angr example of input handling
$ gcc test.c
$ python solve.py
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2019-05-06 19:54:00,018 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x810 (__libc_csu_init+0x0 in a.out (0x810))
WARNING | 2019-05-06 19:54:00,020 | angr.state_plugins.symbolic_memory | Filling register r14 with 8 unconstrained bytes referenced from 0x812 (__libc_csu_init+0x2 in a.out (0x812))
WARNING | 2019-05-06 19:54:00,022 | angr.state_plugins.symbolic_memory | Filling register r13 with 8 unconstrained bytes referenced from 0x817 (__libc_csu_init+0x7 in a.out (0x817))
WARNING | 2019-05-06 19:54:00,024 | angr.state_plugins.symbolic_memory | Filling register r12 with 8 unconstrained bytes referenced from 0x819 (__libc_csu_init+0x9 in a.out (0x819))
WARNING | 2019-05-06 19:54:00,028 | angr.state_plugins.symbolic_memory | Filling register rbx with 8 unconstrained bytes referenced from 0x82a (__libc_csu_init+0x1a in a.out (0x82a))
WARNING | 2019-05-06 19:54:00,078 | angr.state_plugins.symbolic_memory | Filling register cc_ndep with 8 unconstrained bytes referenced from 0x6f6 (register_tm_clones+0x26 in a.out (0x6f6))
WARNING | 2019-05-06 19:54:00,263 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffffffffff0000 with 184 unconstrained bytes referenced from 0x1000018 (strcmp+0x0 in extern-address space (0x18))
WARNING | 2019-05-06 19:54:00,365 | angr.state_plugins.symbolic_memory | Filling memory at 0x7fffffffffeff50 with 8 unconstrained bytes referenced from 0x1000018 (strcmp+0x0 in extern-address space (0x18))
len(simgr.found) = 1
argv[1] = b'argument\x00\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80'
stdin = b'standardinput\x00\x80\x00\x80\x80\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01'
$ ./a.out argument
standardinput
good job!
import angr
import claripy
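# Symbolically execute ./a.out to recover the argv[1] and stdin values that
# reach the "good job!" branch.
#
# NOTE(review): the find/avoid addresses below are offsets into this specific
# build of test.c. Recompiling (different compiler, flags, or source) moves
# them — re-derive them from the disassembly of the puts("good job!") and
# puts("wrong.") call sites before reusing this script.
FIND_ADDR = 0x7d5          # presumably the puts("good job!") block — confirm in the disassembly
AVOID_ADDRS = [0x7e3]      # presumably the puts("wrong.") block — confirm in the disassembly
ARG_LEN = 0x20             # bytes of symbolic argv[1] (32; "argument" needs 8 + NUL)

# base_addr=0 makes the PIE's addresses match the file offsets objdump prints
# (the warnings above show __libc_csu_init at 0x810 etc.). auto_load_libs=False
# keeps libc out of the analysis; strcmp/scanf resolve to angr's own summaries
# ("extern-address space" in the warnings) rather than real libc code.
proj = angr.Project('./a.out', main_opts={'base_addr': 0}, auto_load_libs=False)

# argv[1] is a fully symbolic bit-vector; stdin is left to angr's default
# symbolic stdin and read back from the found state below.
arg = claripy.BVS('arg', 8 * ARG_LEN)
state = proj.factory.entry_state(args=['./a.out', arg])

simgr = proj.factory.simulation_manager(state)
simgr.explore(find=FIND_ADDR, avoid=AVOID_ADDRS)

print("len(simgr.found) = {}".format(len(simgr.found)))
if simgr.found:
    s = simgr.found[0]
    argv1 = s.solver.eval(arg, cast_to=bytes)
    stdin = s.posix.dumps(0)
    print("argv[1] = {!r}".format(argv1))
    print("stdin = {!r}".format(stdin))
    # The solver may choose arbitrary bytes after the terminating NUL (the run
    # above shows \x80 padding). execve only delivers a C string up to that NUL,
    # so also print the prefix that actually reaches the program.
    print("argv[1] (usable) = {!r}".format(argv1.split(b'\x00', 1)[0]))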
#include <stdio.h>
#include <string.h>
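int main(int argc, char *argv[])
{
    /* 40-byte buffer: "%39s" reads at most 39 characters and scanf appends
     * the NUL, so the write fits. The original "%40s" allowed 40 characters
     * plus the NUL, i.e. 41 bytes — a one-byte stack overflow (the stdin value
     * angr reports above appears to be exactly 40 non-whitespace bytes, so the
     * solved input itself would have triggered it). */
    char buf[40];

    /* argv[1] is dereferenced by strcmp below; with no argument it is NULL. */
    if (argc < 2) {
        fputs("usage: ./a.out <argument>\n", stderr);
        return 1;
    }

    /* On EOF or a failed conversion buf would be uninitialized when strcmp
     * reads it; treat that as a failed check instead. */
    if (scanf("%39s", buf) != 1) {
        puts("wrong.");
        return 1;
    }

    /* NOTE: solve.py hard-codes the find/avoid addresses (0x7d5 / 0x7e3) of
     * the original binary; after any recompilation re-derive them from the
     * disassembly of the puts() call sites. */
    if (strcmp(argv[1], "argument") == 0 && strcmp(buf, "standardinput") == 0) {
        puts("good job!");
    } else {
        puts("wrong.");
    }
    return 0;
}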