Intro to Binary Analysis with Z3 and angr

Sam Brown

hack.lu 2018
++

whoami

+ Sam Brown – @_samdb_
+ Consultant, Research team @ MWR (now F–Secure)
+ Worky worky – Secure Dev, Code Review, Product Teardowns
+ Research/home time – poking at Windows internals, browser security, playing with angr and Z3
++

Code

+ Code and setup instructions at: https://github.com/mwrlabs/z3_and_angr_binary_analysis_workshop

+ All paths in the slides are relative from the repo base
++

Schedule

13:30 - 15:15    Background & Z3
15:15 - 15:30    Break/Extra exercise time
15:30 - End       angr
Outline

1. What the Hell is Z3?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
What the Hell is Z3?

- Z3 is an SMT solver
- what
++

What the Hell is a SMT Solver?

+ Satisfiability Modulo Theories (SMT) solvers
+ what
What the Hell is a SMT Solver?

+ Built on top of SAT solvers..
+ ‘satisfiability’
+ Boolean formula in $\Rightarrow$ Can it be satisfied?
+ If so give me example values
What the Hell is a SAT Solver?

Input:

\[(a \land b) \lor (a \land \neg b)\]

\[(a \text{ AND } b) \text{ OR } (a \text{ AND } \neg b)\]
++

**CNF?**

- Conjunctive Normal Form
- an AND of ORs
- AND, OR, NOT only
- Used because any propositional logic can be converted to CNF in linear time

\[(a \land b) \lor (a \land \neg b)\]
What the Hell is a SAT Solver?

<table>
<thead>
<tr>
<th>$a$</th>
<th>$b$</th>
<th>$(a \land b) \lor (a \land \neg b)$</th>
</tr>
</thead>
<tbody>
<tr>
<td>T</td>
<td>T</td>
<td>T</td>
</tr>
<tr>
<td>T</td>
<td>F</td>
<td>T</td>
</tr>
<tr>
<td>T</td>
<td>F</td>
<td>T</td>
</tr>
<tr>
<td>F</td>
<td>T</td>
<td>F</td>
</tr>
<tr>
<td>F</td>
<td>F</td>
<td>F</td>
</tr>
</tbody>
</table>
What the Hell is a SMT Solver?

+ SMT builds on this

+ Converts constraints on integers, vectors, strings etc into forms SAT solvers can work with

+ Referred to as ‘theories’
What the Hell is a SMT Solver?

- Algebraic Datatype Solver
- Arithmetic Solver
- BitVector Solver
- Array Solver
- SAT Solver
A Peek Inside SAT Solvers – Jon Smock

https://www.youtube.com/watch?v=d76e4hV1iJY
Outline

1. What the Hell is a SMT Solver?

2. Z3-python

3. Lab - Cheating at Logic Challenges

4. Lab - Encoding CPU Instructions

5. Z3 in the Real World

6. angr!

7. Lab - Using angr in Anger

8. Wrap-up
Theorem prover from Microsoft Research

- High performance
- Well engineered
- Open source: [https://github.com/Z3Prover/z3](https://github.com/Z3Prover/z3)
Declare an integer constant ‘a’

Declare a function ‘f’ ‘int f(int, bool);’

‘a’ > 10

f(a, true) -> ret < 100

Is this possible?
If so, what might everything look like?

```
1 (declare-const a Int)
2 (declare-fun f (Int Bool) Int)
3 (assert (> a 10))
4 (assert (< (f a true) 100))
5 (check-sat)
6 (get-model)
```
A = 11

Function Definition

Ite = if then else

If arg1 == 11 and arg2 == true
Theories:
+ Functions
+ Arithmetic
+ Bit-Vectors
+ Algebraic Data Types
+ Arrays
+ Polynomial Arithmetic

Z3
Lists, trees, enums, etc
Exponentials, sine, cosine, etc
In browser tutorial: https://rise4fun.com/z3/tutorial
Z3-python


+ `pip install z3`

+ Secretly a DSL

```python
Z3_var_one and Z3_var_two != And(Z3_var_one, Z3_var_two)
```
Z3-python

>>> from z3 import *
>>> a = Int('x')
>>> b = Int('y')
>>> s = Solver()
>>> s.add(a * 15 == b)
>>> s.check()
sat
>>> s.model()
[x = 0, y = 0]
>>> s.add(a != 0)
>>> s.check()
sat
>>> s.model()
[y = 15, x = 1]
>>>
+ Z3-python

+ And(condition_one, condition_two)

+ Or(condition_one, condition_two)

+ Not(boolean_expression)
Z3-pythons

- Distinct($list) – set constraint all items in list must be unique
- BitVec('name', size) – create a bit vector of size bits
- Bool('name'), Real('name') – Boolean and real symbolic variables
- If(condition, true_result, false_result) – decision logic in Z3!
Color = Datatype('Color')
Color.declare('red')
Color.declare('green')
Color.declare('blue')
Color = Color.create()

Color, (red, green, blue) = EnumSort('Color', ('red', 'green', 'blue'))
Z3–python

Good tutorials:

+ http://ericpony.github.io/z3py-tutorial/guide-examples.htm

+ http://ericpony.github.io/z3py-tutorial/advanced-examples.htm
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
Cheating at Logic Challenges – N–Queens

How can N queens be placed on an NxN chessboard so that no two of them attack each other? /z3/n_queens

Cheating at Logic Challenges – N–Queens

How can N queens be placed on an NxN chessboard so that no two of them attack each other?

columns = [Int('col_%d' % i) for i in range(n)]
rows = [Int('row_%d' % i) for i in range(n)]
s = Solver()
Cheating at Logic Challenges – N-Queens

How can N queens be placed on an NxN chessboard so that no two of them attack each other?

```python
for i in range(n):
    s.add(columns[i] >= 0, columns[i] < n, rows[i] >= 0, rows[i] < n)

s.add(Distinct(rows))
s.add(Distinct(columns))
for i in range(n - 1):
    for j in range(i + 1, n):
        s.add(abs(columns[i] - columns[j]) != abs(rows[i] - rows[j]))
```
Cheating at Logic Challenges – N–Queens

How can N queens be placed on an NxN chessboard so that no two of them attack each other?

```python
if s.check() == sat:
    m = s.model()
```
++

Cheating at Logic Challenges – N-Queens

How can N queens be placed on an Nxn chessboard so that no two of them attack each other?

```
(anser) user@workshop:-/smt-workshop/z3/n_queens$ python solution.py 4
Solving N Queens for a 4 by 4 chess board
```

```
Q Q
Q Q
```
Cheating at Logic Challenges – Hackvent 15

We've captured a strange message. It looks like it is encrypted somehow ...

iw, hu, fv, lu, dv, cy, og, lc, gy, fq, od, lo, fq, is, ig, gu, hs, hi, ds, cy, oo, os, iu, fs, gu, lh, dq, lv, gu, iw, hv, gu, di, hs, cy, oc, iw, gc

We've also intercepted what seems to be a hint to the key:
bytwycju + yzvyjdy ^ vugljtyen + ugdznwv | xbfazioy = bzuwtwol
^ ^ ^ ^ ^
wwnnqbw - uclfqvd & oncycbxh | oqcnwbsd ^ cgyoyfjd = vyhyjivb
& & & &
yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxxd + + + + + +
yjjowdgh & niiqztgs + ctvtwysu & diffhnl - thhwohn = xsvuojtx
= = = = =
nttuhnq ^ oqbcrlzh - nshtztns ^ htwizwi + uuluvhc = syhjizjq
= = = = =
fjivucti zoljwdfl sugvqgww uxziywn jqxizzzq

https://www.hacking-lab.com
~/smt-workshop/z3/hackvent_15
Cheating at Logic Challenges – Hackvent 15

See `z3/hackvent_15/README.md` for details
Cheating at Logic Challenges – DIY Sudoku

z3/sudoku

$ workon angr

$ python skeleton.py tests.txt

Files:

+ skeleton.py => Your solution

+ solution.py => My solution

+ tests.txt => Random puzzles from http://magictour.free.fr/top100
++

Cheating at Logic Challenges – DIY Sudoku

Steps:

1. **puzzle** is a string with 81 chars, . for unknowns, ints for known values

2. Create a 9*9 grid of symbolic variables

3. Add baseline value constraints on every square

4. Add constraints for known int values to hold

5. Add unique constraints on rows/columns/squares
Cheating at Logic Challenges

DIY (If time) Java RNG seed recovery

z3/rng

Recover the seed from Java’s default insecure Random Number Generator!

See: README.md
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
++ Encoding CPU Instructions

+ Automatically analyse assembly
+ Transform instructions into constraints on registers, flags
+ Answer Q’s about sequences of instructions

z3/x86
++

Encoding CPU Instructions

+ Use a simplified example
+ No stack, memory, function support
Encoding CPU Instructions

registers.py

```python
from m3 import *

class Registers:
    def __init__(self):
        self.eax = BitVec('eax', 32)
        selfebx = BitVec('ebx', 32)
        self.ecx = BitVec('ecx', 32)
        selfedx = BitVec('edx', 32)
        self.edi = BitVec('edi', 32)
        self.esi = BitVec('esi', 32)
        self.ebp = BitVec('ebp', 32)
        self.esp = BitVec('esp', 32)
        self.eip = BitVec('eip', 32)
```
Encoding CPU Instructions

```python
from numpy import *

class Registers:
    def __init__(self):
        self.eax = BitVec('eax', 32)
        self ebx = BitVec('ebx', 32)
        self ecx = BitVec('ecx', 32)
        self edx = BitVec('edx', 32)
        self edi = BitVec('edi', 32)
        self esi = BitVec('esi', 32)
        self ebp = BitVec('ebp', 32)
        self esp = BitVec('esp', 32)
        self.eip = BitVec('eip', 32)
        self.cf = Bool('cf')
        self zf = Bool('zf')
        self.sf = Bool('sf')
        self.of = Bool('of')
```

- Carry
- Zero
- Sign
- Overflow
Encoding CPU Instructions

Xor: example - xor.py

Performs a bitwise exclusive OR (XOR) operation on the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same.

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined.

https://c9x.me/x86/html/file_module_x86_id_330.html
Encoding CPU Instructions

Add: example – add.py

Adds the first operand (destination operand) and the second operand (source operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

The ADD instruction performs integer addition. It evaluates the result for both signed and unsigned integer operands and sets the OF and CF flags to indicate a carry (overflow) in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result.

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

https://c9x.me/x86/html/file_module_x86_id_5.html
Encoding CPU Instructions

Or – DIY / Skeleton: or.py My solution: or_solution.py

Performs a bitwise inclusive OR operation between the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result of the OR instruction is set to 0 if both corresponding bits of the first and second operands are 0; otherwise, each bit is set to 1.

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined.

https://c9x.me/x86/html/file_module_x86_id_219.html
Encoding CPU Instructions

sub - DIY / Skeleton: sub.py, My solution: sub_solution.py

Subtracts the second operand (source operand) from the first operand (destination operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, register, or memory location.

(However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

The SUB instruction performs integer subtraction. It evaluates the result for both signed and unsigned integer operands and sets the OF and CF flags to indicate an overflow in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result.

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

https://c9x.me/x86/html/file_module_x86_id_308.html
Encoding CPU Instructions

Jmp: example – jmp.py

Fake this – just goes directly to operand address
### Encoding CPU Instructions

**Jnz: example - jnz.py**

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
<th>signed-ness</th>
<th>Flags</th>
<th>short jump opcodes</th>
<th>near jump opcodes</th>
</tr>
</thead>
<tbody>
<tr>
<td>JNE</td>
<td>Jump if not equal</td>
<td></td>
<td>ZF = 0</td>
<td>75</td>
<td>0F 85</td>
</tr>
<tr>
<td>JNZ</td>
<td>Jump if not zero</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

[http://unixwiz.net/techtips/x86-jumps.html](http://unixwiz.net/techtips/x86-jumps.html)
## Encoding CPU Instructions

jg - DIY, Skeleton: `jg.py`, My solution: `jg_solution.py`

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
<th>signed-ness</th>
<th>Flags</th>
<th>short jump opcodes</th>
<th>near jump opcodes</th>
</tr>
</thead>
<tbody>
<tr>
<td>JG, JNLE</td>
<td>Jump if greater</td>
<td>signed</td>
<td>ZF = 0 and SF = OF</td>
<td>7F</td>
<td>0F 8F</td>
</tr>
<tr>
<td></td>
<td>Jump if not less or equal</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

http://unixwiz.net/techtips/x86-jumps.html
++

Encoding CPU Instructions – Equivalents

Given two sequences of assembly instructions – do they have the exact same effect?

z3/equivalence_checking

http://zubcic.re/blog/experimenting-with-z3-dead-code-elimination
Encoding CPU Instructions – Opaque Predicates

- Opaque Predicate: A conditional jump which is always taken or not taken
- Code Obfuscation
- Can we auto detect them to remove them?

z3/opaque_predicates

http://zubcic.re/blog/experimenting-with-z3-proving-opaque-predicates
Real World

- Memory, stack, full flags, oddities make this harder
- ‘Lift’ instructions to a simpler (to a program!) representation
- Write constraints for the ‘simpler’ representation
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab – Cheating at Logic Challenges
4. Lab – Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab – Using angr in Anger
8. Wrap-up
Z3 in the Real World

Bond Allocations

Microsoft Sage/Microsoft Security Risk Detection

angr

**MSR’s Project Everest**

*Goal: verified HTTPS replacement*

---

**CLOUDY, WITH A CHANCE OF EXPLOITS —**

Microsoft launches “fuzzing-as-a-service” to help developers find security bugs

Project Springfield, Microsoft's "million-dollar bug detector" now available in cloud.
Z3 in the Real World

+ HACL* in Mozilla Firefox
  https://www.youtube.com/watch?v=xrZTVRICpSs

+ AWS Security
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
angr!
++

angr!

http://angr.horse

https://github.com/angr/angr-doc/blob/master/docs/examples.md
++

angr!

Components

Shoulders of Giants...

VEX  Unicorn Engine  Capstone Engine
MWR Labs

++

angr!

http://angr.io/blog/throwing_a_tantrum_part_1/
MWR Labs

angr!

Features:

- Binary Loading
- Static Analysis
- Symbolic Execution
**OS Knowledge**

<table>
<thead>
<tr>
<th>Path</th>
<th>Description</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>advapi32</td>
<td>Add prototypes and MS 64-bit CC (#925)</td>
<td>6 months ago</td>
</tr>
<tr>
<td>cgc</td>
<td>Remove IS_SYSCALL and set is_syscall when it actually matters</td>
<td>13 days ago</td>
</tr>
<tr>
<td>definitions</td>
<td>Add stub for sigaction</td>
<td>13 days ago</td>
</tr>
<tr>
<td>glibc</td>
<td>Remove deprecated names, including .se, god rest their soul</td>
<td>A month ago</td>
</tr>
<tr>
<td>libc</td>
<td>Implement syslog simprocedure</td>
<td>13 days ago</td>
</tr>
<tr>
<td>linux_kernel</td>
<td>Remove IS_SYSCALL and set is_syscall when it actually matters</td>
<td>13 days ago</td>
</tr>
<tr>
<td>linux_loader</td>
<td>Remove deprecated names, including .se, god rest their soul</td>
<td>A month ago</td>
</tr>
<tr>
<td>msvcr</td>
<td>Remove deprecated names, including .se, god rest their soul</td>
<td>A month ago</td>
</tr>
<tr>
<td>ntdll</td>
<td>Add inhibit_autoret to simprocedures, set it whenever the user perfor...</td>
<td>11 months ago</td>
</tr>
<tr>
<td>posix</td>
<td>Clean up after myself, like an adult, I guess</td>
<td>13 days ago</td>
</tr>
<tr>
<td>stubs</td>
<td>Remove IS_SYSCALL and set is_syscall when it actually matters</td>
<td>13 days ago</td>
</tr>
<tr>
<td>testing</td>
<td>A little better. things import, but SimLibraries aren't hooked up and...</td>
<td>A year ago</td>
</tr>
<tr>
<td>tracer</td>
<td>Remove IS_SYSCALL and set is_syscall when it actually matters</td>
<td>13 days ago</td>
</tr>
<tr>
<td>uclibc</td>
<td>A little better. things import, but SimLibraries aren't hooked up and...</td>
<td>A year ago</td>
</tr>
<tr>
<td>win32</td>
<td>Remove deprecated names, including .se, god rest their soul</td>
<td>A month ago</td>
</tr>
</tbody>
</table>

