angr 03_angr_symbolic_registers: symbolizing registers
Posted by 漫小牛
03_angr_symbolic_registers is the fourth example in angr_ctf; download it from https://github.com/jakespringer/angr_ctf
1 Solution process
import angr
import sys
import claripy

def main(argv):
    bin_path = argv[1]
    p = angr.Project(bin_path)
    # Start execution from this address with a blank state rather than from the entry point
    start_addr = 0x08048980
    init_state = p.factory.blank_state(addr=start_addr)
    # Create symbolic bitvectors (32 bits each, the width of the registers)
    pass1 = claripy.BVS('pass1', 32)
    pass2 = claripy.BVS('pass2', 32)
    pass3 = claripy.BVS('pass3', 32)
    # Place the symbolic values in the registers that hold the three inputs
    init_state.regs.eax = pass1
    init_state.regs.ebx = pass2
    init_state.regs.edx = pass3
    sm = p.factory.simulation_manager(init_state)

    # Predicates on the program's stdout that select the success and failure paths
    def is_good(state):
        return b'Good Job' in state.posix.dumps(1)

    def is_bad(state):
        return b'Try again' in state.posix.dumps(1)

    sm.explore(find=is_good, avoid=is_bad)
    if sm.found:
        found_state = sm.found[0]
        # Ask the solver for concrete register values that reach the "Good Job" path
        password1 = found_state.solver.eval(pass1)
        password2 = found_state.solver.eval(pass2)
        password3 = found_state.solver.eval(pass3)
        # print("Solution: {} {} {}".format(password1, password2, password3))
        print("Solution: {:x} {:x} {:x}".format(password1, password2, password3))
    else:
        raise Exception("No solution found")

if __name__ == '__main__':
    main(sys.argv)
Run the following command:
python 03.py 03_angr_symbolic_registers
which gives the solution:
Solution: b9ffd04e ccf63fe8 8fd4d959
Feeding this solution to the program as its input confirms that it is correct:
(angr) dist$ ./03_angr_symbolic_registers
Enter the password: b9ffd04e ccf63fe8 8fd4d959
Good Job.