学习angr记录--12~14

12.veritesting 功能
默认就是开启的。。。

13.添加angr准备好的simProcedures以避免路径爆炸

import angr
import sys
 
def main(argv):
  path_to_binary = "E:\\A_reverse\\angr_ctf-master\\dist\\13_angr_static_binary"
  project = angr.Project(path_to_binary,load_options={"auto_load_libs":True})
  initial_state = project.factory.entry_state(add_options=angr.options.unicorn)
  simulation = project.factory.simgr(initial_state,veritesting=True)
  project.hook(0x0804ED40, angr.SIM_PROCEDURES['libc']['printf']())
  project.hook(0x0804ED80, angr.SIM_PROCEDURES['libc']['scanf']())
  project.hook(0x0804F350, angr.SIM_PROCEDURES['libc']['puts']())
  project.hook(0x08048D10, angr.SIM_PROCEDURES['glibc']['__libc_start_main']())
  simulation.explore(find=lambda state: b"Good Job" in state.posix.dumps(sys.stdout.fileno()),
                     avoid=lambda state: b"Try again" in state.posix.dumps(sys.stdout.fileno()))
  
  if simulation.found:
    solution_state = simulation.found[0]
    print("%s" %(solution_state.posix.dumps(sys.stdin.fileno())))
  else:
    raise Exception('Could not find the solution')
 
if __name__ == '__main__':
  main(sys.argv)

14.符号执行动态链接库的函数

import angr
import sys
import claripy
 
def main(argv):
  path_to_binary = "E:\\A_reverse\\angr_ctf-master\\dist\\lib14_angr_shared_library.so"

  
  base = 0x5000000                                       #任意编一个base基址，这是因为动态链接库没有绝对地址，是位置无关代码，也叫PIC
  project = angr.Project(path_to_binary, load_options={
    'main_opts' : {                                      #在这里设置project的基址
      'custom_base_addr' : base
    }
  })
  
  buffer_pointer = claripy.BVV(0x3000000, 32)            #这一段是初始化进入函数的一些状态
  func_address = base + 0x6d7                            #打开.so文件获取该函数的文件地址
  initial_state = project.factory.call_state(func_address, buffer_pointer, claripy.BVV(8, 32))#传入一个指针，一个整数，整数化为位向量
  flag = claripy.BVS('flag', 8*8)                        #位向量化一个字符串，存到传入的地址中去
  initial_state.memory.store(buffer_pointer, flag)
  
  simulation = project.factory.simgr(initial_state,veritesting = True)
  func_end = base + 0x783
  simulation.explore(find=func_end)
  
  if simulation.found:
    solution_state = simulation.found[0]
    solution_state.add_constraints(solution_state.regs.eax != 0)#希望的结果是函数结束时返回1，添加约束
    print(solution_state.solver.eval(flag, cast_to=bytes))
  else:
    raise Exception('Could not find the solution')
 
if __name__ == '__main__':
  main(sys.argv)