[https://github.com/angr/angr/tree/master/angr/procedures](https://github.com/angr/angr/tree/master/angr/procedures)
import angr
from angr.sim_type import SimTypeString

class strdup(angr.SimProcedure):
    #pylint:disable=arguments-differ

    def run(self, s):
        self.arg_types = {0: self.ty_ptr(SimTypeString())}
        self.return_type = self.ty_ptr(SimTypeString())

        strlen = angr.SIM_PROCEDURES['libc']['strlen']
        strncpy = angr.SIM_PROCEDURES['libc']['strncpy']
        malloc = angr.SIM_PROCEDURES['libc']['malloc']

        src_len = self.inline_call(strlen, s).ret_expr
        new_s = self.inline_call(malloc, src_len + 1).ret_expr

        self.inline_call(strncpy, new_s, s, src_len + 1, src_len - src_len)

        return new_s
++

angr 8!

New features:

+ All Python 3
+ Byte strings everywhere
+ Simuvex fully integrated/deprecated
+ Big speed ups in CFG recovery

http://angr.io/blog/moving_to_angr_8/
Binary Loading

+ CLE (CLE Loads Everything)  
  https://github.com/angr/cle (ELF, IdaBIn, PE, Mach-O, Blob)

+ Capstone/VEX – x86, mips, arm, ppc

+ Archinfo – https://github.com/angr/archinfo
VEX

IR from Valgrind

The following ARM instruction:

```
subs R2, R2, #8
```

Becomes this VEX IR:

```
1  t0 = GET:I32(16)
2  t1 = 0x8:I32
3  t3 = Sub32(t0,t1)
4  PUT(16) = t3
5  PUT(68) = 0x59FC8:I32
```
++

Static Analysis

+ Control Flow Graphs
+ Data Flow Graphs
+ Value Set Analysis

‘VSA is a combined numeric–analysis and pointer analysis algorithm that determines a safe approximation of the set of numeric values or addresses that each register and a–loc holds at each program point’

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.76.637&rep=rep1&type=pdf
Symbolic Execution

- Execute binary using ‘symbolic values’
- Pass constraints for each path to a constraint solver to get inputs that will reach ‘x’ point
Symbolic Execution

```
unsigned int a = read_int();
unsigned int b = read_int();
if (a > 1) {
    if (b < 20) {
        if (a * b > 30) {
            func_one();
        } else {
            func_two();
        }
    } else {
        func_three();
    }
} else {
    func_four();
}
```
Symbolic Execution

```c
unsigned int a = read_int();
unsigned int b = read_int();
if( a > 1 ){
  if( b < 20 ){
    if( a * b > 30){
      func_one();
    } else {
      func_two();
    }
  } else {
    func_three();
  }
} else {
  func_four();
}
```

