angr speedrun

Preface

A quick run through angr, to learn its basic, surface-level usage.

Base script

import angr
import sys


def Go():
    path_to_binary = "angr2"
    project = angr.Project(path_to_binary, auto_load_libs=False)  # create the project instance
    initial_state = project.factory.entry_state()  # state at the program's entry point
    simulation = project.factory.simgr(initial_state)  # simulation manager that tracks the execution paths
    print(project.arch)  # architecture
    print(hex(project.entry))  # entry address
    print(project.filename)  # path

    def is_successful(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())  # the program's stdout so far (passing 1 works as well)
        return b'Good Job.' in stdout_output

    def should_abort(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'Try again.' in stdout_output

    # find/avoid also accept addresses (or lists of addresses) instead of callables
    simulation.explore(find=is_successful, avoid=should_abort)

    if simulation.found:  # a path to the target was found
        solution_state = simulation.found[0]
        # fd 0 is stdin, 1 stdout, 2 stderr; the password is the stdin that reaches this state
        solution = solution_state.posix.dumps(sys.stdin.fileno())
        print(solution.decode("utf-8"))
    else:
        raise Exception('Could not find the solution')


if __name__ == "__main__":
    Go()

00_angr_find


Only a small change is needed; just reuse the script above.


01_angr_avoid



Compared with avoiding by output string above, passing the address to avoid this time gets there faster.

import angr
import sys


def Go():
    path_to_binary = "01_angr_avoid"
    project = angr.Project(path_to_binary, auto_load_libs=False)  # create the project instance
    initial_state = project.factory.entry_state()  # state at the program's entry point
    simulation = project.factory.simgr(initial_state)  # simulation manager that tracks the execution paths
    print(project.arch)  # architecture
    print(hex(project.entry))  # entry address
    print(project.filename)  # path

    def is_successful(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())  # the program's stdout so far (passing 1 works as well)
        return b'Good Job.' in stdout_output

    def should_abort(state):  # kept for reference; unused here because avoid is given as an address
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'Try again.' in stdout_output

    # find/avoid accept addresses (or lists of addresses) as well as callables
    simulation.explore(find=is_successful, avoid=0x80485A8)

    if simulation.found:  # a path to the target was found
        solution_state = simulation.found[0]
        # fd 0 is stdin, 1 stdout, 2 stderr; the password is the stdin that reaches this state
        solution = solution_state.posix.dumps(sys.stdin.fileno())
        print(solution.decode("utf-8"))
    else:
        raise Exception('Could not find the solution')


if __name__ == "__main__":
    Go()
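The two scripts above folded into one helper, as an added example that is not the post's own code: find and avoid may each be an output marker (str/bytes, turned into a stdout predicate as in 00_angr_find) or an address or list of addresses (passed through as in 01_angr_avoid), and the result is the stdin that reaches the found state. It assumes angr is installed and the binary path comes from the caller; StubState is a constructed stand-in for checking the predicates without a binary.

```python
import types

STDIN_FD, STDOUT_FD = 0, 1  # angr posix fds: 0 stdin, 1 stdout, 2 stderr


def stdout_contains(marker):
    """Build an explore() predicate that is true once `marker` appears in the state's stdout."""
    marker = marker.encode() if isinstance(marker, str) else marker

    def pred(state):
        return marker in state.posix.dumps(STDOUT_FD)
    return pred


def as_target(spec):
    """Normalize a find/avoid spec: str/bytes -> stdout predicate; int, list or callable -> unchanged."""
    if isinstance(spec, (str, bytes)):
        return stdout_contains(spec)
    return spec


def solve(path_to_binary, find=b'Good Job.', avoid=b'Try again.'):
    """Explore from the entry state and return the stdin bytes that reach the find target."""
    import angr  # imported here so the helpers above are usable without angr installed
    project = angr.Project(path_to_binary, auto_load_libs=False)
    simgr = project.factory.simgr(project.factory.entry_state())
    simgr.explore(find=as_target(find), avoid=as_target(avoid))
    if not simgr.found:
        raise Exception('Could not find the solution')
    return simgr.found[0].posix.dumps(STDIN_FD)


class StubState:
    """Constructed stand-in for an angr SimState: only posix.dumps(fd) is modelled."""
    def __init__(self, stdin=b'', stdout=b''):
        streams = {STDIN_FD: stdin, STDOUT_FD: stdout}
        self.posix = types.SimpleNamespace(dumps=lambda fd: streams.get(fd, b''))


if __name__ == "__main__":
    import sys
    # e.g. python solve.py 00_angr_find             (avoid by output string)
    #      python solve.py 01_angr_avoid 0x80485A8  (avoid by address, as on the page)
    avoid = int(sys.argv[2], 16) if len(sys.argv) > 2 else b'Try again.'
    print(solve(sys.argv[1], avoid=avoid).decode())
```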

02_angr_find_condition



Speed-run with the base script.

03_angr_symbolic_registers




Nothing tricky here; the same one-shot approach still works.

04_angr_symbolic_stack


Same as before.

05_angr_symbolic_memory


06_angr_symbolic_dynamic_memory
