{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-angr-hooking-en","result":{"data":{"markdownRemark":{"id":"c0240fc0-5ebc-536e-95e5-c17eddafe8a4","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-angr-hooking\">original page</a>.</p>\n</blockquote>\n<p>This article was written for <a href=\"https://adventar.org/calendars/9245\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CTF Advent Calendar 2023</a>.</p>\n<p>The previous article was Edwow Math (N30Z30N)‘s ”<a href=\"https://m5453.hatenablog.com/entry/2023/12/22/062638\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Good CTFs, Bad CTFs, Ordinary CTFs (for CTF Advent Calendar 2023) - Learning cyber security by playing and enjoying CTFs</a>.”</p>\n<p>As for the next article… unfortunately, it looks like nobody is scheduled to write one at the moment, so I will skip that part.</p>\n<p>This time, I will try using angr to hook arbitrary symbol functions so that I can partially modify their behavior or override them entirely.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#using-the-hook_symbol-method-in-angr\">Using the hook_symbol Method in angr</a></p>\n<ul>\n<li><a href=\"#overriding-the-return-value-of-a-symbol-function-in-angr-to-recover-the-flag\">Overriding 
the Return Value of a Symbol Function in angr to Recover the Flag</a></li>\n<li><a href=\"#replacing-the-behavior-of-statically-linked-library-functions\">Replacing the Behavior of Statically Linked Library Functions</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#using-the-hook-method-in-angr\">Using the hook Method in angr</a></p>\n<ul>\n<li><a href=\"#rewriting-a-specific-register-with-the-hook-method\">Rewriting a Specific Register with the hook Method</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solving-a-ctf-challenge-with-hook_symbol\">Solving a CTF Challenge with hook_symbol</a></p>\n<ul>\n<li><a href=\"#how-to-recover-the-sop-flag-with-angr\">How to Recover the SOP Flag with angr</a></li>\n<li><a href=\"#analyzing-the-binary\">Analyzing the Binary</a></li>\n<li><a href=\"#building-a-solver-with-hook_symbol\">Building a Solver with hook_symbol</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"using-the-hook_symbol-method-in-angr\" style=\"position:relative;\"><a href=\"#using-the-hook_symbol-method-in-angr\" aria-label=\"using the hook_symbol method in angr permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using the hook_symbol Method in angr</h2>\n<p>In angr, you can hook specific symbol functions by using the <code class=\"language-text\">hook_symbol</code> method.</p>\n<p>The basic way to override a symbol function with <code class=\"language-text\">hook_symbol</code> is to create any class that inherits from <code 
class=\"language-text\">angr.SimProcedure</code>, implement the replacement behavior in its <code class=\"language-text\">run</code> method, and pass an instance of that class to <code class=\"language-text\">hook_symbol</code> together with the symbol name of the function you want to hook.</p>\n<p>The parameters of the <code class=\"language-text\">run</code> method receive the arguments of the hooked function (in the example below, <code class=\"language-text\">argc</code> and <code class=\"language-text\">argv</code> of <code class=\"language-text\">main</code>).</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> angr <span class=\"token keyword\">import</span> Project<span class=\"token punctuation\">,</span> SimProcedure\nproject <span class=\"token operator\">=</span> Project<span class=\"token punctuation\">(</span><span class=\"token string\">'examples/fauxware/fauxware'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">class</span> <span class=\"token class-name\">BugFree</span><span class=\"token punctuation\">(</span>SimProcedure<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n   <span class=\"token keyword\">def</span> <span class=\"token function\">run</span><span class=\"token punctuation\">(</span>self<span class=\"token punctuation\">,</span> argc<span class=\"token punctuation\">,</span> argv<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n       <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Program running with argc=%s and argv=%s'</span> <span class=\"token operator\">%</span> <span class=\"token punctuation\">(</span>argc<span class=\"token punctuation\">,</span> argv<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n       <span class=\"token keyword\">return</span> <span class=\"token number\">0</span>\n\n<span class=\"token comment\"># this assumes we have symbols for the binary</span>\nproject<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token 
punctuation\">(</span><span class=\"token string\">'main'</span><span class=\"token punctuation\">,</span> BugFree<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run a quick execution!</span>\nsimgr <span class=\"token operator\">=</span> project<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>run<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://docs.angr.io/en/latest/extending-angr/simprocedures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Hooks and SimProcedures - angr documentation</a></p>\n<p>By using <code class=\"language-text\">SimProcedures</code> and <code class=\"language-text\">hook_symbol</code>, you can, for example, override the behavior of arbitrary functions or library functions and recover the Flag.</p>\n<h3 id=\"overriding-the-return-value-of-a-symbol-function-in-angr-to-recover-the-flag\" style=\"position:relative;\"><a href=\"#overriding-the-return-value-of-a-symbol-function-in-angr-to-recover-the-flag\" aria-label=\"overriding the return value of a symbol function in angr to recover the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Overriding the Return Value 
of a Symbol Function in angr to Recover the Flag</h3>\n<p>First, I will use angr to analyze a binary built from the following C code and recover the Flag.</p>\n<p>The program compiled from the code below takes a string from standard input and prints <code class=\"language-text\">Success</code> only if the input is <code class=\"language-text\">Flag{angr}</code> and the value generated by the <code class=\"language-text\">rand()</code> function is exactly <code class=\"language-text\">0x12345</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// gcc sample1.c -o chal.bin</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;time.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">16</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%15s\"</span><span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token 
function\">srand</span><span class=\"token punctuation\">(</span><span class=\"token function\">time</span><span class=\"token punctuation\">(</span><span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token function\">strcmp</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> <span class=\"token string\">\"Flag{angr}\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">(</span><span class=\"token function\">rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x12345</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Success\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>If you run it normally, the return value of <code class=\"language-text\">rand()</code> will almost never be exactly <code class=\"language-text\">0x12345</code>, so the output is always <code class=\"language-text\">Failed</code>.</p>\n<p>In other words, unless the constraint “the return value of <code class=\"language-text\">rand()</code> is exactly <code class=\"language-text\">0x12345</code>” is satisfied, angr cannot identify the correct Flag.</p>\n<p>In a case like this, you can recover the Flag by using a script like the following to hook <code class=\"language-text\">rand</code> and override its return value to <code class=\"language-text\">0x12345</code>.</p>\n<p>In the example below, after setting the bitvector defined by the symbolic variable <code class=\"language-text\">flag</code> as standard input, I override the <code class=\"language-text\">rand</code> function with <code class=\"language-text\">hook_symbol</code>, which makes it easy to determine that the correct Flag is <code class=\"language-text\">Flag{angr}</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n<span class=\"token keyword\">import</span> claripy\n<span class=\"token keyword\">from</span> logging <span class=\"token keyword\">import</span> getLogger<span class=\"token punctuation\">,</span> WARN\n\ngetLogger<span class=\"token punctuation\">(</span><span class=\"token string\">\"angr\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>setLevel<span class=\"token punctuation\">(</span>WARN <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">class</span> <span class=\"token class-name\">OverrideFunction</span><span 
class=\"token punctuation\">(</span>angr<span class=\"token punctuation\">.</span>SimProcedure<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">def</span> <span class=\"token function\">run</span><span class=\"token punctuation\">(</span>self<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token comment\"># rand() takes no arguments; the 32-bit value returned here is written to eax</span>\n        <span class=\"token keyword\">return</span> claripy<span class=\"token punctuation\">.</span>BVV<span class=\"token punctuation\">(</span><span class=\"token number\">0x12345</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">correct</span><span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">b\"Success\"</span> <span class=\"token keyword\">in</span> state<span 
class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token boolean\">True</span>\n    <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">failed</span><span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">b\"Failed\"</span> <span class=\"token keyword\">in</span> state<span class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token boolean\">True</span>\n    <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n\nflag <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"./chal.bin\"</span><span class=\"token punctuation\">,</span> 
load_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span><span class=\"token string\">\"auto_load_libs\"</span><span class=\"token punctuation\">:</span> <span class=\"token boolean\">False</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># install the hook before any state is created or explored;</span>\n<span class=\"token comment\"># a hook added after explore() has no effect on states that already ran</span>\nproj<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"rand\"</span><span class=\"token punctuation\">,</span> OverrideFunction<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span>stdin<span class=\"token operator\">=</span>flag<span class=\"token punctuation\">)</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>correct<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>failed<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n    found <span class=\"token operator\">=</span> simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    <span class=\"token comment\"># print(found.posix.dumps(0))</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>found<span class=\"token 
punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">bytes</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">except</span> IndexError<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Not Found\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/entry/2019/08/17/223044\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Trying Various Things with angr [yoshi-camp notes] - Let’s Do CTF</a></p>\n<p>Here, the <code class=\"language-text\">rand</code> function is replaced with the behavior defined in the <code class=\"language-text\">run</code> method of the <code class=\"language-text\">OverrideFunction</code> class. Note that <code class=\"language-text\">hook_symbol</code> must be called before <code class=\"language-text\">simgr.explore()</code>: a hook only affects states that are executed after it has been installed. (With <code class=\"language-text\">auto_load_libs</code> set to <code class=\"language-text\">False</code>, an unhooked <code class=\"language-text\">rand</code> falls back to angr’s built-in stub, which returns an unconstrained symbolic value, so the solver can satisfy the comparison on its own; the hook pins the value explicitly.)</p>\n<p>The value returned from <code class=\"language-text\">run</code> is written as a plain integer to the return register (<code class=\"language-text\">eax</code> for a 32-bit <code class=\"language-text\">int</code>), so it is enough to return a 32-bit bitvector holding <code class=\"language-text\">0x12345</code> directly; no byte-order conversion is needed.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">return</span> claripy<span class=\"token punctuation\">.</span>BVV<span class=\"token punctuation\">(</span><span class=\"token number\">0x12345</span><span class=\"token punctuation\">,</span> <span 
class=\"token number\">32</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>When you run this, the solver evaluates the symbolic variable <code class=\"language-text\">flag</code> for the state in which <code class=\"language-text\">Success</code> is printed, and you can identify the correct Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 942px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7dfe0772dd51c8c24d1a1527959380a8/f1901/image-20231223053728661.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5.416666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAIAAABR8BlyAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAN0lEQVQI12OwUTZ10LV10LRyVLGxU7a3V7Z1ULGzlLW0kjRykDGxkzZ2lDMzFdDS51Q24FJBQwBaegonOf84oAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7dfe0772dd51c8c24d1a1527959380a8/8ac56/image-20231223053728661.webp 240w,\n/static/7dfe0772dd51c8c24d1a1527959380a8/d3be9/image-20231223053728661.webp 480w,\n/static/7dfe0772dd51c8c24d1a1527959380a8/2fa1f/image-20231223053728661.webp 942w\"\n             
 sizes=\"(max-width: 942px) 100vw, 942px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7dfe0772dd51c8c24d1a1527959380a8/8ff5a/image-20231223053728661.png 240w,\n/static/7dfe0772dd51c8c24d1a1527959380a8/e85cb/image-20231223053728661.png 480w,\n/static/7dfe0772dd51c8c24d1a1527959380a8/f1901/image-20231223053728661.png 942w\"\n            sizes=\"(max-width: 942px) 100vw, 942px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7dfe0772dd51c8c24d1a1527959380a8/f1901/image-20231223053728661.png\"\n            alt=\"image-20231223053728661\"\n            title=\"image-20231223053728661\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"replacing-the-behavior-of-statically-linked-library-functions\" style=\"position:relative;\"><a href=\"#replacing-the-behavior-of-statically-linked-library-functions\" aria-label=\"replacing the behavior of statically linked library functions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Replacing the Behavior of Statically Linked Library Functions</h3>\n<p>It seems that angr bundles replacement implementations of common library functions such as those in libc.</p>\n<p>According to the angr documentation, angr uses these replacements so that even dynamically linked 
programs can be analyzed correctly.</p>\n<p>Reference: <a href=\"https://docs.angr.io/en/latest/extending-angr/environment.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Extending the Environment Model - angr documentation</a></p>\n<p>Here, the blog post below mentions that when library functions are statically linked into a binary, angr analyzes those linked library functions too, which slows analysis down.</p>\n<p>In such cases, it seems possible to speed up analysis by binding library-function symbols to the replacement implementations bundled with angr, using the <code class=\"language-text\">hook_symbol</code> method as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">p<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"__libc_start_main\"</span><span class=\"token punctuation\">,</span> angr<span class=\"token punctuation\">.</span>SIM_PROCEDURES<span class=\"token punctuation\">[</span><span class=\"token string\">\"glibc\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"__libc_start_main\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"printf\"</span><span class=\"token punctuation\">,</span> angr<span class=\"token punctuation\">.</span>procedures<span class=\"token punctuation\">.</span>libc<span class=\"token punctuation\">.</span>printf<span class=\"token punctuation\">.</span>printf<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token 
punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"__isoc99_scanf\"</span><span class=\"token punctuation\">,</span> angr<span class=\"token punctuation\">.</span>procedures<span class=\"token punctuation\">.</span>libc<span class=\"token punctuation\">.</span>scanf<span class=\"token punctuation\">.</span>scanf<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"strcmp\"</span><span class=\"token punctuation\">,</span> angr<span class=\"token punctuation\">.</span>procedures<span class=\"token punctuation\">.</span>libc<span class=\"token punctuation\">.</span>strcmp<span class=\"token punctuation\">.</span>strcmp<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"puts\"</span><span class=\"token punctuation\">,</span> angr<span class=\"token punctuation\">.</span>procedures<span class=\"token punctuation\">.</span>libc<span class=\"token punctuation\">.</span>puts<span class=\"token punctuation\">.</span>puts<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/entry/2019/08/17/223044\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Trying Various Things with angr [yoshi-camp notes] - Let’s Do CTF</a></p>\n<h2 id=\"using-the-hook-method-in-angr\" style=\"position:relative;\"><a href=\"#using-the-hook-method-in-angr\" aria-label=\"using the hook method in angr permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" 
version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using the hook Method in angr</h2>\n<p>When using the <code class=\"language-text\">SimProcedure</code> described above, it seems that the entire function is hooked during analysis.</p>\n<p>On the other hand, if you use a user hook, you can hook a specific location in the code and do things such as rewriting registers.</p>\n<p>Reference: <a href=\"https://docs.angr.io/en/latest/extending-angr/simprocedures.html#user-hooks\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Hooks and SimProcedures - angr documentation</a></p>\n<h3 id=\"rewriting-a-specific-register-with-the-hook-method\" style=\"position:relative;\"><a href=\"#rewriting-a-specific-register-with-the-hook-method\" aria-label=\"rewriting a specific register with the hook method permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Rewriting a Specific Register with the hook Method</h3>\n<p>Now I will actually try angr’s <code class=\"language-text\">hook</code> method on a binary compiled from the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code 
class=\"language-c\"><span class=\"token comment\">// gcc sample2.c -o chal.bin</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;time.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">func</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">int</span> v <span class=\"token operator\">=</span> <span class=\"token function\">func</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">char</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">16</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%15s\"</span><span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token 
function\">strcmp</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> <span class=\"token string\">\"Flag{angr}\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">(</span>v <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Success\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The program above checks whether the input string is <code class=\"language-text\">Flag{angr}</code>, but if the value of <code class=\"language-text\">v</code> is anything other than <code class=\"language-text\">1</code>, <code class=\"language-text\">Success</code> will not be printed even when the correct Flag is entered.</p>\n<p>And the value of <code class=\"language-text\">v</code> is always <code class=\"language-text\">0</code> because of the <code class=\"language-text\">func</code> function.</p>\n<p>If you want to 
recover the Flag from a binary like this with angr, you could of course do it the same way as before, by overriding <code class=\"language-text\">func</code> with the <code class=\"language-text\">hook_symbol</code> method.</p>\n
<p>This time, however, I deliberately do not want to override the entire function, so I will recover the Flag by using the <code class=\"language-text\">hook</code> method to rewrite only the return-value register <code class=\"language-text\">eax</code>.</p>\n
<p>First, use <code class=\"language-text\">objdump -d</code> or a similar tool to find the address of the <code class=\"language-text\">call</code> to <code class=\"language-text\">func</code> and of the instruction that stores its return value into the variable <code class=\"language-text\">v</code>.</p>\n
<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">11d8:       e8 cc ff ff ff          call   11a9 &lt;func>\n11dd:       89 45 dc                mov    %eax,-0x24(%rbp)</code></pre></div>\n
<p>Next, recover the Flag with the following script, which uses the <code class=\"language-text\">hook</code> method to rewrite only <code class=\"language-text\">eax</code>.</p>\n
<p>The code is similar to the previous example, but it hooks 5 bytes starting at <code class=\"language-text\">0x4011d8</code>, that is, exactly the <code class=\"language-text\">call func</code> instruction. The hook sets the <code class=\"language-text\">eax</code> register to <code class=\"language-text\">1</code>, <code class=\"language-text\">func</code> itself never runs, and execution resumes at <code class=\"language-text\">0x4011dd</code>, where the forced value is stored into <code class=\"language-text\">v</code>. Two details matter here. <code class=\"language-text\">length</code> must match the size of the instruction(s) being skipped exactly (5 bytes for a <code class=\"language-text\">call rel32</code>), otherwise angr resumes in the middle of an instruction. And the addresses printed by objdump are file offsets of a position-independent binary, while angr’s loader maps the main object at <code class=\"language-text\">0x400000</code> by default, which is why <code class=\"language-text\">0x11d8</code> becomes <code class=\"language-text\">0x4011d8</code>; if you would rather not hard-code the base, add the offset to <code class=\"language-text\">proj.loader.main_object.mapped_base</code>.</p>\n
<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">import angr\nimport claripy\nfrom logging import getLogger, WARN\n\ngetLogger(\"angr\").setLevel(WARN + 1)\n\ndef correct(state):\n    if b\"Success\" in state.posix.dumps(1):\n        return True\n    return False\n\ndef failed(state):\n    if b\"Failed\" in state.posix.dumps(1):\n        return True\n    return False\n\nflag = claripy.BVS('flag', 16*8, explicit_name=True)\nproj = angr.Project(\"./chal.bin\", load_options={\"auto_load_libs\": False})\n\n# Replace the 5-byte \"call func\" at 0x4011d8: func never runs, eax (its\n# return value) is forced to 1, and execution resumes at 0x4011dd.\n@proj.hook(0x4011d8, length=5)\ndef set_eax(state):\n    state.regs.eax = 1\n\nstate = proj.factory.entry_state(stdin=flag)\nsimgr = proj.factory.simulation_manager(state)\nsimgr.explore(find=correct, avoid=failed)\n\ntry:\n    found = simgr.found[0]\n    # print(found.posix.dumps(0))\n    print(found.solver.eval(flag, cast_to=bytes))\nexcept IndexError:\n    print(\"Not Found\")</code></pre></div>\n
<p>By running this script, you get past the <code class=\"language-text\">v == 1</code> check, so angr is able to recover the correct Flag.</p>\n
<p><img src=\"/static/8a8746212af4464de374f358e9e2e9ec/e9131/image-20231223230810007.png\" alt=\"image-20231223230810007\" title=\"image-20231223230810007\" /></p>\n
<h2 id=\"solving-a-ctf-challenge-with-hook_symbol\" style=\"position:relative;\"><a href=\"#solving-a-ctf-challenge-with-hook_symbol\" aria-label=\"solving a ctf challenge with hook_symbol permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solving a CTF Challenge with hook_symbol</h2>\n
<p>Finally, I will solve an actual CTF challenge using angr’s <code class=\"language-text\">hook_symbol</code> method.</p>\n
<p>The challenge I will solve with angr this time is <code class=\"language-text\">SOP</code> from Gracier CTF 2023.</p>\n
<p>Reference: <a href=\"/ctf-gracier-2023-en#soprev\">Gracier CTF 2023 Writeup SOP(Rev)</a></p>\n
<p>The challenge itself is themed around SOP (probably Signal Oriented Programming or Sigreturn Oriented Programming). 
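</p>
<p>To make that control flow concrete before going further, here is a small C program added for this article. It is not the challenge’s code and does not reproduce its handlers; the flag string <code class=\"language-text\">Flag{sop}</code>, the handler names and the use of <code class=\"language-text\">SIGALRM</code> as the failure path are all made up for the illustration. What it shows is the pattern the challenge is built on: a check split across signal handlers that pass control to each other with <code class=\"language-text\">raise</code>, and a <code class=\"language-text\">SIGSEGV</code> handler that is re-registered with <code class=\"language-text\">signal</code> between stages, so the same signal number reaches a different function the next time it is raised.</p>

```c
/* Added example for this article, not the challenge's own code: a minimal
 * model of signal-oriented control flow. The check is split across signal
 * handlers that pass control to each other with raise(), and the SIGSEGV
 * handler is swapped with signal() between stages, so the same signal
 * number reaches a different function the next time it is raised.
 * The flag "Flag{sop}", the handler names and the use of SIGALRM as the
 * failure path are all constructed for this illustration. */
#include <signal.h>
#include <stdio.h>
#include <string.h>

static const char EXPECTED[] = "Flag{sop}";   /* constructed, not the real flag */

/* A handler only receives the signal number, so all state lives in globals,
 * just like the DAT_* variables in the Ghidra output of the real binary. */
static char g_input[32];
static int  g_stage;    /* last stage that ran: 1 = length, 2 = compare, 3 = fail */
static int  g_result;   /* 1 = SUCCESS, 0 = FAIL */

static void stage_compare(int sig);
static void stage_fail(int sig);

/* Stage 1, reached through SIGSEGV. If the length is right it re-registers
 * SIGSEGV so that the next SIGSEGV lands in stage_compare, then raises it. */
static void stage_length(int sig)
{
    (void)sig;
    g_stage = 1;
    if (strlen(g_input) != strlen(EXPECTED)) {
        raise(SIGALRM);                 /* hand over to the failure handler */
        return;
    }
    signal(SIGSEGV, stage_compare);     /* dynamic handler swap, as in the challenge */
    raise(SIGSEGV);
}

/* Stage 2, also reached through SIGSEGV, but only after the swap above. */
static void stage_compare(int sig)
{
    (void)sig;
    g_stage = 2;
    if (memcmp(g_input, EXPECTED, strlen(EXPECTED)) != 0) {
        raise(SIGALRM);
        return;
    }
    g_result = 1;
}

static void stage_fail(int sig)
{
    (void)sig;
    g_stage = 3;
    g_result = 0;
}

/* Runs the whole chain for one input and returns 1 (SUCCESS) or 0 (FAIL).
 * raise() delivers synchronously, so when it returns every handler in the
 * chain, including any the handlers raised into, has already finished. */
int run_sop_chain(const char *input)
{
    g_stage = 0;
    g_result = 0;
    snprintf(g_input, sizeof g_input, "%s", input);

    signal(SIGSEGV, stage_length);
    signal(SIGALRM, stage_fail);
    raise(SIGSEGV);                     /* nothing faults: this just invokes the handler */

    /* Restore the defaults so a real fault later is not silently "handled". */
    signal(SIGSEGV, SIG_DFL);
    signal(SIGALRM, SIG_DFL);
    return g_result;
}

/* Which stage produced the verdict; lets a caller see the path taken. */
int last_stage(void)
{
    return g_stage;
}

int main(void)
{
    char buf[64];
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    buf[strcspn(buf, "\n")] = '\0';
    puts(run_sop_chain(buf) ? "SUCCESS" : "FAIL");
    return 0;
}
```

<p>Compile it with gcc and pipe the input in, as with the earlier sample. Note that there is no call edge from <code class=\"language-text\">run_sop_chain</code> to <code class=\"language-text\">stage_compare</code> at all: the path exists only in the kernel’s signal dispatch, which is why a CFG built by angr does not see it and why gdb stops at every <code class=\"language-text\">SIGSEGV</code> unless told otherwise (<code class=\"language-text\">handle SIGSEGV nostop noprint pass</code>). With glibc’s default BSD <code class=\"language-text\">signal</code> semantics the re-raised <code class=\"language-text\">SIGSEGV</code> is blocked until <code class=\"language-text\">stage_length</code> returns and is then delivered to <code class=\"language-text\">stage_compare</code>; with System V semantics it is handled nested inside <code class=\"language-text\">stage_length</code>; the verdict is the same either way. The challenge binary applies the same trick with far more handlers. 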
It begins by raising a signal when <code class=\"language-text\">main</code> finishes, and from then on control moves between handler functions registered with <code class=\"language-text\">signal</code>, each one invoked through the <code class=\"language-text\">raise</code> function.</p>\n
<p>Because the real work (checking whether the input is the correct Flag) only starts from the signal raised after <code class=\"language-text\">main</code> returns, stepping through it in gdb is awkward: the check is reached through signal handlers rather than an ordinary call chain. So this was a challenge where you needed to identify the Flag with a Frida hook or static analysis.</p>\n
<p>This time, as an alternative solution, I will show how to recover the correct Flag by using angr’s <code class=\"language-text\">hook_symbol</code> to override the behavior of <code class=\"language-text\">signal</code> and <code class=\"language-text\">raise</code>, so that angr never has to model signal delivery at all.</p>\n
<h3 id=\"how-to-recover-the-sop-flag-with-angr\" style=\"position:relative;\"><a href=\"#how-to-recover-the-sop-flag-with-angr\" aria-label=\"how to recover the sop flag with angr permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>How to Recover the SOP Flag with angr</h3>\n
<p>This binary is a program that checks whether the input string matches the correct Flag.</p>\n
<p>For that reason, it is the kind of challenge that would normally be relatively easy to solve with angr’s <code class=\"language-text\">SimulationManager</code>.</p>\n
<p>However, the Flag-verification logic in this binary starts from a signal raised after <code class=\"language-text\">main</code> finishes and is spread across the handler functions registered with <code class=\"language-text\">signal</code>, so you cannot solve it just by running <code class=\"language-text\">SimulationManager</code> as-is.</p>\n
<p>Therefore, after analyzing the binary with Ghidra to identify which handler function corresponds to each signal number passed to <code class=\"language-text\">raise</code>, I use the <code class=\"language-text\">hook_symbol</code> method to override the program’s behavior so that <code class=\"language-text\">SimulationManager</code> can identify the Flag.</p>\n
<p>This eliminates the need for angr to actually analyze the behavior of <code class=\"language-text\">signal</code> and <code class=\"language-text\">raise</code>, making it easy to identify the correct Flag.</p>\n
<h3 id=\"analyzing-the-binary\" style=\"position:relative;\"><a href=\"#analyzing-the-binary\" aria-label=\"analyzing the binary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing the Binary</h3>\n
<p>To create a solver with angr, I first use Ghidra to identify the information needed to recover the Flag.</p>\n
<p>First, in the <code class=\"language-text\">main</code> function, you can see that <code class=\"language-text\">read</code> reads up to <code class=\"language-text\">0x44</code> bytes from standard input, and that the function returns the result 
of comparing <code class=\"language-text\">DAT_001061c8 != 0x44</code>.</p>\n
<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">bool main(void)\n{\n  size_t sVar1;\n  ssize_t sVar2;\n  \n  sVar1 = strlen(&amp;DAT_001060f0);\n  DAT_001061c8 = (int)sVar1;\n  if (DAT_001061c8 == 0) {\n    sVar2 = read(0,&amp;DAT_001060f0,0x44);\n    DAT_001061c8 = (int)sVar2;\n  }\n  return DAT_001061c8 != 0x44;\n}</code></pre></div>\n
<p>This <code class=\"language-text\">main</code> function is called from <code class=\"language-text\">__libc_start_main</code>, which passes the value returned by <code class=\"language-text\">main</code> directly to the <code class=\"language-text\">exit</code> function.</p>\n
<p>Reference: <a href=\"https://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/baselib---libc-start-main-.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">__libc_start_main</a></p>\n
<p>In other words, only when the comparison <code class=\"language-text\">DAT_001061c8 != 0x44</code> is false, that is, when exactly <code class=\"language-text\">0x44</code> bytes were read, does <code class=\"language-text\">main</code> return <code class=\"language-text\">0</code> and pass that status to <code class=\"language-text\">exit</code>, and it is on this exit path that the first signal is raised. With any other input length <code class=\"language-text\">main</code> returns <code class=\"language-text\">1</code> and the handler chain is never entered, so the first thing a solver has to get right is the input length: exactly <code class=\"language-text\">0x44</code> bytes.</p>\n
<p>Next, identify the relationship between signal numbers and handler functions.</p>\n
<p>Looking through the decompiled functions in Ghidra, you can confirm that the following <code class=\"language-text\">signal</code> registrations are present.</p>\n
<p>Notice that a handler for <code class=\"language-text\">SIGSEGV (0xb)</code> is installed in three different places, so the <code class=\"language-text\">SIGSEGV</code> handler is replaced at run time, and the same signal number dispatches to a different function depending on which registration ran last. (On x86-64 Linux the other numbers are <code class=\"language-text\">0xe</code> SIGALRM, <code class=\"language-text\">0x10</code> SIGSTKFLT, <code class=\"language-text\">0x11</code> SIGCHLD, <code class=\"language-text\">0x12</code> SIGCONT, <code class=\"language-text\">0x15</code> SIGTTIN and <code class=\"language-text\">0x16</code> SIGTTOU.)</p>\n
<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">signal(0xb,FUN_001011e0);\nsignal(0xb,FUN_00101bc0);\nsignal(0xb,FUN_00102e60);\nsignal(0xe,FUN_00101bc0);\nsignal(0x10,FUN_00101350);\nsignal(0x11,FUN_001014a0);\nsignal(0x12,FUN_00102fb0);\nsignal(0x15,FUN_00101550);\nsignal(0x16,FUN_00102520);</code></pre></div>\n
<p>Next, identify the output for a correct and for an incorrect Flag.</p>\n
<p>This is easy to determine: running the program with arbitrary input prints the string <code class=\"language-text\">FAIL</code>.</p>\n
<p><img src=\"/static/375a152cf38af44a74a1d68e29bc4bc6/7b439/image-20231224003011199.png\" alt=\"image-20231224003011199\" title=\"image-20231224003011199\" /></p>\n
<p>As shown above, the output is <code class=\"language-text\">SUCCESS</code> when the Flag is correct and <code class=\"language-text\">FAIL</code> when it is incorrect.</p>\n
<p>Now let’s look more closely at the code where the Flag is verified.</p>\n
<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">if (0x40 &lt; DAT_001061c8) {\n    DAT_001061c8 = DAT_001061c8 - 0x40;\n    DAT_00106210 = DAT_00106210 + 0x40;\n    DAT_001061c0 = DAT_001061c0 + 0x40;\n    raise(0xb);\n    return;\n}\nif (DAT_001061c8 &lt; 0x40) {\n    for (DAT_001061cc = 0; DAT_001061cc &lt; DAT_001061c8; DAT_001061cc = DAT_001061cc + 1) {\n      *(undefined *)(DAT_00106138 + (ulong)DAT_001061cc) = DAT_00106210[DAT_001061cc];\n    }\n}\nDAT_001060d0 = DAT_001061a4;\nDAT_001060d4 = DAT_001061ac;\nmemcpy(local_58,&amp;DAT_00104050,0x44);\nmemset(local_168,0,0x110);\nlocal_16c = 0;\ndo {\n    do {\n      if (local_16c == 0x44) {\n        printf(\"SUCCESS\\n\");\n                    /* WARNING: Subroutine does not return */\n        exit(0);\n      }\n      local_170 = 0;\n      getrandom(&amp;local_170,4,2);\n      local_170 = local_170 % 0x44;\n    } while (local_168[local_170] == 1);\n    local_168[local_170] = 1;\n    local_16c = local_16c + 1;\n} while ((&amp;DAT_00106220)[local_170] == local_58[local_170]);\n\nprintf(\"FAIL\\n\");</code></pre></div>\n
<p>Ignore the first half and focus on the part 
below.</p>\n<p>Here, after taking the random value obtained by the <code class=\"language-text\">getrandom</code> function modulo <code class=\"language-text\">0x44</code>, the result is used as an index to check whether some transformed value derived from the input matches a hard-coded byte sequence used for verification.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n<span class=\"token operator\">*</span><span class=\"token operator\">*</span>\n      local_170 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">getrandom</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>local_170<span class=\"token punctuation\">,</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      local_170 <span class=\"token operator\">=</span> local_170 <span class=\"token operator\">%</span> <span class=\"token number\">0x44</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>local_168<span class=\"token punctuation\">[</span>local_170<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\nlocal_168<span class=\"token punctuation\">[</span>local_170<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span 
class=\"token punctuation\">;</span>\nlocal_16c <span class=\"token operator\">=</span> local_16c <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token operator\">*</span><span class=\"token operator\">*</span>\n\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_00106220<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span>local_170<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> local_58<span class=\"token punctuation\">[</span>local_170<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>This is probably part of the dynamic-analysis countermeasures, and it also becomes a factor that interferes with analysis in angr.</p>\n<p>Finally, use <code class=\"language-text\">strace -e trace=signal</code> to trace how the callback functions behave when you actually give the program a string of <code class=\"language-text\">0x44</code> bytes.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token builtin class-name\">echo</span> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class=\"token operator\">|</span> <span class=\"token function\">strace</span> -e <span class=\"token assign-left variable\">trace</span><span class=\"token operator\">=</span>signal ./app\nrt_sigaction<span class=\"token punctuation\">(</span>SIGSEGV, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ed1e0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token 
punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigaction<span class=\"token punctuation\">(</span>SIGSTKFLT, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ed350, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>STKFLT<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left 
variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigaction<span class=\"token punctuation\">(</span>SIGCHLD, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ed4a0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>CHLD<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigaction<span class=\"token punctuation\">(</span>SIGCONT, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91eefb0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>CONT<span class=\"token punctuation\">]</span>, <span class=\"token assign-left 
variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGSEGV <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGSEGV, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SEGV_MAPERR, <span class=\"token assign-left variable\">si_addr</span><span class=\"token operator\">=</span>0xe91ef160<span class=\"token punctuation\">}</span> ---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGSTKFLT<span class=\"token punctuation\">)</span>         <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGSTKFLT <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGSTKFLT, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token 
operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGCHLD<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGCHLD <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGCHLD, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGCONT<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGCONT <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGCONT, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\nrt_sigaction<span class=\"token punctuation\">(</span>SIGSEGV, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91eee60, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span 
class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ed1e0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGSEGV<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV STKFLT CHLD<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span 
class=\"token punctuation\">[</span>SEGV STKFLT<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>      <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>             <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>                 <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGSEGV <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGSEGV, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\nrt_sigaction<span class=\"token punctuation\">(</span>SIGTTOU, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ee520, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>TTOU<span class=\"token punctuation\">]</span>, <span class=\"token assign-left 
variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigaction<span class=\"token punctuation\">(</span>SIGALRM, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91edbc0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>ALRM<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span 
class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigaction<span class=\"token punctuation\">(</span>SIGTTIN, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91ed550, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>TTIN<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>SIG_DFL, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGALRM <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGALRM, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_KERNEL<span class=\"token punctuation\">}</span> ---\nrt_sigaction<span class=\"token punctuation\">(</span>SIGSEGV, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91edbc0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token 
operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91eee60, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGTTIN<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGTTIN <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGTTIN, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> 
---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGTTOU<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGTTOU <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGTTOU, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGSEGV<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV ALRM TTIN<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>   <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV ALRM<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>        <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span 
class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>             <span class=\"token operator\">=</span> -1 EINTR <span class=\"token punctuation\">(</span>Interrupted system call<span class=\"token punctuation\">)</span>\nrt_sigreturn<span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>mask<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>                 <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGSEGV <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGSEGV, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\nrt_sigaction<span class=\"token punctuation\">(</span>SIGSEGV, <span class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91edbc0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span 
class=\"token punctuation\">{</span>sa_handler<span class=\"token operator\">=</span>0x55a8e91edbc0, <span class=\"token assign-left variable\">sa_mask</span><span class=\"token operator\">=</span><span class=\"token punctuation\">[</span>SEGV<span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">sa_flags</span><span class=\"token operator\">=</span>SA_RESTORER<span class=\"token operator\">|</span>SA_RESTART, <span class=\"token assign-left variable\">sa_restorer</span><span class=\"token operator\">=</span>0x7f047a881520<span class=\"token punctuation\">}</span>, <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGTTIN<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGTTIN <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGTTIN, <span class=\"token assign-left variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\ntgkill<span class=\"token punctuation\">(</span><span class=\"token number\">29240</span>, <span class=\"token number\">29240</span>, SIGTTOU<span class=\"token punctuation\">)</span>           <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n--- SIGTTOU <span class=\"token punctuation\">{</span>si_signo<span class=\"token operator\">=</span>SIGTTOU, <span class=\"token assign-left 
variable\">si_code</span><span class=\"token operator\">=</span>SI_TKILL, <span class=\"token assign-left variable\">si_pid</span><span class=\"token operator\">=</span><span class=\"token number\">29240</span>, <span class=\"token assign-left variable\">si_uid</span><span class=\"token operator\">=</span><span class=\"token number\">1000</span><span class=\"token punctuation\">}</span> ---\nFAIL\n+++ exited with <span class=\"token number\">1</span> +++</code></pre></div>\n<p>From this result, you can see that <code class=\"language-text\">SIGSEGV (0xb)</code> is called first when the <code class=\"language-text\">main</code> function finishes, and the RVA at that time is <code class=\"language-text\">0x11e0</code>.</p>\n<p>After that, processing continues through <code class=\"language-text\">SIGSTKFLT (0x10)</code>, <code class=\"language-text\">SIGCHLD (0x11)</code>, and <code class=\"language-text\">SIGCONT (0x12)</code>.</p>\n<p>The signals called throughout the whole process were the following.</p>\n<p>This matches the signals for which handler functions were defined in the <code class=\"language-text\">signal</code> calls checked earlier. 
(Only the handler function for <code class=\"language-text\">SIGSEGV</code> is reconfigured dynamically.)</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">SIGSEGV<span class=\"token punctuation\">(</span>0xb<span class=\"token punctuation\">)</span>\nSIGALRM<span class=\"token punctuation\">(</span>0xe<span class=\"token punctuation\">)</span>\nSIGSTKFLT<span class=\"token punctuation\">(</span>0x10<span class=\"token punctuation\">)</span>\nSIGCHLD<span class=\"token punctuation\">(</span>0x11<span class=\"token punctuation\">)</span>\nSIGCONT<span class=\"token punctuation\">(</span>0x12<span class=\"token punctuation\">)</span>\nSIGTTIN<span class=\"token punctuation\">(</span>0x15<span class=\"token punctuation\">)</span>\nSIGTTOU<span class=\"token punctuation\">(</span>0x16<span class=\"token punctuation\">)</span></code></pre></div>\n<p>One thing worth noticing here is that <code class=\"language-text\">SIGALRM</code>, which is not triggered by <code class=\"language-text\">raise</code>, is still being called.</p>\n<p>It is a slightly tricky implementation, but by placing <code class=\"language-text\">sleep(2)</code> immediately after <code class=\"language-text\">alarm(1)</code>, it seems to force <code class=\"language-text\">SIGALRM</code> to occur at that timing.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">signal</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span>FUN_00102520<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">signal</span><span class=\"token punctuation\">(</span><span class=\"token number\">0xe</span><span class=\"token punctuation\">,</span>FUN_00101bc0<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token function\">signal</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x15</span><span class=\"token punctuation\">,</span>FUN_00101550<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">alarm</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">sleep</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>In analysis that uses symbolic execution like angr, it may be difficult to track time-based state changes such as <code class=\"language-text\">alarm</code> and <code class=\"language-text\">sleep</code> accurately.</p>\n<p>For that reason, on the solver side we need to override the <code class=\"language-text\">sleep</code> function and replace it with processing that forcibly calls the <code class=\"language-text\">SIGALRM</code> callback function.</p>\n<h3 id=\"building-a-solver-with-hook_symbol\" style=\"position:relative;\"><a href=\"#building-a-solver-with-hook_symbol\" aria-label=\"building a solver with hook_symbol permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Building a Solver with hook_symbol</h3>\n<p>Now that we have gathered all the necessary information, it is 
finally time to build a solver to obtain the Flag.</p>\n<p>This challenge can be solved with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">import angr\nimport claripy\nfrom logging import getLogger, WARN\n\ngetLogger(\"angr\").setLevel(WARN + 1)\n\nproj = angr.Project(\"app\")\nflag = claripy.BVS(\"flag\", 0x44*8)\nstate = proj.factory.entry_state(stdin=flag)\n\n# constrain every flag byte to the 0x21..0x7f range\nfor i in range(0x44):\n    state.solver.add(flag.get_byte(i) >= 0x21)\n    state.solver.add(flag.get_byte(i) &lt;= 0x7f)\n\ndef correct(state):\n    if b\"SUCCESS\" in state.posix.dumps(1):\n        return True\n    return False\n\ndef failed(state):\n    if b\"FAIL\" in state.posix.dumps(1):\n        return True\n    return False\n\n\nclass OverrideSignal(angr.SimProcedure):\n    def run(self, sigid, handler):\n        sigid = sigid.concrete_value\n        handler = handler.concrete_value\n        # copy before mutating so each state keeps its own handler table\n        self.state.globals[\"handlers\"] = self.state.globals[\"handlers\"].copy()\n        self.state.globals[\"handlers\"][sigid] = handler\n        return 0\n\nclass OverrideRaise(angr.SimProcedure):\n    def run(self, sigid):\n        sigid = sigid.concrete_value\n        # jump into the handler registered for this signal number\n        self.call(self.state.globals[\"handlers\"][sigid], (sigid,), 0xFFFFFFFF)\n\nclass OverrideSleep(angr.SimProcedure):\n    def run(self, sigid):\n        # sleep() is replaced by an immediate call to the SIGALRM (14) handler\n        sigid = 14\n        self.call(self.state.globals[\"handlers\"][sigid], (sigid,), 0xFFFFFFFF)\n\nclass OverrideGetRandom(angr.SimProcedure):\n    def run(self, val):\n        # hand out indices 0, 1, 2, ... instead of random ones\n        res = self.state.globals[\"i\"]\n        if res == 0x44:\n            print(self.state.posix.dumps(0))\n            input(\"\")\n        self.state.globals[\"i\"] += 1\n        self.state.mem[val].int = res\n        return 0\n\n# user hook at the ret of main: emulate delivery of SIGSEGV (11)\n@proj.hook(0x4031F2)\ndef first_sigsegv(state):\n    state.regs.rsp -= 8\n    state.regs.rip = state.globals[\"handlers\"][11]\n    state.regs.rdi = 11\n\n# initial handler table taken from the signal() calls in the binary\nstate.globals[\"handlers\"] = {\n    11: 0x4011E0,\n    14: 0x401bc0,\n    16: 0x401350,\n    17: 0x4014A0,\n    18: 0x402FB0,\n    21: 0x401550,\n    22: 0x402520\n}\n\nstate.globals[\"i\"] = 0\n# replace angr's own SimProcedures for these libc symbols\nproj.hook_symbol(\"signal\", OverrideSignal(), replace=True)\nproj.hook_symbol(\"raise\", OverrideRaise(), replace=True)\nproj.hook_symbol(\"sleep\", OverrideSleep(), replace=True)\nproj.hook_symbol(\"getrandom\", OverrideGetRandom(), replace=True)\nsimgr = proj.factory.simulation_manager(state)\n\nwhile simgr.active:\n    simgr.explore(find=correct, avoid=failed)\n    if simgr.found:\n        print(simgr.found[0].solver.eval(flag, cast_to=bytes))\n        break</code></pre></div>\n<p>The implementation looks complicated at first glance, but it is made up of the same things used up to this point.</p>\n<p>First, in the opening section of code below, as usual I define the <code class=\"language-text\">Project</code>, declare the symbolic variable <code class=\"language-text\">flag</code>, and define the expected output results for the cases where the input is correct and incorrect.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">import angr\nimport claripy\nfrom logging import getLogger, WARN\n\ngetLogger(\"angr\").setLevel(WARN + 1)\n\nproj = angr.Project(\"app\")\nflag = claripy.BVS(\"flag\", 0x44*8)\nstate = proj.factory.entry_state(stdin=flag)\n\n# constrain every flag byte to the 0x21..0x7f range\nfor i in range(0x44):\n    state.solver.add(flag.get_byte(i) >= 0x21)\n    state.solver.add(flag.get_byte(i) &lt;= 0x7f)\n\ndef correct(state):\n    if b\"SUCCESS\" in state.posix.dumps(1):\n        return True\n    return False\n\ndef failed(state):\n    if b\"FAIL\" in state.posix.dumps(1):\n        return True\n    return False</code></pre></div>\n<p>In the next part, I define classes for the four functions that will be overridden with <code class=\"language-text\">SimProcedure</code>.</p>\n<p>This time, I override the <code class=\"language-text\">signal</code>, <code class=\"language-text\">raise</code>, <code class=\"language-text\">sleep</code>, and <code class=\"language-text\">getrandom</code> functions.</p>\n<p>Overriding <code class=\"language-text\">signal</code> would be unnecessary if all handler functions were fixed, but because the callback function for <code class=\"language-text\">SIGSEGV</code> is changed dynamically, I override it as well, so that each newly registered handler is added to the dictionary called <code class=\"language-text\">handlers</code>, which maps signal numbers to handler functions.</p>\n<p>Also, the randomization of indices by <code class=\"language-text\">getrandom</code>, which was likely implemented as a dynamic-analysis countermeasure, is overridden so that it returns 0, 1, 2, ... in sequence, which makes the comparison check the Flag bytes in order from the first one.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">class OverrideSignal(angr.SimProcedure):\n    def run(self, sigid, handler):\n        sigid = sigid.concrete_value\n        handler = handler.concrete_value\n        # copy before mutating so each state keeps its own handler table\n        self.state.globals[\"handlers\"] = self.state.globals[\"handlers\"].copy()\n        self.state.globals[\"handlers\"][sigid] = handler\n        return 0\n\nclass OverrideRaise(angr.SimProcedure):\n    def run(self, sigid):\n        sigid = sigid.concrete_value\n        # jump into the handler registered for this signal number\n        self.call(self.state.globals[\"handlers\"][sigid], (sigid,), 0xFFFFFFFF)\n\nclass OverrideSleep(angr.SimProcedure):\n    def run(self, sigid):\n        # sleep() is replaced by an immediate call to the SIGALRM (14) handler\n        sigid = 14\n        self.call(self.state.globals[\"handlers\"][sigid], (sigid,), 0xFFFFFFFF)\n\nclass OverrideGetRandom(angr.SimProcedure):\n    def run(self, val):\n        # hand out indices 0, 1, 2, ... instead of random ones\n        res = self.state.globals[\"i\"]\n        if res == 0x44:\n            print(self.state.posix.dumps(0))\n            input(\"\")\n        self.state.globals[\"i\"] += 1\n        self.state.mem[val].int = res\n        return 0</code></pre></div>\n<p>The section below uses a user hook to override the <code class=\"language-text\">ret</code> of the <code class=\"language-text\">main</code> function so that <code class=\"language-text\">SIGSEGV</code> can be caught.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"># user hook at the ret of main: emulate delivery of SIGSEGV (11)\n@proj.hook(0x4031F2)\ndef first_sigsegv(state):\n    state.regs.rsp -= 8\n    state.regs.rip = state.globals[\"handlers\"][11]\n    state.regs.rdi = 11</code></pre></div>\n<p>Here, besides modifying registers such as the stack pointer, I let execution continue while bypassing the exception by setting <code class=\"language-text\">rip</code> to the 
<code class=\"language-text\">SIGSEGV</code> handler function.</p>\n<p>In the following code, I turn the initial values of the handler functions confirmed from the lines that use the <code class=\"language-text\">signal</code> function into a table.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">state<span class=\"token punctuation\">.</span><span class=\"token builtin\">globals</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"handlers\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n<span class=\"token number\">11</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x4011E0</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">14</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x401bc0</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">16</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x401350</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">17</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x4014A0</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">18</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x402FB0</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">21</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x401550</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">22</span><span class=\"token punctuation\">:</span> <span class=\"token number\">0x402520</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Finally, I hook each symbol function and run analysis with <code 
class=\"language-text\">SimulationManager</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">state<span class=\"token punctuation\">.</span><span class=\"token builtin\">globals</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"i\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nproj<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"signal\"</span><span class=\"token punctuation\">,</span> OverrideSignal<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> replace<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nproj<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"raise\"</span><span class=\"token punctuation\">,</span> OverrideRaise<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> replace<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nproj<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token string\">\"sleep\"</span><span class=\"token punctuation\">,</span> OverrideSleep<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> replace<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nproj<span class=\"token punctuation\">.</span>hook_symbol<span class=\"token punctuation\">(</span><span class=\"token 
string\">\"getrandom\"</span><span class=\"token punctuation\">,</span> OverrideGetRandom<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> replace<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">while</span> simgr<span class=\"token punctuation\">.</span>active<span class=\"token punctuation\">:</span>\n    simgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>correct<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>failed<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">bytes</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">break</span></code></pre></div>\n<p>When you run this, angr can identify the correct Flag without analyzing most of the implementation 
inside each handler function.</p>\n<p><img src=\"/static/5784b66a44a2df6cc701c2074f4272c2/c6d67/image-20231224131017306.png\" alt=\"image-20231224131017306\" /></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>About a year ago, I wrote an article called “We Don’t Know angr Yet,” but this experience made me keenly realize that I still hardly understand angr even now.</p>\n<p>I think it can be an extremely powerful analysis tool if used well, so I want to keep studying it.</p>\n<p>Reference: <a href=\"/ctf-angr-tutorial-en\">We Don’t Know angr Yet (Z3py Notes Being Added)</a></p>","fields":{"slug":"/ctf-angr-hooking-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-12-23","description":"By overriding behavior with angr's hooking features, we can bypass dynamic-analysis countermeasures and recover the Flag.","tags":["CTF (en)","Rev (en)","English"],"title":"Using angr's Hooking Features to Grab the Flag with an Unintended Solution on X'mas Eve","socialImage":{"publicURL":"/static/6d14aee85f354f54bee0c17ff2ad6c62/ctf-angr-hooking.png"}}}},"pageContext":{"slug":"/ctf-angr-hooking-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}