angr Learning Notes: 0x01

The previous one was probably 0x00. For now I'll start from the official examples and docs and pick the low-hanging fruit first.

Analyses

All analyses live under project.analyses.

| Name | Description |
|---|---|
| CFGFast | Constructs a fast Control Flow Graph of the program |
| CFGEmulated | Constructs an accurate Control Flow Graph of the program |
| VFG | Performs VSA on every function of the program, creating a Value Flow Graph and detecting stack variables |
| DDG | Calculates a Data Dependency Graph, allowing one to determine what statements a given value depends on |
| BackwardSlice | Computes a Backward Slice of a program with respect to a certain target |
| Identifier | Identifies common library functions in CGC binaries |
| More! | angr has quite a few analyses, most of which work! If you'd like to know how to use one, please submit an issue requesting documentation. |

examples/CSCI-4968-MBE/challenges/crackme0x04

The challenge itself is very simple, as are crackme0x00 through crackme0x03 before it.

check():

```c
// Decompiler pseudocode of check() from crackme0x04 (variable names as emitted).
int __cdecl check(char *s)
{
    size_t v1;      // eax
    char v3;        // [esp+1Bh] [ebp-Dh]
    unsigned int i; // [esp+1Ch] [ebp-Ch]
    int v5;         // [esp+20h] [ebp-8h]  running sum of the digits
    int v6;         // [esp+24h] [ebp-4h]  value parsed from the current character

    v5 = 0;
    for ( i = 0; ; ++i )
    {
        v1 = strlen(s);
        if ( i >= v1 )
            break;
        v3 = s[i];
        sscanf(&v3, "%d", &v6);   // parse one character as a decimal digit
        v5 += v6;
        if ( v5 == 15 )           // the running sum is checked after every digit
        {
            printf("Password OK!\n");
            exit(0);
        }
    }
    return printf("Password Incorrect!\n");
}
```

The logic is simple: the input string s is converted to numbers one character at a time and the values are summed; as soon as the sum reaches 15 the password is accepted and "Password OK!" is printed. So this challenge has infinitely many solutions, including but not limited to "69", "78" and "555".

The official solve.py uses the CFG to obtain FIND_ADDR, and that is what I'm interested in:

```python
cfg = proj.analyses.CFG()
FIND_ADDR = cfg.kb.functions.function(name="exit").addr
```

In practice the usage is much the same everywhere: the CFG is used to look up an address instead of finding it by hand.

A question

Even though symbolic execution does not deal with concrete values, I still don't quite understand why angr's run ends up with exactly one found state, and why it is the first result that matches FIND_ADDR.
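As an added example (not the official solve.py and not taken from angr's docs), the script below does what solve.py is described as doing above, taking the success address from the CFG's knowledge base, and it also bears on the question of the single found state: explore() stops at the first matching state because its num_find parameter defaults to 1, so asking for more produces more. The binary path argument and the check_model() reference helper are mine; check_model() only models digit-only input.

```python
"""Added example, not the official solve.py: solve crackme0x04 with angr,
taking the success address from the CFG knowledge base and asking explore()
for more than one accepted input.  check_model() is a pure-Python reference
model of check() used to sanity-check candidates; digit-only input only."""
from typing import List


def check_model(s: str) -> bool:
    """Mirror check(): add the digits one at a time and accept as soon as the
    running sum reaches 15 (any later digits are never looked at)."""
    if not s or not s.isdigit():   # sscanf("%d") on non-digits is not modelled
        return False
    total = 0
    for ch in s:
        total += int(ch)
        if total == 15:
            return True
    return False


def solve(binary_path: str, num_solutions: int = 3) -> List[bytes]:
    """Build the fast CFG, look up exit() in its knowledge base (the only route
    to "Password OK!" ends in exit(0)) and collect up to num_solutions stdin
    inputs that reach it.  angr is imported here so check_model() is usable
    without angr installed."""
    import angr

    proj = angr.Project(binary_path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast()          # CFG() is an alias for CFGFast today
    find_addr = cfg.kb.functions.function(name="exit").addr
    simgr = proj.factory.simulation_manager(proj.factory.entry_state())
    # explore() returns once num_find states have reached `find`; the default
    # of 1 is why a plain explore(find=...) yields exactly one found state.
    simgr.explore(find=find_addr, num_find=num_solutions)
    # Concretise the stdin each found state consumed; the C code stops at NUL.
    return [st.posix.dumps(0).split(b"\0")[0] for st in simgr.found]


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "crackme0x04"  # assumed path
    for data in solve(path):
        verdict = check_model(data.decode(errors="replace"))
        print(data, "accepted by model" if verdict else "outside model")
```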

CFG

angr-doc only describes two kinds of CFG, CFGFast and CFGEmulated; that documentation is probably a little out of date.

In the current angr there are four CFG classes to be seen.


For now, let's look at CFG first.

The first thing help(cfg) shows is the following description:

CFG is just a wrapper around CFGFast for compatibility issues. It will be fully replaced by CFGFast in future releases. Feel free to use CFG if you intend to use CFGFast. Please use CFGEmulated if you have to use the old, slow, dynamically-generated version of CFG.
For multiple historical reasons, angr's CFG is accurate but slow, which does not meet what most people expect. We developed CFGFast for light-speed CFG recovery, and renamed the old CFG class to CFGEmulated. For compatibility concerns, CFG was kept as an alias to CFGEmulated.
However, so many new users of angr would load up a binary and generate a CFG immediately after running "pip install angr", and draw the conclusion that "angr's CFG is so slow - angr must be unusable!" Therefore, we made the hard decision: CFG will be an alias to CFGFast, instead of CFGEmulated.

In other words:

  1. angr has been putting its effort into optimizing CFGFast, and renamed the old CFG to CFGEmulated.
  2. CFG used to exist as an alias for CFGEmulated.
  3. Many users started using CFG rather than CFGFast right after installing angr, which led them to wrongly conclude that angr's CFG is very slow.
  4. Left with little choice, angr made CFG an alias for CFGFast instead.

So in the current version, CFG = CFGFast.

As for kb, nothing much seems to be said about it; the only thing the docs show is cfg.kb.functions.