使用符号化寄存器
import angr
import claripy
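def main():
    """Solve the ``03_angr_symbolic_registers`` angr_ctf level.

    The binary's check depends on three 32-bit values held in ``eax``,
    ``ebx`` and ``edx``.  Rather than simulating the input routine, execution
    starts at ``start_address`` from a blank state whose three registers are
    fresh symbolic bitvectors; symbolic exploration then looks for a path
    that prints ``Good Job`` while discarding paths that print ``Try again``.

    Prints the three register values (lower-case hex, space separated) on
    success.

    Raises:
        Exception: if no state reaching the success output is found.
    """
    path_to_binary = "./03_angr_symbolic_registers"
    # auto_load_libs=False keeps the real shared libraries out of the
    # simulation, so only the target binary itself is analysed.
    project = angr.Project(path_to_binary, auto_load_libs=False)
    # Presumably the address just after the input-reading code, so that the
    # registers set below are exactly the values the program goes on to
    # check — confirm against a disassembly of the binary.
    start_address = 0x08048980
    initial_state = project.factory.blank_state(addr=start_address)

    passwd_size_in_bits = 32  # width of a 32-bit general-purpose register
    # Give each symbolic value its own name: the original labelled all three
    # 'passwd0', which makes constraints and debug output hard to tell apart.
    pw0 = claripy.BVS('passwd0', passwd_size_in_bits)
    pw1 = claripy.BVS('passwd1', passwd_size_in_bits)
    pw2 = claripy.BVS('passwd2', passwd_size_in_bits)
    # Seed the registers the program checks with the symbolic values.
    initial_state.regs.eax = pw0
    initial_state.regs.ebx = pw1
    initial_state.regs.edx = pw2

    simulation = project.factory.simgr(initial_state)

    def is_successful(state: angr.SimState) -> bool:
        """Return True when the state's stdout (fd 1) contains ``Good Job``."""
        return b"Good Job" in state.posix.dumps(1)

    def should_abort(state: angr.SimState) -> bool:
        """Return True when the state's stdout (fd 1) contains ``Try again``."""
        return b"Try again" in state.posix.dumps(1)

    simulation.explore(find=is_successful, avoid=should_abort)

    if not simulation.found:
        raise Exception("Could not find the solution")

    # Every found state satisfies the goal; use the first one explicitly
    # instead of looping through the list and keeping whichever came last.
    solution_state = simulation.found[0]
    # Concrete values for the three symbolic registers, formatted as bare hex.
    solution0 = format(solution_state.solver.eval(pw0), 'x')
    solution1 = format(solution_state.solver.eval(pw1), 'x')
    solution2 = format(solution_state.solver.eval(pw2), 'x')
    solution = ' '.join((solution0, solution1, solution2))
    print("[+] Success! Solution is: {}".format(solution))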
if __name__ == "__main__":
    # Run the solver only when executed as a script, never on import.
    main()