | |
| pg | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| positions = [] | |
| for i in range(10): | |
| positions += [nex, ney] | |
| for i in range(10): | |
| nex = s.mem[0x6042c0+(0x18*i)].dword | |
| ney=s.mem[0x6042c4+(0x18*i)].dword | |
| positions += [nex, ney] | |
| for i in range(10): | |
| nex = s.mem[0x6042c0+(0x18*i)].dword | |
| ney=s.mem[0x6042c4+(0x18*i)].dword | |
| positions += [nex, ney] | |
| positions | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg.explore(find=0x401565,avoid=0x40153d) | |
| pg.explore(find=0x401565,avoid=0x40153d) | |
| items = claripy.BVS("steck", 0x18*8*10) | |
| stackmem | |
| pg.explore(find=0x401561,avoid=0x40153d) | |
| pg.explore(find=0x401561,avoid=0x40153d) | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg2 = pg.explore(find=0x401561,avoid=0x40153d) | |
| pg | |
| pg2 | |
| s = b.factory.entry_state() | |
| s=b.factory.blank_state(addr=0x401300) | |
| s.regs.rsi = mex | |
| s.regs.rdi=mey | |
| for i in range(10): | |
| nex = s.mem[0x6042c0+(0x18*i)].dword | |
| ney=s.mem[0x6042c4+(0x18*i)].dword | |
| positions += [nex, ney] | |
| s.memory.store(s.regs.rsp-2048, stackmem) | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| pg2 = pg.explore(find=0x401561,avoid=0x40153d) | |
| pg2 | |
| s=b.factory.blank_state(addr=0x401300) | |
| for i in range(10): | |
| nex = s.mem[0x6042c0+(0x18*i)].dword | |
| ney=s.mem[0x6042c4+(0x18*i)].dword | |
| positions += [nex, ney] | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| pg2 = pg.explore(find=0x401561,avoid=0x40153d) | |
| pg2 | |
| b = angr.project.Project("binari", load_options={"auto_load_libs": False}) | |
| s=b.factory.blank_state(addr=0x401300) | |
| p=b.factory.path(s);pg=b.factory.path_group(p, immutable=True) | |
| pg2 = pg.explore(find=0x401561,avoid=0x40153d) | |
| pg2 | |
| pg2 = pg.explore(find=0x401561) | |
| pg2 | |
| s=b.factory.blank_state(addr=0x401300) | |
| pg2 = pg.explore(find=0x401348) | |
| pg2 | |
| pg | |
| pg3 = pg2.explore(find=0x401550) | |
| pg2 | |
| pg3 | |
| help(pg2) | |
| pg2.move("found", "active") | |
| pg3 | |
| pg2 | |
| pg3 = pg2.move("found", "active").explore(find=0x401550) | |
| pg3 | |
| state.mem[0x402aa8]=poses | |
| items = claripy.BVS("steck", 0x18*8*10) | |
| s = b.factory.blank_state(addr=0x401300) | |
| s.mem | |
| type | |
| type(s.mem) | |
| type(s.memory) | |
| s.memory[0x6042c0] | |
| s.memory | |
| help(s.memory) | |
| for i in range(10): | |
| posl = claripy.BVS("POSL"+i, 64) | |
| s.memory.store(0x6042c0+(0x18*i), posl) | |
| for i in range(10): | |
| posl = claripy.BVS("POSL"+str(i), 64) | |
| s.memory.store(0x6042c0+(0x18*i), posl) | |
| positions += [posl] | |
| positions = [] | |
| s = b.factory.blank_state(addr=0x401300) | |
| for i in range(10): | |
| posl = claripy.BVS("POSL"+str(i), 64) | |
| s.memory.store(0x6042c0+(0x18*i), posl) | |
| positions += [posl] | |
| s.regs.rsi = mex | |
| s.regs.rdi = mey | |
| s.memory.store(s.regs.rsp-2048, stackmem) | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg2 = pg.explore(find=0x401348) | |
| pg2 | |
| pg3 = pg2.move("found", "active").explore(find=0x401550) | |
| pg3 | |
| pg4 = pg3.move("found", "active").explore(find=0x401561) | |
| pg4 = pg3.move("found", "active").explore(find=0x401561, avoid=0x40153d) | |
| pg4 | |
| pg5 = pg4.move("found", "active").explore(find=0x401565, avoid=0x40153d) | |
| pg5 | |
| pg5.deadended | |
| pg5.deadended | |
| pg5.pruned | |
| pg5.pruned.state.se.any_str(positions[0]) | |
| pg5.pruned[0].state.se.any_str(positions[0]) | |
| pg5.pruned[0].state.se.any_str(positions[0]) | |
| s = b.factory.blank_state(addr=0x401300) | |
| positions = [] | |
| for i in range(10): | |
| posl = claripy.BVS("POSL"+str(i), 64) | |
| s.memory.store(0x6042c0+(0x18*i), posl) | |
| positions += [posl] | |
| pg = p.factory.path_group(s, immutable=False); q = pg.explore() | |
| s.regs.rdi = mey | |
| s.regs.rsi = mex | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg2 = pg.explore(find=0x401348) | |
| pg2 | |
| pg4 = pg3.move("found", "active").explore(find=0x401561, avoid=0x40153d) | |
| pg4 | |
| pg3 = pg2.move("found", "active").explore(find=0x401550) | |
| pg3 | |
| pg4 = pg3.move("found", "active").explore(find=0x401561, avoid=0x40153d) | |
| pg4 | |
| pg4.found[0].state.se.any_str(posl) | |
