angr系列

00_angr_find

01_angr_avoid

02_angr_find_condition

03_angr_symbolic_registers

04_angr_symbolic_stack

05_angr_symbolic_memory

06_angr_symbolic_dynamic_memory

07_angr_symbolic_file

08_angr_constraints

09_angr_hooks

10_angr_simprocedures

13_angr_static_binary

文章目錄

• • angr系列
  • • 00_angr_find
    • 01_angr_avoid
    • 02_angr_find_condition
    • 03_angr_symbolic_registers
    • 04_angr_symbolic_stack
    • 05_angr_symbolic_memory
    • 06_angr_symbolic_dynamic_memory
    • 07_angr_symbolic_file
    • 08_angr_constraints
    • 09_angr_hooks
    • 10_angr_simprocedures
    • 13_angr_static_binary
  • 分析偽代碼
  • 腳本
  • 測試：

分析偽代碼

.text:080485C0 push offset user_input ; s .text:080485C5 call _memset .text:080485CA add esp, 10h .text:080485CD sub esp, 0Ch .text:080485D0 push offset aEnterThePasswo ; "Enter the password: " .text:080485D5 call _printf .text:080485DA add esp, 10h .text:080485DD sub esp, 0Ch .text:080485E0 push offset unk_A1BA1D8 .text:080485E5 push offset unk_A1BA1D0 .text:080485EA push offset unk_A1BA1C8 .text:080485EF push offset user_input .text:080485F4 push offset a8s8s8s8s ; "%8s %8s %8s %8s" .text:080485F9 call ___isoc99_scanf .text:080485FE add esp, 20h .text:08048601 mov [ebp+var_C], 0 .text:08048608 jmp short loc_8048637

一個字符是一字節，8個字符也就是8字節，也就是64位。需要符號化的內存單元地址為：

.text:080485E0 push offset unk_A1BA1D8 .text:080485E5 push offset unk_A1BA1D0 .text:080485EA push offset unk_A1BA1C8 .text:080485EF push offset user_input

所以這里需要去符號化這四個內存地址單元：

先申請四個變量

p1=init_state.solver.BVS('p1',64) p2=init_state.solver.BVS('p2',64)p3=init_state.solver.BVS('p3',64)p4=init_state.solver.BVS('p4',64)

把內存單元的地址值和變量之間進行一定關系的綁定

p4_addr=0x0A1BA1D8p3_addr=0x0A1BA1D0p2_addr=0x0A1BA1C8p1_addr=0x0A1BA1C0init_state.memory.store(p1_addr,p1)init_state.memory.store(p2_addr,p2)init_state.memory.store(p3_addr,p3)init_state.memory.store(p4_addr,p4)

對比一下符號化寄存器：

pass1=claripy.BVS('pass1',32)pass2=claripy.BVS('pass2',32)pass3=claripy.BVS('pass3',32)init_state.regs.eax=pass1init_state.regs.ebx=pass2init_state.regs.edx=pass3

最后再來對變量進行求解：

pass1=found_state.solver.eval(p1,cast_to=bytes)pass2=found_state.solver.eval(p2,cast_to=bytes)pass3=found_state.solver.eval(p3,cast_to=bytes)pass4=found_state.solver.eval(p4,cast_to=bytes)

腳本

import angr import sysdef main(argv):bin_path=argv[1]p=angr.Project(bin_path)start_addr=0x08048601init_state=p.factory.blank_state(addr=start_addr)p1=init_state.solver.BVS('p1',64) p2=init_state.solver.BVS('p2',64)p3=init_state.solver.BVS('p3',64)p4=init_state.solver.BVS('p4',64)p4_addr=0x0A1BA1D8p3_addr=0x0A1BA1D0p2_addr=0x0A1BA1C8p1_addr=0x0A1BA1C0init_state.memory.store(p1_addr,p1)init_state.memory.store(p2_addr,p2)init_state.memory.store(p3_addr,p3)init_state.memory.store(p4_addr,p4)sm=p.factory.simgr(init_state)def is_good(state):return b'Good Job.' in state.posix.dumps(1)def is_bad(state):return b'Try again.' in state.posix.dumps(1)sm.explore(find=is_good,avoid=is_bad)if sm.found:found_state=sm.found[0]pass1=found_state.solver.eval(p1,cast_to=bytes)pass2=found_state.solver.eval(p2,cast_to=bytes)pass3=found_state.solver.eval(p3,cast_to=bytes)pass4=found_state.solver.eval(p4,cast_to=bytes)print("Solution:{} {} {} {}".format(pass1.decode('utf-8'),pass2.decode('utf-8'),pass3.decode('utf-8'),pass4.decode('utf-8')))else:raise Exception("Solution not found") if __name__=="__main__":main(sys.argv)

NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU

測試：

總結

以上是生活随笔為你收集整理的angr学习笔记（6）（内存地址单元符号化）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。