\n\nThis page has been machine-translated from the original page.
\n
I participated in WaniCTF’21-spring the other day.
\nSince I competed solo this time, I also solved some problems outside Reversing for the first time in a while.
\nIn the end, I only cleared Rev and Misc, and finished in 56th place.\nIt looks like I still have a long way to go before I outgrow the beginner stage.
\nimport angr\nproj = angr.Project('licence.exe')The next important concept is the loader.
\nThe loader refers to the CLE module used to lay out the binary file in a virtual address space (I think), and you can use it through the .loader property.
When you actually use it on the challenge binary, you get the following output.
\n>>> proj.loader\n<Loaded licence.exe, maps [0x400000:0x807fff]>\n>>> proj.loader.min_addr\n0x400000\n>>> proj.loader.max_addr\n0x807fff\n>>> proj.loader.main_object \n<ELF Object licence.exe, maps [0x400000:0x408017]>Here, the loader (the CLE module) is responsible for loading the binary file in a form suitable for later processing by angr.
\nMore concretely, it is the module that obtains the executable program and libraries loaded as a Project and creates the address space into which the program is loaded so it can run.
\nThe binaries loaded by the loader are read by cle.Backend class modules corresponding to their format (ELF and so on) and expanded into a single memory space.
The following documentation is helpful for the options available in the CLE module, though it seems extremely feature-rich and I have not managed to read all of it.
\n\nThis time, in order to recover the flag, I wanted to determine what value the key must have in order to reach the output produced when the correct key is entered.
\nFor that, I use Simulation Managers.
\nI would like to write a proper explanation of what Simulation Managers are, but unfortunately my understanding does not go much beyond “some amazing thing that can identify input values by symbolic execution,” so I will skip that part.
\nFor now, let’s use Simulation Managers with the Project we created from the challenge binary.
\n>>> init_state = proj.factory.entry_state(args = ['licence.exe', 'key.dat'])\n>>> simgr = proj.factory.simgr(init_state)\n>>> simgr.active\n[<SimState @ 0x401100>].factory.entry_state is a state constructor that performs the initialization for symbolic execution.
There are several variants, but entry_state seems to construct a state in which execution can begin from the binary’s entry point.
If you want to perform symbolic execution while supplying runtime arguments, define those arguments here.
\nAt this point, you need to remember that the first argument must include the invocation of the binary itself.\nThe idea is that you provide the same arguments the program would receive when launched from the console with command-line arguments.
\nWith that, the symbolic-execution setup for recovering the flag is complete.
\nNow it is finally time to get the flag.
\nTo recover the flag, I analyzed the challenge binary.
\nThere are a lot of branches inside the main function, and most of them lead to the fail function.
Unbelievably, the decompiled result contained 2,581 lines of conditional branches, and it was a function that failed if even one of them matched!
\nIf we were looking for a flag that had to match all of the conditions, we might be able to find it with enough grit and determination, but when the goal is to find a string that does not match them, it seems essentially impossible to do by hand.
\nSo from here on, the goal is to use angr to get past this check function.
As we saw earlier, angr can determine what value the key must have in order to reach the output produced when the correct key is entered.
\nTherefore, to recover the flag, we need to give angr the following information.
\nYou can identify both of these from the disassembly results.
\nFirst, when the correct key is entered, execution reaches the output at 0x5e57.
With that, by passing the correct address to find and the failure address to avoid in the Simulation Manager and calling the explore function, I was able to obtain the symbolic data needed to reach 0x5e57.
>>> simgr.explore(find=(0x405e57), avoid=(0x405e86))\n・・・\n<SimulationManager with 3 active, 390 deadended, 1 found>\n\n>>> simgr.found[0].posix.dumps(3)\nb'-----BEGIN LICENCE KEY-----\\nFLAG{4n6r_15_4_5up3r_p0w3rfu1_5ymb0l1c_xxxxxxx_xxxxxxxx}\\n-----END LICENCE KEY-----\\n'Through the WaniCTF Reversing challenge “licence,” I looked back on what I learned about using angr, the tool that analyzes complex processing through symbolic execution.
\nI am glad I was able to learn about a tool that will be extremely useful as I continue solving reversing challenges.
\nAt the same time, there are still many things I do not fully understand, so I plan to keep studying.\nIf there is anything inaccurate in this article, I would appreciate it if you point it out.
\nOnce again, thanks to the people who ran such a worthwhile CTF and to the players who competed with me.
\nNext time I want to place higher…
\nimport angr\nimport monkeyhex\n\nproj = angr.Project(\"licence.exe\", auto_load_libs=False)\n\n\"\"\"\npipenv shell\npip install angr\n\"\"\"\n\n# create project\nproj = angr.Project('licence.exe')\n\n# initial_state at the entry point of the binary\ninit_state = proj.factory.entry_state(args = ['licence.exe', 'key.dat'])\n\n# create simulation\nsimgr = proj.factory.simgr(init_state)\n\nsimgr.explore(find=(0x405e57), avoid=(0x405e86))\nif len(simgr.found) > 0:\n print(simgr.found[0].posix.dumps(3))