CTF Reverse Angr


Starting template

from angr import *

p = Project('./00_angr_find', auto_load_libs=False)  # load only the binary, not its shared libraries
st = p.factory.entry_state()                         # symbolic state at the program entry point
sm = p.factory.simgr(st)                             # simulation manager that steps the state(s)
sm.explore(find=0x?????, avoid=0x?????)              # addresses of the "Good Job" path and the path to avoid, taken from IDA
for s in sm.found:
    print(s.posix.dumps(0))                          # stdin that reaches the find address, i.e. the flag

00_angr_find

Open the binary in IDA Pro: the address that prints "Good Job" is 0x08048678, so find=0x08048678 is all that is needed.

from angr import *

p = Project('./00_angr_find', auto_load_libs=False)  # load only the binary, not its shared libraries
st = p.factory.entry_state()                         # symbolic state at the program entry point
sm = p.factory.simgr(st)                             # simulation manager that steps the state(s)
sm.explore(find=0x08048678)                          # address of the "Good Job" output, found in IDA
for s in sm.found:
    print(s.posix.dumps(0))                          # stdin that reaches the find address, i.e. the flag

Flag JXWVXRKX

01

Because there is too much text, IDA cannot display the pseudocode, but in the function names you can see a maybe_good and an avoid_me. Inside maybe_good there is "Good Job", so these intuitively correspond to find and avoid respectively.

from angr import *

p = Project('./01_angr_avoid', auto_load_libs=False)  # load only the binary, not its shared libraries
st = p.factory.entry_state()                          # symbolic state at the program entry point
sm = p.factory.simgr(st)                              # simulation manager that steps the state(s)
sm.explore(find=0x080485E0, avoid=0x080585A8)         # find = maybe_good ("Good Job"), avoid = avoid_me, both from IDA
for s in sm.found:
    print(s.posix.dumps(0))                           # stdin that reaches the find address, i.e. the flag

Flag HUJOZMYS
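Both scripts above hard-code addresses copied from IDA. As an added example (not code from the original post), the same exploration can instead be driven by what the simulated program writes to stdout: angr's explore() accepts callables that take a state, and state.posix.dumps(1) returns everything written to fd 1 so far. The "Try again" failure message is assumed here from the angr_ctf binaries; the predicates can be checked without angr installed, the angr import happens only inside solve().

```python
import sys

SUCCESS = b"Good Job"  # printed on the winning path (as described in the post)
FAILURE = b"Try again"  # assumption: the failure message printed by the angr_ctf binaries


def is_success(state):
    """True once the simulated program has written 'Good Job' to stdout (fd 1)."""
    return SUCCESS in state.posix.dumps(1)


def is_failure(state):
    """True once the simulated program has written 'Try again' to stdout (fd 1)."""
    return FAILURE in state.posix.dumps(1)


def solve(binary):
    """Explore `binary` until a state prints 'Good Job'; return the stdin that got there.

    Works for both 00_angr_find and 01_angr_avoid without looking up addresses,
    because find/avoid are decided from the program's own output.
    """
    import angr  # imported here so the predicates above stay importable without angr

    p = angr.Project(binary, auto_load_libs=False)
    sm = p.factory.simgr(p.factory.entry_state())
    # States that already printed the failure message are pruned instead of stepped further.
    sm.explore(find=is_success, avoid=is_failure)
    if not sm.found:
        return None
    return sm.found[0].posix.dumps(0)  # concrete stdin, i.e. the flag


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"
    print(solve(target))
```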


Author: Gunjyo