🪴 Cyril

angr 使用符号化栈上的值

1分钟阅读

使用符号化栈上的值

import angr  
import claripy  
  
  
def main():  
    path = "./04_angr_symbolic_stack"  
    project = angr.Project(path, auto_load_libs=False)  
    start_addr = 0x08048697  
    initial_state = project.factory.blank_state(addr=start_addr)  
  
    initial_state.regs.esp = initial_state.regs.ebp  
    initial_state.regs.esp -= 0x8  
  
    key0 = claripy.BVS('key0', 32)  
    key1 = claripy.BVS('key1', 32)  
  
    initial_state.stack_push(key0)  
    initial_state.stack_push(key1)  
  
    simulation = project.factory.simgr(initial_state)  
  
    def is_successful(state: angr.SimState):  
        output = state.posix.dumps(1)  
        if b"Good Job." in output:  
            return True  
        else:  
            return False  
  
    def should_abort(state: angr.SimState):  
        output = state.posix.dumps(1)  
        if b"Try again." in output:  
            return True  
        else:  
            return False  
  
    simulation.explore(find=is_successful, avoid=should_abort)  
  
    if simulation.found:  
        for i in simulation.found:  
            solution_state = i  
            s0 = solution_state.solver.eval(key0)  
            s1 = solution_state.solver.eval(key1)  
            print(s0, s1)  
  
    else:  
        raise Exception("could not find the solution")  
  
  
if __name__ == '__main__':  
    main()```

关系图谱

最近笔记

反向链接