Loading a Binary - CLE and angr Projects
4 stars based on
Binary analysis frameworks provide you powerful ways of automating tasks that would be almost impossible to complete manually. In this blog, we'll have a look at Angra Python framework for analyzing binaries that is useful for both static and dynamic symbolic "concolic" analysis. Angr operates on the VEX intermediate language of Valgrind fame. Our target program is a simple license key validation program. In the late s, symbolic-execution based testing has gained popularity as a means of identifying security vulnerabilities.
Symbolic "execution" actually refers to the process of representing possible paths through a program as formulas in first-order logic, whereby variables are represented by symbolic values. By using SMT solvers to verify satisfyability and providing solutions to those formulas, we can obain the concrete values needed to reach any reachable point of execution. This was the reductionist loading a binary cle and angr projects - in reality things are a bit more complex. For each branch taken, the engine saves the contstraints imposed by the branch condition on the symbolic variable the branch depends on.
Pick your preferred path and solve the associated formula, and voila! You get the input variables required to cover that exact path.
Propositional logic is however insufficient for encoding all possible constraints occuring in our programs: After all, branch decisions could depend on pretty complex relations between symbolic values. SMT allows us to replace some of the binary variables in the SAT formula with predicates over a suitable set of non-binary variables. The output loading a binary cle and angr projects each predicate is a binary value.
Every path formula is represented as SMT problem. The SAT solver responsible for cracking the problem simply passes conjunctions of theory predicates to specialized solvers for the respective theoriessuch as linear arithmetic, nonlinear arithmetic, and bitvectors. I promise however that these are highly fascinating topics, and I'm including some links on mathematical logic and symbolic execution below.
Amongst many other things, symbolic execution is useful in cases where we need to find the right inputs for reaching a certain block of code. In the following example, we'll use Angr to solve a simple Android crackme in an automated fashion. The crackme takes the form of a native ELF binary that can be downloaded here:. Angr is written in Python 2 and available from Loading a binary cle and angr projects. It is recommended to create a dedicated virtual environment with Virtualenv as some of its dependencies contain forked versions Z3 and PyVEX that overwrite the original versions you may skip this step if you don't use these libraries for anything else - on the other hand, using Virtualenv is always a good idea.
Quite comprehensive documentation for angr is available on Gitbooksincluding an installation guide, tutorials and usage examples.
A complete API reference is also available. So far, so good, but we really know nothing about how a valid license key might look like. Where do we start? Let's fire up IDA Pro to get a first good look at what is happening. The loading a binary cle and angr projects function is located at address 0x in the disassembly note that this is a PIE-enabled binary, and IDA Pro chooses 0x0 as the image base address.
Function names have been stripped, but luckily we can see some references to debugging strings: So we're looking for a 16 character baseencoded string! The character base32 input string decodes to 10 bytes, so we know that the validation function expects a 10 byte binary string. Next, we have a look at the core validation function at 0x Even though this doesn't look like highly sophisticated stuff, we'd still need to do some more analysis to completely reverse this check and generate a license key that passes it.
But now comes the twist: By using dynamic symbolic execution, we don't actually have to do any further analysis! The symbolic execution engine can map a path between the first instruction of the license check 0x and the code printing the "Product activation passed" message 0x and determine the constraints on each byte of the input string.
The valid license key. We initialize the state with the first instruction of the serial validation function. This makes the task significantly easier and in this case, almost instant to solve, as we avoid symbolically executing the Base32 implementation. In this case, we want to find a path to the code responsible loading a binary cle and angr projects printing the "Product activation passed" message.
This block starts at 0x In this case, we're not interesting in any path that arrives at the block of code printing the "Incorrect serial" message, at 0x Note that Angr loader will load the PIE executable with a base address of 0x, so we have to add this to the addresses above.
The solution looks as follows. Symbolic execution is a great technique with many applications in vulnerability discovery, de-obfuscation and reverse engineering. Check the links below for more information. You can sign up here:. Also, check out the mobile crackmes we developed for the guide! Symbolic Execution In the late s, symbolic-execution based testing has gained popularity as a means of identifying security vulnerabilities. Very simply put, the process works as follows: A Usage Example Amongst many other things, symbolic execution is useful in cases where we need to find the right inputs for reaching a certain block of code.
The crackme takes loading a binary cle and angr projects form of a native ELF binary that can be downloaded here: Loading a binary cle and angr projects the executable on any Android device should give you the following output.
You're XOR-ing a byte with the byte next to it. We only need to provide several inputs to the symbolic execution engine: The binary is available for download on GitHub: This speeds things up a lot because we're bypassing the Baseencoder.
Running the script should return the following: It is being loaded with a base address of 0x Inputting this into the program should yield a success message.
You can sign up here: