针对angr提供的练习题,现在进行求解01_angr_avoid,它也是关于输入密码的问题,需要使用angr求解出正确密码。但是需要提供排除地址以减少路径求解时间。
具体代码如下所示
import angr
import sys
def main(argv):
path_to_binary = "01_angr_avoid"
project = angr.Project(path_to_binary)
initial_state = project.factory.entry_state()
simulation = project.factory.simgr(initial_state)
# Explore the binary, but this time, instead of only looking for a state that
# reaches the print_good_address, also find a state that does not reach
# will_not_succeed_address. The binary is pretty large, to save you some time,
# everything you will need to look at is near the beginning of the address
# space.
# (!)
print_good_address = 0x080485e0
will_not_succeed_address = 0x080485f2
simulation.explore(find=print_good_address, avoid=will_not_succeed_address)
if simulation.found:
solution_state = simulation.found[0]
print(solution_state.posix.dumps(sys.stdin.fileno()))
else:
raise Exception('Could not find the solution')
if __name__ == '__main__':
main(sys.argv)
我们需要确定目标地址和排除地址,此处,目标地址是0x080485e0,排除地址是0x080485f2。
目标是Good Job,所以需要求解它的指令地址。
由于try again表示再次求解,为减少路径求解时间,需要将其排除。
下面验证实验结果
执行刚刚写好的程序,保存为scaffold01.py,并将其与01_angr_avoid放于同一文件夹中,具体如下图所示。
再执行01_angr_avoid,然后需要我们输入angr刚刚求解出的密码即HUJOZMYS,结果为Good Job。
至此,求解01_angr_avoid已全部完成。