Angr安装与使用之使用篇（九）

针对angr提供的练习题，现在进行求解08_angr_constraints，需要使用angr求解出正确密码。
具体代码如下所示

import angr
import claripy
import sys

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  start_address = 0x8048625
  initial_state = project.factory.blank_state(addr=start_address)

  password = claripy.BVS('password', 128)

  password_address = 0x804a050  #求解入口地址
  initial_state.memory.store(password_address, password)

  simulation = project.factory.simgr(initial_state)

  # Angr will not be able to reach the point at which the binary prints out
  # 'Good Job.'. We cannot use that as the target anymore.
  address_to_check_constraint = 0x08048565    #此外为check_equals_AUPDNNPROEZRJWKB函数的开始地址
  simulation.explore(find=address_to_check_constraint)

  if simulation.found:
    solution_state = simulation.found[0]

    # check_equals_AUPDNNPROEZRJWKB函数的使用是输入constrained_parameter_address与constrained_parameter_size_bytes
    constrained_parameter_address = 0x804a050     
    constrained_parameter_size_bytes = 0x10
    constrained_parameter_bitvector = solution_state.memory.load(constrained_parameter_address,constrained_parameter_size_bytes)
    
    constrained_parameter_desired_value = 'AUPDNNPROEZRJWKB' # :string

    # 构造一个表达式，判断constrained_parameter_bitvector与'AUPDNNPROEZRJWKB' 是否相等
    constraint_expression = constrained_parameter_bitvector == constrained_parameter_desired_value
    
    #并将表达式作为求解约束
    solution_state.add_constraints(constrained_parameter_bitvector == constrained_parameter_desired_value)

    solution = solution_state.solver.eval(password,cast_to=bytes)

    print('solution is: ',solution.decode('utf-8'))
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

输入的入口地址为0x804a050，且其大小为16*8。

check_equals_AUPDNNPROEZRJWKB函数的开始地址为0x08048565。

下面验证实验结果
执行刚刚写好的程序，保存为scaffold08.py，并将其与08_angr_constraints放于同一文件夹中，具体如下图所示。

再执行08_angr_constraints，然后需要我们输入angr刚刚求解出的密码，结果为Good Job。

至此，求解08_angr_constraints已全部完成。