
Linear Obfuscation to Drive angr Angry

Linear Obfuscation to Drive angr Angry

Halvar Flake&PPPとローレイヤーな話をしよう (https://7bd76f3e7d0cf6c4962c0a8da8.doorkeeper.jp/events/43029) LT

Yuma Kurogome

April 27, 2016



Transcript








  /* Print the success banner "congrats!" followed by a newline on stdout. */
  void congrats()
  {
      printf("%s\n", "congrats!");
  }
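    /*
     * Read a username and a password token from stdin and call congrats()
     * only when they are exactly "admin" / "l33t"; any other input terminates
     * the process with exit status 1.
     *
     * argc/argv are unused. Returns 0 after congrats(); exit(1) never returns.
     */
    int main(int argc, char *argv[])
    {
        char username[256];
        char password[256];

        (void)argc;
        (void)argv;

        /* A width of 255 caps each token at 255 characters plus the NUL, so an
         * over-long token can no longer overrun the 256-byte stack buffers.
         * A failed conversion (EOF, no token) leaves the buffer uninitialized,
         * so treat it as a rejected login instead of comparing garbage. */
        if (scanf("%255s", username) != 1 || scanf("%255s", password) != 1)
            exit(1);

        if (strcmp(username, "admin") == 0 && strcmp(password, "l33t") == 0)
            congrats();
        else
            exit(1);
        return 0;
    }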


  4. List of functions:
    [(4195592L, ), (4195648L, ), (4195664L, ), (4195680L, ), (4195696L,
    ), (4195712L, ), (4195728L, ), (4195744L, ), (4195760L, _start (0x4005b0)>), (4195808L, ), (4195920L, ), (4195952L, ), (4195997L, congrats (0x40069d)>), (4196013L, ), (4196224L, ), (67108864L, ), (67108880L, ),
    (67108896L, ), (67108912L, ), (67108928L, ), (67108944L, ), (67108976L,
    )]
    Dump stdin at congrats():
    'admin¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x0
    1¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x0
    1¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01l33t¥x00¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01
    ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01
    ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x00¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01
    ¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x01¥x00¥x01¥x01¥x00'
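    # Recover the CFG of ./test, print its function table, then symbolically
    # explore for a state that reaches congrats() and dump the stdin bytes that
    # state consumed. Written to run unchanged on Python 2 and 3: print() with
    # a single argument and dict.items() behave the same on both.
    import angr

    b = angr.Project('./test')
    cfg = b.analyses.CFG()
    print("List of functions:")
    print(list(cfg.functions.items()))

    # Resolve the target by symbol name. get_symbol() presumably returns None
    # when the name is absent (e.g. a stripped binary) -- guard so the failure
    # is a clear message rather than an AttributeError on `.addr`.
    sym = b.loader.main_bin.get_symbol("congrats")
    if sym is None:
        raise SystemExit("symbol 'congrats' not found in ./test")
    addr_congrats = sym.addr

    # find= names the address to search for; matching states land in e.found.
    e = b.surveyors.Explorer(find=addr_congrats)
    e.run()
    if e.found:
        print("Dump stdin at congrats():")
        # posix.dumps(0) is the concrete content of fd 0 (stdin) for that state.
        print("%r" % e.found[0].state.posix.dumps(0))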


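  /*
   * Obfuscated variant of the credential check.
   *
   * y starts as a pseudo-random value in [0, 999] seeded from the clock, and
   * the check sits inside a Collatz-style loop (y -> 3y+1 if odd, y/2 if
   * even). On every iteration the check runs: congrats() is reached only when
   * the updated y is 1 AND the credentials are "admin"/"l33t"; any other
   * iteration calls exit(1). Because exit(1) fires on the first iteration
   * where y != 1, only an initial y of 2 can ever reach congrats(); an initial
   * y of 0 or 1 skips the loop entirely and returns 0 without any check.
   *
   * argc/argv are unused. Returns 0; exit(1) never returns.
   */
  int main(int argc, char *argv[])
  {
      char username[256];
      char password[256];
      int y;

      (void)argc;
      (void)argv;

      srand((unsigned int)time(NULL));
      y = rand() % 1000;

      /* A width of 255 caps each token at 255 characters plus the NUL, so an
       * over-long token can no longer overrun the 256-byte stack buffers.
       * A failed conversion (EOF, no token) leaves the buffer uninitialized,
       * so treat it as a rejected login instead of comparing garbage. */
      if (scanf("%255s", username) != 1 || scanf("%255s", password) != 1)
          exit(1);

      while (y > 1) {
          if (y % 2 == 1)
              y = 3 * y + 1;
          else
              y = y / 2;

          if (y == 1 && strcmp(username, "admin") == 0 && strcmp(password, "l33t") == 0)
              congrats();
          else
              exit(1);
      }
      return 0;
  }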


  6. ERROR | 2016-04-27 05:40:51,491 | angr.analyses.cfg | Caught an AngrError during CFG recovery at
    0xffffffffff600400 (No section)
    Traceback (most recent call last):
    File "/home/angr/angr-dev/angr/angr/analyses/cfg_accurate.py", line 2268, in _get_simrun sim_run =
    self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
    File "/home/angr/angr-dev/angr/angr/factory.py", line 131, in sim_run r = self.sim_block(state,
    addr=addr, **block_opts)
    File "/home/angr/angr-dev/angr/angr/factory.py", line 71, in sim_block **block_opts) File
    "/home/angr/angr-dev/angr/angr/lifter.py", line 83, in lift raise AngrMemoryError("No bytes in
    memory for block starting at 0x%x." % addr)
    AngrMemoryError: No bytes in memory for block starting at 0xffffffffff600400.
    ERROR | 2016-04-27 05:40:51,674 | angr.analyses.cfg | Caught an AngrError during CFG recovery at
    0xffffffffff600400 (No section)
    Traceback (most recent call last):
    File "/home/angr/angr-dev/angr/angr/analyses/cfg_accurate.py", line 2268, in _get_simrun sim_run =
    self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
    File "/home/angr/angr-dev/angr/angr/factory.py", line 131, in sim_run r = self.sim_block(state,
    addr=addr, **block_opts)
    File "/home/angr/angr-dev/angr/angr/factory.py", line 71, in sim_block **block_opts) File
    "/home/angr/angr-dev/angr/angr/lifter.py", line 83, in lift raise AngrMemoryError("No bytes in
    memory for block starting at 0x%x." % addr)
    AngrMemoryError: No bytes in memory for block starting at 0xffffffffff600400.
    List of functions:
    [(4195752L, ), (4195840L, ),
    (4195888L, ), (4195904L, ),
    (4195968L, ), (4196016L, ),
    (4196128L, ), (4196160L, (0x400740)>), (4196221L, ), (4196608L, (0x400900)>), (67108896L, ), (67108976L, SimProcedureContinuation (0x4000070)>), (67109072L, ),
    (18446744073699066880L, )]



  8. // srand((unsigned int)time(NULL));
    // int y = rand()%1000;
    /* The clock-seeded rand() initializer above is replaced by a fixed
     * starting value, so y's Collatz walk is identical on every run. */
    int y = 1000;
