zsy-arch / zsy-arch.github.io


buuoj reverse crackMe | zsy的小屋 -> D0 wh4t u w4n7 t0 d0 <- #7

Open zsy-arch opened 2 years ago

zsy-arch commented 2 years ago

https://zsy-arch.github.io/2022/07/17/buuoj-reverse-crackMe/

crackMe. Attachment: crackme.exe. Analysis: IDA locates the wmain function: int wmain(){ FILE v0; // eax FILE v1; // eax char v3; // [esp+3h] [ebp

liangwei1229git commented 5 months ago

Could this challenge be solved with angr? I have only just started with angr...

zsy-arch commented 5 months ago

@liangwei1229git Could this challenge be solved with angr? I have only just started with angr...

angr_solve.py:

import angr
import sys

# Load the 32-bit binary built from test1.c below.
project = angr.Project("./test1")
# Start at the entry point; fill unconstrained memory and registers with
# symbolic values instead of zeros so the buffer read by scanf stays symbolic.
initial_state = project.factory.entry_state(
    add_options={
        angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
        angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
    },
)

simulation = project.factory.simgr(initial_state)

# Classify states by what the program has written to stdout so far.
def is_successful(state):
    return b"yes" in state.posix.dumps(sys.stdout.fileno())

def should_abort(state):
    return b"no" in state.posix.dumps(sys.stdout.fileno())

simulation.explore(find=is_successful, avoid=should_abort)

if simulation.found:
    solution_state = simulation.found[0]
    # Concretize stdin of the found state: this is an input the check accepts.
    print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
else:
    raise Exception("Could not find the solution")

test1.c:

/* Re-implementation of the crackme's check routine, built as the angr target. */
#include <stdio.h>

int main()
{
    char a2[10] = {0, 0, 0, 0, 0, 0, 0, 0};
    int a3 = 0;
    scanf("%s", a2);
    if (*a2 != 0x64)
        a3 ^= 3u;
    else
        a3 |= 4u;
    if (a2[1] != 0x62)
    {
        a3 &= 0x61u;
    }
    else
    {
        a3 |= 0x14u;
    }
    if (a2[2] != 0x61)
        a3 &= 0xAu;
    else
        a3 |= 0x84u;
    if (a2[3] != 0x70)
        a3 >>= 7;
    else
        a3 |= 0x114u;
    if (a2[4] != 0x70)
        a3 *= 2;
    else
        a3 |= 0x380u;

    if (a2[5] != 0x73)
    {
        a3 ^= 0x1ADu;
    }
    else
    {
        a3 |= 0xA04u;
    }
    if (a2[6] != 0x65)
        a3 |= 0x4Au;
    else
        a3 |= 0x2310u;
    if (a2[7] != 0x63)
    {
        a3 &= 0x3A3u;
    }
    else
    {
        a3 |= 0x8A10u;
    }
    if (a3 == 0xAB94)
    {
        printf("yes");
    }
    else
    {
        printf("no");
    }
    return 0;
}

Run on Linux:

$ gcc -m32 test1.c -o test1
$ python angr_solve.py
dbappsec
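angr explores the binary's paths symbolically; as an added example (not part of the original post), the same eight-branch check from test1.c is explored concretely in plain Python, enumerating all 2**8 branch patterns and keeping only those that reach 0xAB94. It also shows that the intended key is not the only accepted input: the first four comparisons can all fail and a3 still reaches the target. The STEPS table and the filler byte are constructed here from the constants in test1.c.

```python
from itertools import product

# One entry per comparison in test1.c:
# (expected byte, action when a2[i] != expected, action when a2[i] == expected).
STEPS = [
    (0x64, lambda v: v ^ 0x3,   lambda v: v | 0x4),
    (0x62, lambda v: v & 0x61,  lambda v: v | 0x14),
    (0x61, lambda v: v & 0xA,   lambda v: v | 0x84),
    (0x70, lambda v: v >> 7,    lambda v: v | 0x114),
    (0x70, lambda v: v * 2,     lambda v: v | 0x380),
    (0x73, lambda v: v ^ 0x1AD, lambda v: v | 0xA04),
    (0x65, lambda v: v | 0x4A,  lambda v: v | 0x2310),
    (0x63, lambda v: v & 0x3A3, lambda v: v | 0x8A10),
]
TARGET = 0xAB94  # the value compared against a3 in test1.c

def run_path(branches):
    """Value of a3 after following one branch pattern (True = 'equal' branch)."""
    a3 = 0
    for (_, on_ne, on_eq), taken in zip(STEPS, branches):
        a3 = (on_eq if taken else on_ne)(a3) & 0xFFFFFFFF  # a3 is a 32-bit int in C
    return a3

def check(pw: bytes) -> bool:
    """What the binary does: derive the branch pattern from the input, then run it."""
    pw = pw.ljust(8, b"\0")
    return run_path([pw[i] == exp for i, (exp, _, _) in enumerate(STEPS)]) == TARGET

def find_paths():
    """Explore every path, like angr's find/avoid, but with a3 kept concrete."""
    return [b for b in product([False, True], repeat=8) if run_path(b) == TARGET]

def concretize(branches, filler=0x78):
    """One input satisfying a path: the expected byte on 'eq', any other byte ('x') on 'ne'."""
    return bytes(exp if taken else filler for (exp, _, _), taken in zip(STEPS, branches))

if __name__ == "__main__":
    for path in find_paths():
        print(concretize(path).decode(), "".join("=" if t else "!" for t in path))
```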