angr is very often used in CTFs. These are example scripts resulting from that use, mostly from Shellphish but also from many others.
Script author: Stanislas Lejay (github: @P1kachu)
Script runtime: ~31 minutes
Here is the binary and the script
Script author: chuckleberryfinn (github: @chuckleberryfinn)
Script runtime: ~20 seconds
A simple reverse me that takes a key as a command line argument and checks it against 14 checks. Possible to solve the challenge using angr without reversing any of the checks.
Here is the binary and the script
-
Script 0
author: David Manouchehri (github: @Manouchehri)
Script runtime: 8 minutes
-
Script 1
author: Stanislas Lejay (github: @P1kachu)
Script runtime: 11 sec
Here is the binary and the scripts:
Script 0 author: David Manouchehri (github: @Manouchehri)
Script runtime: 4.5 sec
Script 1 author: Adam Van Prooyen (github: @docileninja)
Script runtime: 6.7 sec
A Linux binary that takes a key as a command line argument and checks it against a series of constraints.
Challenge Description:
We need help activating this product -- we've lost our license key :(
You're our only hope!
Here are the binary and scripts: script 0, script_1
Author: Adam Van Prooyen (github: @docileninja)
Script runtime: 29 sec
A Linux binary that takes a team name as input and checks it against a series of constraints.
Challenge Description:
Hundreds of conditions to be meet, will you be able to surpass them?
Both sample binaries and the script are located here and additional information be found at the author's write-up.
Author: Fish Wang (github: @ltfish)
Script runtime: 5.5 sec
A Windows binary that takes a flag as argument, and tells you if the flag is correct or not.
"I have to patch out some checks that are difficult for angr to solve (e.g., it uses some bytes of the flag to decrypt some data, and see if those data are legit Windows APIs). Other than that, angr works really well for solving this challenge."
Author: Fish Wang (github: @ltfish)
Script runtime: 5.5 sec
This is a painful challenge to solve with angr. I should have done things in a smarter way.
Here is the binary and the script.
Author: Fish Wang (github: @ltfish)
Script runtime: 1 min 57 sec
The solution is pretty straight-forward.
Author: Fish Wang (github: @ltfish)
angr solves this challenge with almost zero user-interference.
See the script and the binary.
Author: Fish Wang (github: @ltfish)
angr solves this challenge with almost zero user-interference. Veritesting is required to retrieve the flag promptly.
The script and the binary. It takes a few minutes to run on my laptop.
Author: Audrey Dutcher (github: @rhelmot)
We solved this simple reversing challenge with angr, since we were too lazy to reverse it or run it in Windows. The resulting script shows how we grabbed the flag out of the DLL.
Author: Chris Salls (github: @salls)
This crackme is 95% solvable with angr, but we did have to overcome some difficulties. The script describes the difficulties that were encountered and how we worked around them. The binary can be found here.
Author: Fish Wang (github: @ltfish)
angr acts as a binary loader and an emulator in solving this challenge. I didn’t have to load the driver onto my Windows box.
The script demonstrates how to hook at arbitrary program points without affecting the intended bytes to be executed (a zero-length hook). It also shows how to read bytes out of memory and decode as a string.
By the way, here is the link to the intended solution from FireEye.
Author: Chris Salls (github: @salls)
This reversing challenge is simple to solve almost entirely with angr, and a lot faster than trying to reverse the password checking function. The script is here
Author: Fish Wang (github: @ltfish), ocean (github: @ocean1)
This challenge is a movfuscated binary. To find the correct password after exploring the binary with Qira it is possible to understand how to find the places in the binary where every character is checked using capstone and using angr to load the binary and brute-force the single characters of the flag. Be aware that the script is really slow. Runtime: > 1 hour.
Author: Audrey Dutcher (github: @rhelmot)
angr cannot currently solve this problem natively, as the problem is too complex for z3 to solve. Formatting the constraints to z3 a little differently allows z3 to come up with an answer relatively quickly. (I was asleep while it was solving, so I don't know exactly how long!) The script for this is here and the binary is here.
Author: Antonio Bianchi, Tyler Nighswander
ais3_crackme has been developed by Tyler Nighswander (tylerni7) for ais3 summer school. It is an easy crackme challenge, checking its command line argument.
Author: David Manouchehri (GitHub @Manouchehri)
This folder contains scripts used to solve some of the challenges with angr. At the moment it only contains the examples from the IOLI crackme suite, but eventually other solutions will be added.
Author: Bernhard Mueller (GitHub @b-mueller)
A native binary for Android/ARM that validates a license key passed as a command line argument. It was created for the symbolic execution tutorial in the OWASP Mobile Testing Guide.