  • angr Advanced (6): Bypassing Anti-Debugging

    angr can bypass anti-debugging in two ways: one is the approach used earlier, starting the analysis from a specific location; the other is hooking the anti-debugging function itself.

    The principle is that angr can replace a function with a symbolic summary (tumctf2016_zwiebe):

    # ptrace is replaced by a stub that always returns 0, as if no debugger were attached
    p.hook_symbol('ptrace', angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'](return_value=0))

    Additionally, for self-modifying programs, the project must be created as follows:

    p = angr.Project("zwiebe", support_selfmodifying_code=True) 

    You can also hook key functions to take control of the program's behaviour.

    For example, controlling scanf achieves an effect similar to controlling a return value:

    import angr
    import claripy

    def main():
        # the binary patches its own code, so enable self-modifying code support
        proj = angr.Project('zwiebe', support_selfmodifying_code=True)

        # 13 symbolic 32-bit values, one for each scanf call that reads part of the flag
        flag_chars = [claripy.BVS('flag_%d' % i, 32) for i in range(13)]

        class my_scanf(angr.SimProcedure):
            def run(self, fmt, ptr): # pylint: disable=arguments-differ,unused-argument
                # store the next symbolic value where scanf would have written the input
                self.state.mem[ptr].dword = flag_chars[self.state.globals['scanf_count']]
                self.state.globals['scanf_count'] += 1

        proj.hook_symbol('__isoc99_scanf', my_scanf(), replace=True)

        sm = proj.factory.simulation_manager()
        sm.one_active.options.add(angr.options.LAZY_SOLVES)
        sm.one_active.globals['scanf_count'] = 0

        # search for just before the printf("%c%c...")
        # If we get to 0x402941, "Wrong" is going to be printed out, so definitely avoid that.
        sm.explore(find=0x4028E9, avoid=0x402941)

        # evaluate each of the flag chars against the constraints on the found state to construct the flag
        flag = ''.join(chr(sm.one_found.solver.eval(c)) for c in flag_chars)
        return flag

    if __name__ == '__main__':
        print(main())
  • Original article: https://www.cnblogs.com/61355ing/p/10525569.html