Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

how to use angr to solve ctf problem while the target elf has PIE?

See original GitHub issue

I try to solve this ctf challenage with angr,but find it has PIE with checksec,I try to solve it with below code,but it does not give me the answer,can you help me?

import angr

main = 0xe04
find = (0x10c8,)
avoid = (0x10bc,)

p = angr.Project('./my_secret')
#state = p.factory.entry_state()
state= p.factory.blank_state(addr=main)
state.posix.files[0].read_from(30)
pg = p.factory.simgr(state, threads=8)
ex = pg.explore(find=find, avoid=avoid)
#ex=pg.explore(find=lambda s:"it is my secret" in s.posix.dumps(1))

output = ex.found[0].posix.dumps(1)
print(output)
inp = ex.found[0].posix.files[0].all_bytes()  
print ex.found[0].solver.eval(inp,cast_to = str)

Issue Analytics

State:
Created 6 years ago
Comments:8 (6 by maintainers)

Top GitHub Comments

7reactions

ltfishcommented, Nov 16, 2017

angr automatically loads PIE binaries at 0x400000. angr has no trouble dealing with PIE binaries.

3reactions

rhelmotcommented, Nov 15, 2017

I think the more pressing issue after “angr cannot just solve this binary outright” is that you’re using addresses copied from IDA - in the case of PIEs, IDA will load the binary at a base address of 0 while angr will load it at a base address of 0x400000. You see a warning about this when loading a PIE in angr.