
angr-03_angr_symbolic_registers

需要输入三个参数

1.png

import angr
import sys
import claripy

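def main(argv):
    """Solve the 03_angr_symbolic_registers challenge with angr.

    The target expects three input values. Instead of modelling the input
    routine, execution starts from a blank state with three registers
    (eax, ebx, edx) set to 32-bit symbolic values, and angr searches for a
    path that prints the success message.

    Args:
        argv: Command-line argument list; argv[1] is the path to the binary.

    Raises:
        SystemExit: If no binary path was supplied.
        Exception: If exploration ends without reaching the success message.
    """
    if len(argv) < 2:
        # Fail with a usage hint instead of an IndexError on argv[1].
        prog = argv[0] if argv else "solve.py"
        raise SystemExit("usage: {} <path-to-binary>".format(prog))

    bin_path = argv[1]
    p = angr.Project(bin_path)

    # Hard-coded for this specific binary.
    # NOTE(review): presumably the instruction just after the input-reading
    # call, where the three values already sit in eax/ebx/edx -- confirm
    # against the disassembly before reusing on another build.
    start_addr = 0x08048980
    init_state = p.factory.blank_state(addr=start_addr)

    # One 32-bit symbolic bitvector per expected input value.
    pass1 = claripy.BVS("pass1", 32)
    pass2 = claripy.BVS("pass2", 32)
    pass3 = claripy.BVS("pass3", 32)

    # Inject the symbols into the registers the code reads from.
    init_state.regs.eax = pass1
    init_state.regs.ebx = pass2
    init_state.regs.edx = pass3

    sm = p.factory.simulation_manager(init_state)

    def is_good(state):
        # File descriptor 1 is stdout; success is identified by its output.
        return b"Good Job" in state.posix.dumps(1)

    def is_bad(state):
        # Drop states that have already printed the failure message.
        return b"Try again" in state.posix.dumps(1)

    sm.explore(find=is_good, avoid=is_bad)

    if not sm.found:
        # The original raised the misspelled name "Excoption", which would
        # surface as a NameError instead of the intended message.
        raise Exception("No solution found")

    found_state = sm.found[0]

    # Ask the solver for one concrete value per symbol on the found path.
    password1 = found_state.solver.eval(pass1)
    password2 = found_state.solver.eval(pass2)
    password3 = found_state.solver.eval(pass3)

    print("Solution:{:x} {:x} {:x}".format(password1, password2, password3))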
if __name__ == "__main__":
    # Run the solver only when executed as a script; argv[1] is the binary path.
    main(argv=sys.argv)
