Intro to Binary Analysis with Z3 and angr

Originally delivered by Sam Brown at Steelcon and hack.lu 2018, this was a three hour workshop introducing attendees to using Z3 and angr for binary analysis. The workshop provided an introduction to SMT solvers, the Z3 SMT solver and its python library and the angr binary analysis framework.

Through out the workshop exercises were provided which aimed to demonstrate potential applications of the technology to assist security researchers in carrying out reverse engineering and vulnerability research.

The slides provide a rough guide for the content and what order to try the exercises in.

Examples and Exercises

Z3

Name	Type	Description
N Queens	Example	'How can N queens be placed on an NxN chessboard so that no two of them attack each other?' Uses Z3 to generate solutions for an N * N chessboard
Hackvent 15	Example	Solution and walk through for solving a Hackvent 15 CTF challenge with Z3
Sudoku	Exercise	Try to solve Sudoku using Z3
RNG	Exercise	Optional exercises - using Z3 to find non-cryptographically secure random number generators seed value
x86	50/50	Half examples, half DIY - implement simiplified versions of x86 instructions using Z3
Opaque Predicates	Exercise	Use the instructions implemented previously to identify Opaque Predicates in small sequences of assembly instructions
Equivalence Checking	Example	Use the instructions implemented previously to identify equivalent sequences of instructions

angr

Name	Type	Description
opaque_predicates	Example	Using angr to identify opaque predicates with much less work :)
IOCTLs	Example	Identify Windows driver IOCTL codes using angr
Hello World	50/50	Exercise and walkthrough on using angr to generate valid arguments for a simple 'License Key Validator'
Bomb Lab	Exercise	DIY exercise using angr to solve a 'Bomb lab'

Setup

All code is in Python3 and you should only need to install the angr binary analysis framework.

mkvirtualenv --python=$(which python3) angr && python -m pip install angr
workon angr