- $X > 1$ and $Y < 20$
- $X > 1$ and $Y < 20$
- $X > 1$ and $Y < 20$
- $X > 1$ and $Y < 20$
- $X * Y > 30$
- $X * Y > 30$
- $X * Y < 30$
- $X * Y < 30$
(State of) The Art of War: Offensive Techniques in Binary Analysis
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
Using angr in Anger

Lots of crackme/CTF examples:

https://github.com/angr/angr-doc/tree/master/examples
Using angr in Anger

Opaque predicates, easy mode

A nice work on malware deobfuscation, in which Capstone disassembler + Z3 are used to remove opaque predicates:

zubcic.re/blog/experiments

https://twitter.com/capstone_engine/status/766632168260972547
Opaque Predicates

angr/opaque_predicates

Step through example code
Dumping IOCTL Codes

‘I/O control codes (IOCTLs) are used for communication between user-mode applications and drivers, or for communication internally among drivers in a stack.’

https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/defining-i-o-control-codes
++

Dumping IOCTL Codes

+ Consist structure and values
+ Complex dispatch functions

https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
++

Dumping IOCTL Codes

+ Step through instruction by instruction
+ Save all evaluable register values
+ Process them to find potential IOCTL codes
+ Device code must match
+ Function codes should be in a set range
++

Dumping IOCTL Codes

angr/ioctls
++

Using angr in Anger

Used in
https://github.com/mwrlabs/win_driver_plugin
++

Hello World!

workon angr

angr/hello_world

objdump -d serial.o > disas.txt
Hello World!

- Library validates serial codes
- Several routines with harsher constraints
- Let’s walk through the examples!

Note: Step through generate_serial_skeleton.py and try to fill the second function, then step through the full solutions.
++

Calling Conventions – AMD64

+ Arguments are passed in Right-to-Left

+ Return values are returned in `rax`

+ First six arguments passed in registers: `rdi`, `rsi`, `rdx`, `rcx`, `r8`, `r9`

+ Any other arguments passed on the stack

```
int foo(int a, int b, int c, int d, int e, int f, int g)
```
++

Passing arguments

```python
arg = state.solver.BVS('serial', 8 * 128)
# Place the symbolic variable at a specific address
rand_addr = 0x00000000041414141
state.memory.store(rand_addr, arg)
# And then make rdi hold a pointer to it as the first argument
state.add_constraints(state.regs.rdi == rand_addr)
```
Evaluating symbolic variables

```python
sm = p.factory.simulation_manager(state)
sm.explore(find=base + 0x870, avoid=base + 0xaf5)
found = sm.found[0]
answer = found.solver.eval(arg, cast_to=str)
```
++

**Bomb lab! DIY!**

workon angr

angr/bomb_lab

```
(angr) user@Workshop:/Path/Workshop/angr/bomb_lab$ ls
bomb  bomb.c  bomb.h  Makefile  README.md  skeleton.py  solution.py
```
++

Bomb Lab

+ objdump -d bomb > disas.txt

+ **Note:** kaboom and phase_defused

```c
#pragma once
void phase_defused(void);
void kaboom(void);
void phase_one(char *);
void phase_two(char *, char *, char *);
void phase_three(int, int, int, int);
void phase_four(unsigned int *);
void phase_five(unsigned int *);
void phase_six(char *);
```
Cool angr Projects

+ CGC entry: https://github.com/mechaphish

+ AFL + angr for fuzzing:
  https://github.com/shellphish/driller

+ Heap analysis:
  https://github.com/angr/heaphopper
Outline

1. What the Hell is a SMT Solver?
2. Z3-python
3. Lab - Cheating at Logic Challenges
4. Lab - Encoding CPU Instructions
5. Z3 in the Real World
6. angr!
7. Lab - Using angr in Anger
8. Wrap-up
++

Wrap-up

Credits, people that did the hard work:

+ Dennis Yurichev
+ The angr team
+ Tomislav Zubcic
+ Sean Heelan
Further Reading

Great resource:

https://yurichev.com/writings/SAT_SMT_draft–EN.pdf

Great paper: