angr_script

施工中

import angr, monkeyhex, claripy
proj = angr.Project('t/main.exe')
flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(32)]
flag = claripy.Concat(*[claripy.BVV(b'flag{')]+flag_chars+[claripy.BVV(b'}\x00')])
state = proj.factory.call_state(0x140001000)
input_addr = 0

@proj.hook(0x140001093, length=5)
def get_input(state):
    global input_addr
    input_addr = state.regs.rdx
    state.memory.store(input_addr,flag)
    print('Input done')

@proj.hook(0x140001079, length=5)
def printf(state):
        return

simgr = proj.factory.simgr(state)
simgr.explore(find=0x1400013A1, avoid=0x1400013B7)
x=simgr.found[0].solver.eval(flag).to_bytes(39,"big")
print(x)

import angr
import sys

def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return b'Right!' in stdout_output
def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return b'Wrong!' in stdout_output


def main(argv):
    path_to_binary = './ezRE2'  # :string
    project = angr.Project(path_to_binary,load_options={"auto_load_libs": False})
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)
    simulation.explore(find=is_successful,avoid=should_abort)
    if simulation.found:
        solution_state = simulation.found[0]
        print(solution_state.posix.dumps(0))
    else:
        raise Exception('Could not find the solution')

if __name__ == '__main__':
    main(sys.argv)