NTUSTxTDOH Information Security Fundamentals Workshop: Basic Reverse Engineering Training (NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練)

The basic concepts needed for an easy introduction to reverse engineering.
An introductory walk through ROP, Buffer Overflow, the CRT and Fuzzing.

Exercises and source code from the slides:
https://github.com/aaaddress1/NTUSTxTDOH-Reversing-Game

1. TEEMO KNOWS BINARY. TDOH x TAIWAN TECH 2015/11/29. aaaddress1
2. SELF INTRODUCTION ➤ 馬聖豪 (aaaddress1) ➤ Second-year Computer Science and Information Engineering student, I-Shou University ➤ Reverse Engineering Skills ➤ Windows / Mac OS / Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86 Static Sleight-of-Hand Deception (x86靜態手花詐欺術) ➤ Wooyun WhiteHat: x86 Sleight-of-Hand Deception (x86手花詐欺) ➤ Feng Chia University 2015 Mobile Computing Conference: AIDS ➤ National Cheng Kung University 2015 Mobile App Competition
3. SELF INTRODUCTION ➤ Hack BOT ➤ CrackShield / MapleHack ➤ Tower Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通 anti-ping-flood ➤ CSharp, VB, C/CPlus, x86, Python, Smali, Swift
4. OUTLINE ➤ main() is not the real main ➤ OllyDBG: Baby First (Exam) ➤ Return-oriented Programming ➤ Overflow: Revo Wolf (Exam) ➤ Fuzzing ➤ Make a fuzzer in C++ ➤ How to fuzz with Z3
5. SWEET REMINDER. Tool: https://goo.gl/4sJRtB Exam: https://goo.gl/xUYkoz
6. REALLY MAIN
7. REALLY MAIN
8. REALLY MAIN
9. REALLY MAIN
10. REALLY MAIN
11. REALLY MAIN
12. REALLY MAIN
13. REALLY MAIN: _Start
14. REALLY MAIN
15. REALLY MAIN: Parameter, Data
16. REALLY MAIN ➤ The label “_start” is the real main. ➤ CRTStartUp is invoked from “_start” (to initialize RTC, new/delete, the arguments, etc.). ➤ To find the programmer’s main (normal C++ compile): ➤ find the address that calls GetCommandLine ➤ find the address that calls exit() or cexit() ➤ the programmer’s main is called between them.
17. DEMO: Olly Debugger: Really Main
18. EXAM: Olly Debugger: Baby First & Take a break!
19. ROP: Return-oriented Programming
20. WE NEED TO KNOW MORE BEFORE ROP
21. X86 CALLING CONVENTION & STACK FRAMES
22. ROP
23. ROP
24. ROP
25. ROP
26. ROP
27. ROP ➤ [EBP+0] = pointer to old EBP ➤ [EBP+4] = return address ➤ [EBP+8] = first parameter ➤ [EBP+C] = second parameter ➤ [EBP+10] = third parameter ➤ … etc. ➤ [EBP+8 + 4*index] = Parameter[index]
28. ROP. void func() { int a = 0; int b = 1; int c = 2; } ⇒ [EBP-4] = 0, [EBP-8] = 1, [EBP-C] = 2. Prologue: push ebp; mov ebp, esp; sub esp, LEN
29. ROP. void func() { nFunc(arg1, arg2, arg3, …); } ⇒ push ebp; mov ebp, esp; …; push arg3; push arg2; push arg1; call nFunc
30. ROP
31. ROP
32. ROP
33. ROP
34. WHY?
35. ROP. Stack: ESP+0 | ESP+4 | ESP+8 | ESP+C | ESP+10 | ESP+14
36. ROP. Stack: ESP+0: Old EBP | ESP+4 | ESP+8 | ESP+C | ESP+10 | ESP+14 | _______EIP
37. ROP. Stack: EBP+0 (=ESP): Old EBP | EBP+4 | EBP+8 | EBP+C | EBP+10 | EBP+14 | _______EIP
38. ROP. Stack: EBP-8 (=ESP): Buffer | EBP-4: Buffer | EBP+0: Old EBP | EBP+4 | EBP+8 | EBP+C | _______EIP
39. ROP. Stack: EBP-8 (=ESP): 1 | EBP-4: Buffer | EBP+0: Buffer | EBP+4: Old EBP | EBP+8 | EBP+C | _______EIP
40. ROP. Stack: EBP-8 (=ESP): return Address | EBP-4: 1 | EBP+0: Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C | _______EIP
41. ROP. Stack: EBP-8 (=ESP): return Address | EBP-4: 1 | EBP+0: Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C
42. ROP. Stack: EBP-8 (=ESP): EBP | EBP-4: return Address | EBP+0: 1 | EBP+4: Buffer | EBP+8: Buffer | EBP+C: Old EBP | _______EIP
43. ROP. Stack: EBP+0 (=ESP): EBP | EBP+4: return Address | EBP+8: 1 | EBP+C: Buffer | EBP+10: Buffer | EBP+14: Old EBP | _______EIP
44. ROP. Stack: EBP+0 (=ESP): EBP | EBP+4: return Address | EBP+8: 1 | EBP+C: Buffer | EBP+10: Buffer | EBP+14: Old EBP | _______EIP
45. ROP. _______EIP Stack: EBP-8 (=ESP): return Address | EBP-4: 1 | EBP+0: Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C
46. ROP. _______EIP Stack: EBP-8 (=ESP): return Address | EBP-4: 1 | EBP+0: Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C
47. ROP. Stack: EBP-4 (=ESP): 1 | EBP+0: Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C | EBP+10 | _______EIP
48. ROP. Stack: EBP+0 (=ESP): Buffer | EBP+4: Buffer | EBP+8: Old EBP | EBP+C | EBP+10 | _______EIP
49. LET’S PLAY WITH BEEF OVERFLOW
50. BOF: OVERFLOW AND RIP…
51. BUFFER OVERFLOW ➤ We can only look at the application; we cannot modify it. ➤ So how do we exploit it? ➤ Overflow the local variables (the EBP+N slots are our good friends). ➤ Do something to get control of EIP/RIP.
52. BUFFER OVERFLOW: [EBP-8], [EBP-10]
53. BUFFER OVERFLOW
54. BUFFER OVERFLOW
55. BUFFER OVERFLOW
56. BUFFER OVERFLOW
57. BUFFER OVERFLOW
58. BUFFER OVERFLOW: How to make data == “admin”?
59. BUFFER OVERFLOW: [EBP-8], [EBP-10]
60. BUFFER OVERFLOW. Stack
61. BUFFER OVERFLOW. Stack: ESP: Old EBP | _______EIP
62. BUFFER OVERFLOW. Stack: EBP (=ESP): Old EBP | _______EIP
63. BUFFER OVERFLOW. Stack: EBP-10: Buffer | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP
64. BUFFER OVERFLOW. Stack: EBP-10: Buffer | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. Variable “name”
65. BUFFER OVERFLOW. Stack: EBP-10: Buffer | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. Variable “data”
66. BUFFER OVERFLOW. Stack: EBP-10: Buffer | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP
67. BUFFER OVERFLOW. Stack: EBP-10: Buffer | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. If you input “aaaa”
68. BUFFER OVERFLOW. Stack: EBP-10: aaaa | EBP-C: Buffer | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. If you input “aaaa”
69. BUFFER OVERFLOW. Stack: EBP-10: aaaa | EBP-C: BBBB | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. If you input “aaaaBBBB”
70. BUFFER OVERFLOW. Stack: EBP-10: REVO | EBP-C: WOLF | EBP-8: 0x6C6C6548 = “lleH” | EBP-4: 0x0000216F = “\x00\x00!o” | EBP (=ESP): Old EBP | _______EIP. If you input “OVERFLOW”
71. IF WE INPUT MORE WORDS…? MAGIC!
72. BUFFER OVERFLOW. Stack: EBP-10: REVO | EBP-C: WOLF | EBP-8: revo | EBP-4: wolf | EBP (=ESP): Old EBP | _______EIP. If you input “OVERFLOWoverflow”
73. BUFFER OVERFLOW. Stack: EBP-10: AAAA | EBP-C: AAAA | EBP-8: imda | EBP-4: \x00\x00\x00n | EBP (=ESP): Old EBP | _______EIP. So, we can input “AAAAAAAAadmin”
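The name/data frame of slides 63 to 73, as an added example that is not part of the deck: a byte-level model of the frame in which an unbounded strcpy-style copy sits beside a length-checked copy, so that you can see exactly which slots a given input reaches and why the bounded read stops the spill. The saved EBP and return address values are constructed placeholders.

```python
import struct

# Frame model from the slides (x86, offsets relative to EBP):
#   [EBP-0x10] name  (8 bytes)  <- user input is copied here
#   [EBP-0x08] data  (8 bytes)  "Hello!\0\0" = 0x6C6C6548, 0x0000216F
#   [EBP+0x00] saved EBP, [EBP+0x04] return address (the slides' EIP arrow)
EBP = 0x10                       # index of EBP inside the 24-byte model
SLOTS = {"name": (-0x10, 8), "data": (-0x08, 8),
         "saved EBP": (0x00, 4), "return address": (0x04, 4)}


def new_frame():
    """Fresh frame: data = "Hello!", constructed saved EBP / return address."""
    frame = bytearray(24)
    frame[8:16] = struct.pack("<II", 0x6C6C6548, 0x0000216F)   # "Hell" "o!\0\0"
    frame[16:24] = struct.pack("<II", 0x0028FF88, 0x00401234)  # constructed values
    return frame


def read_slot(frame, slot):
    off, size = SLOTS[slot]
    return bytes(frame[EBP + off:EBP + off + size])


def data_dwords(frame):
    """data as the two DWORDs the slides print, e.g. 0x6C6C6548 ("lleH")."""
    return struct.unpack("<II", read_slot(frame, "data"))


def unsafe_copy(frame, user_input):
    """strcpy / scanf("%s")-style: the whole input plus NUL, no length check."""
    start = EBP + SLOTS["name"][0]
    data = (user_input + b"\x00")[:len(frame) - start]  # model ends at frame end
    frame[start:start + len(data)] = data


def safe_copy(frame, user_input):
    """fgets(name, sizeof name)-style: at most 7 bytes plus the terminating NUL."""
    start, size = EBP + SLOTS["name"][0], SLOTS["name"][1]
    data = user_input[:size - 1] + b"\x00"
    frame[start:start + len(data)] = data


def clobbered_slots(frame):
    """Slots other than name whose bytes differ from a fresh frame."""
    fresh = new_frame()
    return [s for s in SLOTS
            if s != "name" and read_slot(frame, s) != read_slot(fresh, s)]


def data_cstring(frame):
    """data as the C string the program compares against "admin"."""
    return read_slot(frame, "data").split(b"\x00", 1)[0]
```

With the unbounded copy, “AAAAAAAAadmin” lands exactly as slide 73 draws it (data becomes “admin”), and a 20-byte input reaches the saved EBP and the return address; the bounded copy leaves data untouched whatever the input length.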
74. BUFFER OVERFLOW
75. DANGER FUNCTIONS: #include <iostream>; printf, fprintf, snprintf, vprintf, … etc.
76. DEMO: Overflow
77. EXAM: Overflow: Revo wolf & Take a break!
78. EXAM: Overflow: 7$BUY TICKETS & Take a break!
79. EXAM: Overflow: Lee Sin can Read & Take a break!
80. FUZZING: Fuzzing the key with Z3.py
81. WHAT IS FUZZING? “Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software.” (From Wikipedia)
82. When do we need to fuzz? A. To prove that something is always true B. Fuzzing for something unexpected C. Fuckinnnnnnnnnnnnng Crypto D. There are a lot of choices; find the one that is correct
83. FUZZING FOR WHAT?
84. You said: getting the key is easy?
85. YOU THINK REVERSING IS: SOLVING PROBLEMS? BRAIN FUCKING (O)
86. FUZZING
87. FUZZING: Key = adr. ‘a’ = 0x61, ‘d’ = 0x64, ‘r’ = 0x72
88. FUZZING
89. FUZZING: Key = adr ⇒ 0x00726461 = \x00\x72\x64\x61 = “\x00adr”
90. FUZZING
91. FUZZING: How to find the key matching the factors?
92. MAKE A MINI FUZZER IN C PLUS PLUS
93. Check the current temp key.
94. 0x20 to 0x7E: the visible ASCII character range.
95. Display it to us.
96. BUT… IF THE LENGTH OF THE KEY ISN’T JUST 3 CHARACTERS?
97. Z3 Prove Tool
98. Z3 BEGIN ➤ Get and install Python 2.7 ✴ Z3.py script environment ✴ www.python.org ➤ You can use Python basically ➤ Get Z3.py for Windows ✴ Prove tool ✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows
99. Riddle ➤ Brainless ➤ Very soft ➤ Poisonous hands
100. FUZZING (Z3): Include the Z3 functions in your Python script, like you use #include <iostream> in C++.
101. FUZZING (Z3): BitVec(“Name”, BitCount). For example: 1. char a ⇒ a = BitVec(“a”, 8) 2. short b ⇒ b = BitVec(“b”, 16) 3. int c ⇒ c = BitVec(“c”, 32) ⇒ Int(“c”) 4. bool e ⇒ e = BitVec(‘e’, 8)
102. FUZZING (Z3): solve(all rules): Z3 will automatically fuzz all the variables and find a result (JUST ONE RESULT!). Then it prints the results of all variables.
103. FUZZING (Z3): If you have a looooot of rules, you can use Solver(). Solver.add() remembers all the rules you requested.
104. FUZZING (Z3): If you want to check whether the current rules can come true, just use Solver.check().
105. FUZZING (Z3): If Z3 cannot find any result, check() replies “unsat”.
106. FUZZING (Z3): If Z3 can find a result, check() replies “sat”.
107. FUZZING (Z3): Finally, if you get “sat”, you can use Solver.model(); it holds a result. Use model[VariableName] and get the answer as a string.
108. FUZZING (Z3): So, how to fuzz the key with z3?
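The brute-force mini fuzzer of slides 92 to 96 and the Z3 approach of slides 100 to 108 side by side, as an added example that is not the deck's own code: the binary's real key check only appears as a screenshot, so `check_key` is a constructed stand-in whose only solution is the slides' key “adr” packed as 0x00726461, and z3 is treated as an optional dependency (`solve_key` returns None when it is missing).

```python
import itertools

try:
    import z3                 # optional: pip install z3-solver
except ImportError:
    z3 = None

# CONSTRUCTED stand-in for the binary's key check (an image on the slides):
# the key is packed into one little-endian DWORD, "adr" -> 0x00726461, and an
# LCG-style multiply-add mod 2^32 of it must hit TARGET.  The multiplier is
# odd, so the map is a bijection and "adr" is the only 32-bit preimage.
MUL, ADD, MASK = 0x343FD, 0x269EC3, 0xFFFFFFFF
TARGET = 0x8E9C35A0            # = (0x00726461 * MUL + ADD) & MASK
PRINTABLE = range(0x20, 0x7F)  # visible ASCII, the range the slides' fuzzer walks


def pack_key(key):
    """b"adr" -> 0x00726461, i.e. the bytes x61 x64 x72 x00 read as a DWORD."""
    return int.from_bytes(key.ljust(4, b"\x00"), "little")


def check_key(packed):
    return ((packed * MUL + ADD) & MASK) == TARGET


def fuzz_key(length):
    """Mini fuzzer: 95**length candidates; fine for 3 chars, hopeless for 8."""
    for combo in itertools.product(PRINTABLE, repeat=length):
        if check_key(pack_key(bytes(combo))):
            return bytes(combo)
    return None


def solve_key(length):
    """Z3: one 8-bit BitVec per char, packed exactly like pack_key.
    Returns None when check() is unsat (or when z3 is not installed)."""
    if z3 is None or not 1 <= length <= 4:
        return None
    chars = [z3.BitVec("c%d" % i, 8) for i in range(length)]
    # Concat puts its first argument in the high bits, so the reversed list
    # builds the little-endian DWORD: c2<<16 | c1<<8 | c0.
    bv = chars[0] if length == 1 else z3.Concat(*reversed(chars))
    packed = z3.ZeroExt(32 - 8 * length, bv) if length < 4 else bv
    s = z3.Solver()
    for c in chars:                        # rule: every byte is visible ASCII
        s.add(z3.UGE(c, 0x20), z3.ULE(c, 0x7E))
    s.add(packed * MUL + ADD == TARGET)    # BitVec arithmetic is already mod 2^32
    if s.check() != z3.sat:
        return None                        # "unsat": no key of this length fits
    m = s.model()
    return bytes(m[c].as_long() for c in chars)
```

Asking either function for a 2-character key shows the “unsat” case from slide 105: no printable 16-bit key satisfies the constructed check, so both return None.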
109. DEMO: Fuzzing with z3.py
110. EXAM: Fuzzing: ShacoBuysCrusts & Take a Break!
111. EXAM: Fuzzing: AIS3 Final Exam Binary
112. Q&A: aaaddress1@gmail.com
