Angr
Part of this cheat sheet is based on the angr documentation.
Setup
Basic Actions
Introduction
In this section, we will cover some basic actions that can be performed using the angr framework. These actions include loading a binary, exploring its control flow, and analyzing its functions.
Loading a Binary
To load a binary into an angr project, you can use the angr.Project() function. This function takes the path to the binary as an argument and returns a project object that represents the binary.
Exploring Control Flow
Once the binary is loaded, you can explore its control flow by creating a state object and stepping through the program. The project.factory.entry_state() function creates an initial state at the entry point of the binary.
Analyzing Functions
To analyze the functions in a binary, you can use the project.kb.functions attribute. This attribute contains a dictionary where the keys are the addresses of the functions and the values are angr.knowledge_plugins.Function objects.
Conclusion
These are some of the basic actions that can be performed using the angr framework. By loading a binary, exploring its control flow, and analyzing its functions, you can gain a better understanding of its behavior and potentially discover vulnerabilities or other interesting information.
Loaded Data
The loaded data refers to the information that has been loaded into the memory during the execution of a program. This can include variables, functions, libraries, and other resources that are necessary for the program to run.
Main Object
The main object is the entry point of a program. It is the first object that is executed when the program starts running. The main object typically contains the main function, which is responsible for controlling the flow of the program.
Main Objective
The main objective of this document is to provide an introduction to the angr framework and its basic methods for reverse engineering. The angr framework is a powerful tool used for binary analysis and symbolic execution. By understanding the basic methods of angr, you will be able to effectively analyze and reverse engineer binary files. This document will cover the installation process of angr, as well as the basic usage of its key components such as the Project, State, and Explorer. Additionally, it will explain how to perform symbolic execution and solve constraints using angr. By the end of this document, you will have a solid understanding of the angr framework and its basic methods for reverse engineering.
Symbols and Relocations
Symbols and relocations are an important part of the process of modifying a program. A symbol is a unique marker that represents a memory address or a program action. Relocation, on the other hand, is the process of adjusting memory addresses or program actions so that they are correct for a particular environment.
In the context of exploitation, understanding symbols and relocations matters because it makes it possible to change memory addresses or program actions in order to reach the goals of the exploitation. For example, relocation could be used to change the memory address of a program function so that protected memory areas are reached and unexpected results are produced.
There are two kinds of symbol handling and relocation: runtime and compile-time. Runtime relocation involves changing memory addresses or program actions while the program is executing. Compile-time relocation, on the other hand, involves changing memory addresses or program actions during the process of building the program.
By understanding symbols and relocations, you can modify a program in a way that suits your exploitation goals. This may involve changing memory addresses, changing program actions, or even changing the way the program is executed.
Blocks
Blocks are a key part of working with angr. In short, a block is a piece of code that can be executed without interruption. Each block has a start address and an end address, and it may contain several instructions to be executed.
In angr you can use blocks for code analysis and for operations such as finding paths that reach a specific part of the code, examining the instructions that were executed, and discovering control-flow structures.
There are several ways to obtain blocks in angr. One is project.factory.block(), to which you pass the start address of the block you want. You can also use project.factory.simgr(state).explore() to discover all the blocks reachable in the program.
In short, blocks are a key part of code analysis, and angr offers several ways to obtain and work with them.
Simulation Manager, States
The simulation manager is a key component of angr that makes in-depth analysis of a program possible. It works by taking the program and simulating different execution states. In doing so, it allows the program's behaviour to be examined under different conditions.
The simulation manager works with angr states, which describe the memory state and the configuration of the program at a point during execution. By varying these states, the simulation manager can explore the program's different outcomes and uncover useful details such as memory regions that change and the usual results.
Using the simulation manager, you can perform in-depth analysis of a program and uncover details that help in identifying bugs or in patching the program.
Calling functions
You can pass a list of arguments through args and a dictionary of environment variables through env into entry_state and full_init_state. The values in these structures can be strings or bitvectors, and they will be written into the state as the arguments and environment of the simulated execution. The default args is an empty list, so if the program you are analysing expects to find at least an argv[0], you should always provide one!
If you would like argc to be symbolic, you can pass a symbolic bitvector as argc to the entry_state and full_init_state constructors. Be careful, though: if you do this, you should also add a constraint to the resulting state that your value for argc cannot be larger than the number of arguments you passed in args.
To use the call state, call it as .call_state(addr, arg1, arg2, ...), where addr is the address of the function you want to call and argN is the Nth argument to that function, either as a Python integer, string, or array, or as a bitvector. If you want memory allocated and an actual pointer to an object passed in, wrap it in a PointerWrapper, i.e. angr.PointerWrapper("point to me!"). The results of this API can be a little unpredictable, but we are working on it.
BitVectors
Symbolic BitVectors and Constraints
Angr uses symbolic execution to analyze and understand the behavior of binary programs. One of the key components of symbolic execution is the use of symbolic BitVectors and constraints.
Angr represents program variables as symbolic BitVectors, which are essentially mathematical representations of binary data. These BitVectors can have a fixed size, such as 32 bits or 64 bits, and can be manipulated using various operations like addition, subtraction, and bitwise operations.
Constraints are logical expressions that define relationships between symbolic BitVectors. These expressions can include conditions like equality, inequality, and arithmetic operations. Constraints are used to model the program's behavior and to guide the symbolic execution process.
During symbolic execution, Angr collects constraints based on the program's control flow and the operations performed on symbolic BitVectors. These constraints are then solved using constraint solvers to determine the possible values of the symbolic BitVectors at different program points.
By analyzing the constraints and the possible values of symbolic BitVectors, Angr can reason about the program's behavior, identify vulnerabilities, and explore different execution paths.
Overall, symbolic BitVectors and constraints are fundamental concepts in Angr's symbolic execution engine, enabling powerful analysis and exploration of binary programs.
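The following is an added example, not code from this page or from the angr project: a minimal pure-Python model of the machinery described above and in the Simulation Manager, States section. Bitvector expressions are built as small trees with modular arithmetic at their width, comparisons produce constraints, states carry a solver of accumulated path constraints, and a branch on a symbolic condition forks the state into only the satisfiable successors. The class names BV, BVS, BVV, Solver, State, the functions step, explore and solve_for_target, the addresses and the sample program are all constructed for this illustration; the solver is brute force over 8-bit symbols, whereas angr hands the same kind of constraints to an SMT solver through claripy.

```python
# Added illustration (not angr or claripy code): a pure-Python model of
# symbolic bitvectors, path constraints and state forking. Symbols are kept
# at 8 bits so a brute-force solver suffices. All names are constructed.
import itertools


class BV:
    """Fixed-width bitvector expression tree; operators build new trees."""

    def __init__(self, op, args, bits):
        self.op, self.args, self.bits = op, args, bits

    def _bin(self, op, other, bits=None):
        other = other if isinstance(other, BV) else BVV(other, self.bits)
        return BV(op, (self, other), bits or self.bits)

    def __add__(self, o): return self._bin("add", o)
    def __mul__(self, o): return self._bin("mul", o)
    def __xor__(self, o): return self._bin("xor", o)
    # Comparisons yield 1-bit bitvectors: that is what a constraint is.
    def __eq__(self, o): return self._bin("eq", o, 1)
    def __ne__(self, o): return self._bin("ne", o, 1)
    __hash__ = object.__hash__


def BVS(name, bits):   # symbolic bitvector
    return BV("sym", (name,), bits)


def BVV(value, bits):  # concrete bitvector, truncated to its width
    return BV("val", (value & ((1 << bits) - 1),), bits)


def evaluate(expr, model):
    """Concretely evaluate expr under a {symbol name: int} assignment."""
    mask = (1 << expr.bits) - 1
    if expr.op == "sym": return model[expr.args[0]]
    if expr.op == "val": return expr.args[0]
    a, b = (evaluate(x, model) for x in expr.args)
    if expr.op == "add": return (a + b) & mask   # wraps like the CPU does
    if expr.op == "mul": return (a * b) & mask
    if expr.op == "xor": return a ^ b
    if expr.op == "eq": return int(a == b)
    if expr.op == "ne": return int(a != b)
    raise ValueError(expr.op)


def symbols(expr, acc):
    """Collect (name, bits) of every symbolic leaf in expr into acc."""
    if expr.op == "sym": acc.add((expr.args[0], expr.bits))
    elif expr.op != "val":
        for a in expr.args: symbols(a, acc)
    return acc


class Solver:
    """Brute-force constraint solver with the shape of state.solver."""

    def __init__(self, constraints=()): self.constraints = list(constraints)
    def add(self, c): self.constraints.append(c)
    def copy(self): return Solver(self.constraints)

    def _models(self, extra=()):
        syms = set(extra)
        for c in self.constraints: symbols(c, syms)
        syms = sorted(syms)
        for values in itertools.product(*(range(1 << b) for _, b in syms)):
            model = dict(zip((n for n, _ in syms), values))
            if all(evaluate(c, model) for c in self.constraints):
                yield model

    def satisfiable(self): return next(self._models(), None) is not None

    def eval(self, expr):
        """One concrete value of expr consistent with all constraints."""
        return evaluate(expr, next(self._models(symbols(expr, set()))))


class State:
    def __init__(self, addr, solver, regs):
        self.addr, self.solver, self.regs = addr, solver, regs


def step(state, program):
    """Run one block; a symbolic branch forks into the satisfiable successors only."""
    kind, *rest = program[state.addr]
    if kind == "halt": return []
    if kind == "assign":
        name, fn, nxt = rest
        regs = dict(state.regs); regs[name] = fn(regs)
        return [State(nxt, state.solver.copy(), regs)]
    cond_fn, taken, fallthrough = rest            # kind == "branch"
    cond, out = cond_fn(state.regs), []
    for target, c in ((taken, cond), (fallthrough, cond == 0)):
        s = state.solver.copy(); s.add(c)
        if s.satisfiable():                       # prune infeasible paths
            out.append(State(target, s, state.regs))
    return out


def explore(program, start, find):
    """Depth-first exploration, the shape of simgr.explore(find=addr)."""
    active, found = [start], []
    while active:
        st = active.pop()
        if st.addr == find: found.append(st)
        else: active.extend(step(st, program))
    return found


def solve_for_target():
    """Constructed program: 0x100c is reached only if 3*x+7 == 0x2a and x^y == 0x55 (8-bit)."""
    x, y = BVS("x", 8), BVS("y", 8)
    program = {
        0x1000: ("assign", "t", lambda r: r["x"] * 3 + 7, 0x1004),
        0x1004: ("branch", lambda r: r["t"] == 0x2A, 0x1008, 0x1010),
        0x1008: ("branch", lambda r: (r["x"] ^ r["y"]) == 0x55, 0x100C, 0x1010),
        0x100C: ("halt",),
        0x1010: ("halt",),
    }
    found = explore(program, State(0x1000, Solver(), {"x": x, "y": y}), 0x100C)
    solver = found[0].solver
    return solver.eval(x), solver.eval(y)


if __name__ == "__main__":
    print(solve_for_target())   # (97, 52)
```

The path that reaches 0x100C carries two constraints collected at the branches, and solving them concretises the inputs: 3 is invertible modulo 256, so x is unique, and y follows from the xor. Adding your own constraint (for example solver.add(x != 0)) before calling eval narrows the answer the same way an extra constraint on a real state would.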
Hooking
Hooking is a technique for intercepting and altering a program's behaviour in order to observe or modify the data that flows through it. By hooking, we can inspect and change a program's results without having to modify its original code.
There are two kinds of hooking: inline hooking and API hooking.
Inline Hooking
Inline hooking involves intervening in the program's code and replacing a certain part of it in order to perform a specific action. This can be done by changing assembly instructions or by inserting new instructions.
Inline hooking can be used for various purposes, such as monitoring a program's output, recording user activity, or altering a program's results.
API Hooking
API hooking involves changing the program's reference table so that calls to a particular function are redirected to another function. This makes it possible to control how the program uses a given function, and it can be used for purposes such as monitoring user activity or recording a program's output.
API hooking can be done in several ways, such as modifying the reference table directly or using techniques such as DLL injection.
Through hooking we can inspect and change a program's behaviour in an unusual and powerful way. This can be useful in security research, software testing, or making specific changes to a program.
Additionally, you can use proj.hook_symbol(name, hook), giving the symbol name as the first argument, to hook the address at which that symbol is located.
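The following is an added example, not code from this page or from angr: a small pure-Python model of how an execution engine dispatches hooks. Blocks are callables standing in for the basic blocks at each address, the engine consults the hook table before the original block at every step, and hook_symbol only resolves a name through the symbol table and then hooks that address, which mirrors the shape of proj.hook(addr, hook) and proj.hook_symbol(name, hook). The Project class, the addresses, the symbol names rand and main and the sample program are all constructed for this illustration.

```python
# Added illustration (not angr code): hook dispatch by address, with
# hook_symbol resolving a name to an address first. The sample program,
# addresses and symbol table below are constructed for this example.
import random


class Project:
    def __init__(self, blocks, symbols):
        self.blocks = blocks      # addr -> callable(regs) -> next addr (None = stop)
        self.symbols = symbols    # name -> addr, as a loader would recover them
        self.hooks = {}

    def hook(self, addr, proc):
        """Replace whatever is at addr with proc for the rest of the analysis."""
        self.hooks[addr] = proc

    def hook_symbol(self, name, proc):
        """Resolve name to its address, hook that address, and return it."""
        addr = self.symbols[name]
        self.hook(addr, proc)
        return addr

    def is_hooked(self, addr):
        return addr in self.hooks

    def run(self, start, regs):
        """Execute from start until a block returns None; record the trace."""
        trace, addr = [], start
        while addr is not None:
            trace.append(addr)
            # The hook table is consulted before the original block.
            handler = self.hooks.get(addr, self.blocks.get(addr))
            if handler is None:
                raise RuntimeError(f"no block and no hook at {addr:#x}")
            addr = handler(regs)
        return regs, trace


# Constructed sample program: main calls rand(), then keeps the low byte.
# The 'real' rand block is nondeterministic, the kind of routine an analyst
# replaces with a summary procedure so the analysis becomes repeatable.
def main_call_rand(regs):
    regs["lr"] = 0x401010          # return address
    return 0x402000                # jump to rand

def main_after_rand(regs):
    regs["result"] = regs["rax"] & 0xFF
    return None

def libc_rand(regs):
    regs["rax"] = random.getrandbits(32)
    return regs["lr"]

SAMPLE_BLOCKS = {0x401000: main_call_rand, 0x401010: main_after_rand, 0x402000: libc_rand}
SAMPLE_SYMBOLS = {"main": 0x401000, "rand": 0x402000}


def fixed_rand(regs):
    """Hook procedure: a deterministic rand, the analogue of a SimProcedure."""
    regs["rax"] = 4
    return regs["lr"]


def run_with_hook():
    """Hook rand by symbol name and run main; returns (result, trace, hooked addr)."""
    proj = Project(SAMPLE_BLOCKS, SAMPLE_SYMBOLS)
    addr = proj.hook_symbol("rand", fixed_rand)
    regs, trace = proj.run(proj.symbols["main"], {})
    return regs["result"], trace, addr


def run_without_hook():
    """Same program with the original rand block; the result varies per run."""
    proj = Project(SAMPLE_BLOCKS, SAMPLE_SYMBOLS)
    regs, trace = proj.run(proj.symbols["main"], {})
    return regs["result"], trace


if __name__ == "__main__":
    print(run_with_hook())   # (4, [0x401000, 0x402000, 0x401010], 0x402000)
```

The trace is identical with and without the hook: the hooked address is still visited, but the callable that runs there is the replacement, which is why a hook placed by symbol name lands wherever the loader resolved that symbol.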
Examples