The Taming of Gorynych 2, or Symbolic Execution in Ghidra



We are pleased and even proud to publish this article. First, because the author, Nalen98, is a member of our Summ3r of h4ck program. And secondly, because this is a research work with a continuation, which is doubly interesting. Link to the first part.



Good afternoon!



Digital Security , . «Summer of Hack 2020» « Ghidra». , Ghidra. , , ? , , . .



- , , Kao’s Toy Project Triton. – .








, , . , / . . SMT-. , , « » (satisfied) « » (unsatisfied). , . , .



, (SSE, emulated) (DSE, concolic). , . CPU, , . , , .



DSE, SSE, , , , ( – "Practical Binary Analysis" by Dennis Andriesse).








Triton. . SSE, DSE. (x86, x86-64, ARM32, Arch64), , API Ghidr-. Triton .



KLEE. , , , - . llvm-. , KLEE clang- llvm- (.bc) . llvm- ( ), , KLEE . Pcode llvm, Ghidra-to-LLVM. . , 32- , .ll-, llvm- llvm-as llvm- KLEE . KLEE , .



S2E. QEMU TCG TCG LLVM. , Python3. , , Ghidra Jython 2.x, , , Ghidr-. , , Python3, . S2E , Ghidr- .



SymCC. , C-. : , , KLEE clang-, SymCC. . , . , Ghidr- , , .



angr. , API, . , , Python3 , Ghidra , angr- , , Ghidr-. .






: , JSON-, « angr-», , .



Ghidra GUI, , . , Ghidra stdin stdout , DecompileProcess DecompInterface. Ghidra.



. , , angr-a ctf-. , . Ghidra, Java, IDE Eclipse.



GUI 4 :



  • AngryGhidraPlugin.java
  • AngryGhidraProvider.java
  • AngryGhidraPopupMenu.java – Ghidr-, angr-.
  • HookCreation.java





  • Auto load libs
  • Find Address – («License key is validated!»).
  • Blank State – angr-a.
  • Avoid addresses – angr «avoid».
  • Arguments – (argv[1], argv[2] ..).
  • Hooks – Kao’s Toy Project.
  • Store symbolic vector
  • Write to memory – Kao’s Toy Project, Installation ID, 0x4093a8. Ghidr-, AngryGhidraPlugin -> Apply patched bytes.
  • Registers







, Kao’s Toy Project AngryGhidra.





, – toyproject.exe , Installation ID.





0x4093a8, Installation ID.





, Ghidra , angr ( PyVEX SimEngine). , Installation ID , . – Ghidra.



0x4093a8 Installation ID, AngryGhidraPlugin -> ApplyPatchedBytes:








Congratulations! Now write a keygen and tutorial! , . 0x40123b, Find Address , , AngryGhidraPlugin -> Set -> Find Address. .



That is just wrong. Try harder! , 0x401250 Avoid Address. .



(Blank State) , . 0x4010ec. Blank State Address, .








. 0x4010ec , .





, . , EDX EBX . ? .



, 0x40109d:





, 4 , xor- .



AngryGhidraPlugin 0x4010ff, EDX EBX 4 .





, Run !















! ! AngryGhidra .



Digital Security , , — (@e13fter) (@dura_lex), (dukebarman)!



Github: AngryGhidra.