| pg5 = pg4.move("found", "active").explore(find=0x401565, avoid=0x40153d) | |
| pg5 | |
| pg4.found[0].state.se.any_str(posl) | |
| pg4 | |
| pg3 | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg2 = pg.explore(find=0x401348) | |
| pg3 = pg2.move("found", "active").explore(find=0x401550) | |
| pg4 = pg3.move("found", "active").explore(find=0x401561, avoid=0x40153d) | |
| pg4 | |
| pg4.found[0].state.se.any_str(posl) | |
| pg4.found[0].state.se.any_str(positions[0]) | |
| pg4.found[0].state.se.any_str(positions[1]) | |
| pg4.found[0].state.se.any_str(positions[2]) | |
| pg4.found[0].state.se.any_str(positions[3]) | |
| pg4.found[0].state.se.any_str(positions[4]) | |
| pg4.found[0].state.se.any_str(positions[5]) | |
| pg4.found[0].state.se.any_str(positions[6]) | |
| pg4.found[0].state.se.any_str(positions[7]) | |
| pg4.found[0].state.se.any_str(positions[8]) | |
| s = b.factory.blank_state(addr=0x401300) | |
| positions = [] | |
| for i in range(10): | |
| posl = claripy.BVS("POSL"+str(i), 64) | |
| s.memory.store(0x6042c0+(0x18*i), posl) | |
| positions += [posl] | |
| for pos in positions: s.add_constraints(pos[0:4].dword < 256) | |
| for pos in positions: s.add_constraints(pos[0:4] < 256) | |
| for pos in positions: s.add_constraints(pos[1]=0x00) | |
| for pos in positions: s.add_constraints(pos[1]==0x00) | |
| for pos in positions: s.add_constraints(pos[2]==0x00) | |
| for pos in positions: s.add_constraints(pos[3]==0x00) | |
| for pos in positions: s.add_constraints(pos[5]==0x00) | |
| for pos in positions: s.add_constraints(pos[6]==0x00) | |
| for pos in positions: s.add_constraints(pos[7]==0x00) | |
| s.regs.rsi = mex | |
| s.regs.rdi = mey | |
| p = b.factory.path(s); pg = b.factory.path_group(p) | |
| pg2 = pg.explore(find=0x401550,avoid=0x40153d) | |
| pg2 | |
| pg3 = pg2.move("found", "active").explore(find=0x401550) | |
| pg3 | |
| pg4 = pg3.move("found", "active").explore(find=0x401561, avoid=0x40153d) | |
| pg4 | |
| pg4.found[0].state.se.any_str(positions[8]) | |
| pg4.found[0].state.se.any_str(positions[0]) | |
| pg4.found[0].state.se.any_str(positions[90]) | |
| pg4.found[0].state.se.any_str(positions[10]) | |
| pg4.found[0].state.se.any_str(positions[9]) | |
| pg4.found[0].state.se.any_str(positions[1]) | |
| pg5 = pg4.move("found", "active").explore(find=0x401565, avoid=0x40153d) | |
| pg5 | |
| pg5.found[0] | |
| pg6 = pg5.move("found", "active").explore(find=0x401575, avoid=0x40153d) | |
| pg6 | |
| pg6.found[0].state.se.any_int(posl[0]) | |
| pg6.found[0].state.se.any_int(posl[1]) | |
| pg6.found[0].state.se.any_int(posl[2]) | |
| pg6.found[0].state.se.any_int(posl[4]) | |
| pg6.found[0].state.se.any_int(posl[5]) | |
| pg6.found[0].state.se.any_int(positions[0]) | |
| pg6.found[0].state.se.any_str(positions[0]) | |
| pg6.found[0].state.se.any_str(positions[12]) | |
| pg6.found[0].state.se.any_str(positions[10]) | |
| pg6.found[0].state.se.any_str(positions[9]) | |
| pg6.found[0].state.se.any_str(positions[0]) | |
| pg6.found[0].state.se.any_str(posi) | |
| import struct | |
| for posi in positions: | |
| x = pg6.found[0].state.se.any_str(posi) | |
| print struct.unpack("<ii", x) | |
| mex | |
| x.pg6.found[0].state.se.any_int(mex) | |
| pg6.found[0].state.se.any_int(mex) | |
| pg6.found[0].state.se.any_int(mey) | |
| c | |
| get_ipython().magic(u'save angr_re500_tuctf') | |
| get_ipython().magic(u'save 0-193 angr_re500_tuctf') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In [186]: for posi in positions: | |
| x = pg6.found[0].state.se.any_str(posi) | |
| print struct.unpack("<ii", x) | |
| .....: | |
| (21, 35) | |
| (19, 31) | |
| (20, 34) | |
| (17, 35) | |
| (21, 39) | |
| (21, 37) | |
| (17, 41) | |
| (21, 41) | |
| (20, 42) | |
| (19, 43) | |
| In [187]: mex | |
| Out[187]: <BV256 mex_20_256> | |
| In [188]: x.pg6.found[0].state.se.any_int(mex) | |
| --------------------------------------------------------------------------- | |
| AttributeError Traceback (most recent call last) | |
| <ipython-input-188-7db86f7d8fcf> in <module>() | |
| ----> 1 x.pg6.found[0].state.se.any_int(mex) | |
| AttributeError: 'str' object has no attribute 'pg6' | |
| In [189]: pg6.found[0].state.se.any_int(mex) | |
| Out[189]: 38L | |
| In [190]: pg6.found[0].state.se.any_int(mey) | |
| Out[190]: 19L |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment