To help you get started with angr, we've created several examples. These mostly stem from CTF problems solved with angr by Shellphish. Enjoy!
Author: Fish Wang (github: @ltfish)
Script runtime: 5.5 sec
A Windows binary that takes a flag as argument, and tells you if the flag is correct or not.
I have to patch out some checks that are difficult for angr to solve (e.g. it uses some bytes of the flag to decrypt some data, and see if those data are legit Windows APIs). Other than that, angr works really well for solving this challenge.
The binary and the script. Enjoy!
Author: Fish Wang (github: @ltfish)
Script runtime: 5.5 sec
This is a painful challenge to solve with angr. I should have done things in a smarter way.
Here is the binary and the script.
Author: Fish Wang (github: @ltfish)
Script runtime: 1 min 57 sec
The solution is pretty straight-forward.
Author: Fish Wang (github: @ltfish)
Script runtime: 3.6 sec
This is a good example that showcases the following:
- Create a custom file, and load it during symbolic execution.
- Create an inline call to SimProcedure
strlen, and use it to determine the length of a string in memory - even if the string may not be null-terminated. LAZY_SOLVESshould be disabled sometimes to avoid creating too many paths.
Here are the binary and the script.
Author: Fish Wang (github: @ltfish)
Angr solves this challenge with almost zero user-interference.
See the script and the binary.
Author: Fish Wang (github: @ltfish)
Angr solves this challenge with almost zero user-interference. Veritesting is required to retrieve the flag promptly.
The script and the binary. It takes a few minutes to run on my laptop.
Author: Andrew Dutcher (github: @rhelmot)
We solved this simple reversing challenge with angr, since we were too lazy to reverse it or run it in Windows. The resulting script shows how we grabbed the flag out of the DLL.
Author: Chris Salls (github: @salls)
This crackme is 95% solveable with angr, but we did have to overcome some difficulties. The script describes the difficulties that were encountered and how we worked around them. The binary can be found here.
Author: Fish Wang (github: @ltfish)
angr acts as a binary loader and an emulator in solving this challenge. I didn’t have to load the driver onto my Windows box.
The script demonstrates how to hook at arbitrary program points without affecting the intended bytes to be executed (a zero-length hook). It also shows how to read bytes out of memory and decode as a string.
By the way, here is the link to the intended solution from FireEye.
Author: Chris Salls (github: @salls)
This reversing challenge is simple to solve almost entirely with angr, and a lot faster than trying to reverse the password checking function. The script is here
Author: Fish Wang (github: @ltfish)
We solved this crackme with angr’s help. (Fish: This is my first time solving a reversing challenge without understanding what’s going on.) The challenge binary is here, and the solving script here.
The solving script demonstrates the following:
- How to load a Windows binary (no difference than an ELF).
- How to use hook to replace arbitrary code in a loaded program.
- How to use Explorer to perform a symbolic exploration (although everyone else thinks PathGroup is the future).
- How to enable Veritesting, and why it is useful.
Author: Yan Shoshitaishvili (github: @Zardus)
We solved this crackme with angr's help. The resulting script will help you understand how angr can be used for crackme assistance. You can find this script here and the binary here.
Author: Andrew Dutcher (github: @rhelmot)
Angr can outright solve this challenge with very little assistance from the user. The script to do so is here and the binary is here.
Author: Andrew Dutcher (github: @rhelmot)
Angr cannot currently solve this problem naively, as the problem is too complex for z3 to solve. Formatting the constraints to z3 a little differently allows z3 to come up with an answer relatively quickly. (I was asleep while it was solving, so I don't know exactly how long!) The script for this is here and the binary is here.