[PYTHON] Guess the password with klee

Introduction

I heard that there is something called klee, so I tried to identify the password, so I leave a memorandum. I don't understand the specifics at all, so I just moved.

Problem to solve

I targeted the check_password () function introduced in the Using symbolic environment of the klee tutorial. This function returns 1 when the password hello is entered, and 0 otherwise.

password.c


#include <stdio.h>

int check_password(char *buf) {
  if (buf[0] == 'h' && buf[1] == 'e' &&
      buf[2] == 'l' && buf[3] == 'l' &&
      buf[4] == 'o')
    return 1;
  return 0;
}

int main(int argc, char **argv) {
  if (argc < 2)
     return 1;
  
  if (check_password(argv[1])) {
    printf("Password found!\n");
    return 0;
  }

  return 1;
}

The tutorial explains how to generate a test case that includes command line arguments, but in this article we aimed to actually ask for a password.

Actually ask for a password

From here, the password is actually obtained by symbolic execution.

Code to execute

There are two klee functions used this time.

In the sample code, the command line argument char ** argv is taken, but this time it is rewritten tochar pass [6]as long as symbolic execution can be performed.

password.c


#include <stdio.h>
#include "klee/klee.h"

int check_password(char *buf) {
    if (buf[0] == 'h' && buf[1] == 'e' &&
        buf[2] == 'l' && buf[3] == 'l' &&
        buf[4] == 'o')
        return 1;
    return 0;
}

int main(void) {
    char pass[6];

    klee_make_symbolic(pass, sizeof(pass[0]) * 6, "pass");
    if (check_password(pass)) {
        printf("Password found!\n");
    	klee_assert(0);
        return 0;
    }
    return 1;
}

Execution method

Just hit the klee command after running clang. In the part of / home / klee / klee_src / include, specify the path of klee according to your environment. If you are using docker, you can leave the example below as it is.

$ clang -I /home/klee/klee_src/include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone password.c
$ klee password.bc

Execution result and password

When executed, the following result will be obtained. image.png

From this content, you can see that the result was output to the directory klee-out-0, so take a look. image.png

Multiple files called .ktest are output, but each is a test case. Use the ktest-tool command to see this .ktest file.

In the code executed this time, if the passwords match, the process is interrupted with klee_assert. So, if you look at the test case where .assert.err exists (test000005.ktest), you can get the password. image.png

at the end

When I first heard it, I thought that klee was a tool that would analyze if I passed a binary like angr, but this method requires a procedure to add klee / klee.h etc. to the source code. It seems. I would like to find out if there is an easy way to use it even when I only have the binary.

Recommended Posts

Guess the password with klee
Password the PDF
Insert the debugger with nose
Kill the process with sudo kill -9
gethostbyaddr () communicates with the outside
scraping the Nikkei 225 with playwright-python
Check the code with flake8
Calibrate the model with PyCaret
Call the API with python3.
Password management with python: keyring
Play with the password mechanism of GitHub Webhook and Python
Decrypt the QR code with CNN
Extract the xz file with python
Extract the maximum value with pandas.
Color the integration interval with matplotlib.pyplot
Use the preview feature with aws-cli
Follow the file hierarchy with fts
Specifying the date with the Twitter API
The universe is dangerous with PyEphem
Pave the road with combinatorial optimization
Get the weather with Python requests
Get the weather with Python requests 2
Find the Levenshtein Distance with python
Explore the maze with reinforcement learning
Finding the simplest mistakes with OpenCV
Hit the Etherpad-lite API with Python
Install the Python plugin with Netbeans 8.0.2
Output the call graph with PyCallGraph
Install the data files with setup.py
Download the file deployed with appcfg.py
Debug the script with Sakura Editor
I liked the tweet with python. ..
Using cgo with the go command
[Python] Generate a password with Slackbot
Password generation in texto with python
Master the type with Python [Python 3.9 compatible]
Hit the top command with htop
Try blurring the image with opencv2
Validate the learning model with Pylearn2
Open the file with the default app
Prepare the development environment with anyenv