This post works through 08_angr_constraints from the angr_ctf exercise set: angr has to recover the correct password.
The full script is shown below.
```python
import angr
import claripy
import sys


def main(argv):
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    start_address = 0x8048625
    initial_state = project.factory.blank_state(addr=start_address)
    password = claripy.BVS('password', 128)
    password_address = 0x804a050  # address of the input buffer we solve for
    initial_state.memory.store(password_address, password)
    simulation = project.factory.simgr(initial_state)
    # Angr will not be able to reach the point at which the binary prints out
    # 'Good Job.'. We cannot use that as the target anymore.
    address_to_check_constraint = 0x08048565  # start address of the check_equals_AUPDNNPROEZRJWKB function
    simulation.explore(find=address_to_check_constraint)
    if simulation.found:
        solution_state = simulation.found[0]
        # check_equals_AUPDNNPROEZRJWKB takes the buffer address (constrained_parameter_address)
        # and its size in bytes (constrained_parameter_size_bytes) as its inputs
        constrained_parameter_address = 0x804a050
        constrained_parameter_size_bytes = 0x10
        constrained_parameter_bitvector = solution_state.memory.load(
            constrained_parameter_address, constrained_parameter_size_bytes)
        # bytes rather than str: claripy would otherwise encode the str to UTF-8 with a warning
        constrained_parameter_desired_value = b'AUPDNNPROEZRJWKB'
        # Build an expression stating that constrained_parameter_bitvector equals 'AUPDNNPROEZRJWKB'
        constraint_expression = constrained_parameter_bitvector == constrained_parameter_desired_value
        # and add that expression as a solver constraint
        solution_state.add_constraints(constraint_expression)
        solution = solution_state.solver.eval(password, cast_to=bytes)
        print('solution is: ', solution.decode('utf-8'))
    else:
        raise Exception('Could not find the solution')


if __name__ == '__main__':
    main(sys.argv)
```
The input buffer lives at address 0x804a050 and is 16*8 bits (16 bytes) in size.
The check_equals_AUPDNNPROEZRJWKB function starts at address 0x08048565.
Now we verify the result.
Save the script just written as scaffold08.py and place it in the same folder as 08_angr_constraints, then run it, as shown in the figure below.
Then run 08_angr_constraints itself; it prompts for the password angr just recovered, and the output is Good Job.
This completes the solution of 08_angr_constraints.