Linear Obfuscation to Drive angr Angry

Linear Obfuscation to Drive angr Angry

Halvar Flake&PPPとローレイヤーな話をしよう (https://7bd76f3e7d0cf6c4962c0a8da8.doorkeeper.jp/events/43029) LT

5c6358240ec94522f70cf7b0e657f58f?s=128

Yuma Kurogome

April 27, 2016
Tweet

Transcript

  1. None
  2. • • • • •

  3. void congrats() { puts("congrats!"); } int main(int argc, char *argv[])

    { char username[256]; char password[256]; scanf("%s", username); scanf("%s", password); (strcmp(username, "admin") == 0 && strcmp(password, "l33t") == 0) ? congrats() : exit(1); return 0; }
  4. List of functions: [(4195592L, <Function _init (0x400508)>), (4195648L, <Function plt.puts

    (0x400540)>), (4195664L, <Function plt.__stack_chk_fail (0x400550)>), (4195680L, <Function plt.__libc_start_main (0x400560)>), (4195696L, <Function plt.strcmp (0x400570)>), (4195712L, <Function plt.__gmon_start__ (0x400580)>), (4195728L, <Function plt.__isoc99_scanf (0x400590)>), (4195744L, <Function plt.exit (0x4005a0)>), (4195760L, <Function _start (0x4005b0)>), (4195808L, <Function deregister_tm_clones (0x4005e0)>), (4195920L, <Function __do_global_dtors_aux (0x400650)>), (4195952L, <Function frame_dummy (0x400670)>), (4195997L, <Function congrats (0x40069d)>), (4196013L, <Function main (0x4006ad)>), (4196224L, <Function __libc_csu_init (0x400780)>), (67108864L, <Function puts (0x4000000)>), (67108880L, <Function __isoc99_scanf (0x4000010)>), (67108896L, <Function __libc_start_main (0x4000020)>), (67108912L, <Function __stack_chk_fail (0x4000030)>), (67108928L, <Function exit (0x4000040)>), (67108944L, <Function strcmp (0x4000050)>), (67108976L, <Function SimProcedureContinuation (0x4000070)>)] Dump stdin at congrats(): 'admin¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x0 1¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x0 1¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01l33t¥x00¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01 ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01 ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01 ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x00¥x01¥x01¥x00' import angr b = angr.Project('./test') cfg = b.analyses.CFG() print "List of functions:" print [x for x in cfg.functions.iteritems()] addr_congrats = b.loader.main_bin.get_symbol("congrats").addr e = b.surveyors.Explorer(find = addr_congrats) e.run() if len(e.found) > 0: print "Dump stdin at congrats():" print "%r" % e.found[0].state.posix.dumps(0)
  5. int main(int argc, char *argv[]) { char username[256]; char password[256];

    srand((unsigned int)time(NULL)); int y = rand()%1000; scanf("%s", username); scanf("%s", password); while(y > 1) { if(y % 2 == 1) y = 3 * y + 1; else y = y / 2; (y == 1 && strcmp(username, "admin") == 0 && strcmp(password, "l33t") == 0) ? congrats() : exit(1); } return 0; }
  6. ERROR | 2016-04-27 05:40:51,491 | angr.analyses.cfg | Caught an AngrError

    during CFG recovery at 0xffffffffff600400 (No section) Traceback (most recent call last): File "/home/angr/angr-dev/angr/angr/analyses/cfg_accurate.py", line 2268, in _get_simrun sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind) File "/home/angr/angr-dev/angr/angr/factory.py", line 131, in sim_run r = self.sim_block(state, addr=addr, **block_opts) File "/home/angr/angr-dev/angr/angr/factory.py", line 71, in sim_block **block_opts) File "/home/angr/angr-dev/angr/angr/lifter.py", line 83, in lift raise AngrMemoryError("No bytes in memory for block starting at 0x%x." % addr) AngrMemoryError: No bytes in memory for block starting at 0xffffffffff600400. ERROR | 2016-04-27 05:40:51,674 | angr.analyses.cfg | Caught an AngrError during CFG recovery at 0xffffffffff600400 (No section) Traceback (most recent call last): File "/home/angr/angr-dev/angr/angr/analyses/cfg_accurate.py", line 2268, in _get_simrun sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind) File "/home/angr/angr-dev/angr/angr/factory.py", line 131, in sim_run r = self.sim_block(state, addr=addr, **block_opts) File "/home/angr/angr-dev/angr/angr/factory.py", line 71, in sim_block **block_opts) File "/home/angr/angr-dev/angr/angr/lifter.py", line 83, in lift raise AngrMemoryError("No bytes in memory for block starting at 0x%x." % addr) AngrMemoryError: No bytes in memory for block starting at 0xffffffffff600400. List of functions: [(4195752L, <Function _init (0x4005a8)>), (4195840L, <Function plt.__libc_start_main (0x400600)>), (4195888L, <Function plt.__gmon_start__ (0x400630)>), (4195904L, <Function plt.time (0x400640)>), (4195968L, <Function _start (0x400680)>), (4196016L, <Function deregister_tm_clones (0x4006b0)>), (4196128L, <Function __do_global_dtors_aux (0x400720)>), (4196160L, <Function frame_dummy (0x400740)>), (4196221L, <Function main (0x40077d)>), (4196608L, <Function __libc_csu_init (0x400900)>), (67108896L, <Function __libc_start_main (0x4000020)>), (67108976L, <Function SimProcedureContinuation (0x4000070)>), (67109072L, <Function IFuncResolver (0x40000d0)>), (18446744073699066880L, <Function sub_ffffffffff600400 (0xffffffffff600400)>)]
  7. None
  8. // srand((unsigned int)time(NULL)); // int y = rand()%1000; int y

    = 1000;