Angr_2

Angr学习,一些其他的操作

题目:15_angr_arbitrary_read

利用Angr实现内存地址的任意读

查看题目的反编译代码，关键逻辑如下：

s = try_again;
printf("Enter the password: ");
__isoc99_scanf("%u %20s", &key, &v4);
if ( key == 36134347 || key != 41810812 )
puts(try_again);
else
puts(s);
return 0;

不论输入什么，得到的都是 try again：puts 打印的是指针 s 指向的字符串，而 s 被初始化为 try_again。要让程序输出 good，就需要覆盖 s 的值，使它指向 good 字符串（其地址在程序中已经给出）；同时注意 if 条件只有在 key == 41810812 时才会进入 else 分支的 puts(s)。下面用 angr 求解满足这两点的输入。

from angr import *
from claripy import *
import sys

# Load only the target binary; with auto_load_libs off, libc calls such as
# scanf/puts are served by angr's SimProcedures (or by the hook installed below).
p = Project("./15_angr_arbitrary_read", auto_load_libs=False)

# Begin symbolic execution at the program entry point.
init_state = p.factory.entry_state()

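class ReScanf(SimProcedure):
    """Replacement for ``__isoc99_scanf("%u %20s", &key, buf)``.

    Instead of parsing stdin, the hook writes two fresh symbolic values
    directly into the destination buffers and records them in
    ``state.globals['solutions']`` so they can be concretised once the
    simulation manager has found a target state.
    """

    def run(self, fmt, para1, para2):
        """Model the two conversions of the fixed format string.

        Args:
            fmt: address of the format string (unused; the layout is known).
            para1: address that receives the ``%u`` value (4 bytes).
            para2: address that receives the ``%20s`` string (20 bytes).

        Returns:
            2 -- the number of matched items a successful scanf reports.
        """
        key = BVS('in1', 32)
        text = BVS('in2', 20 * 8)

        # Constrain every character to 'A'..'Z'.  This keeps the solution
        # typeable and, since no byte can be 0 or whitespace, means a real
        # scanf("%20s") would consume all 20 characters exactly as modelled.
        for char in text.chop(bits=8):
            self.state.add_constraints(char >= 'A', char <= 'Z')

        # The integer must follow the target's byte order; the string is a
        # byte array and is stored in memory order without endness conversion.
        self.state.memory.store(para1, key, endness=p.arch.memory_endness)
        self.state.memory.store(para2, text)
        # scanf NUL-terminates after the 20 characters; write that byte too so
        # the modelled stack contents match what the real program sees.
        self.state.memory.store(para2 + 20, BVV(0, 8))

        self.state.globals['solutions'] = (key, text)
        return 2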

# The binary reads its input through this scanf symbol (see the decompiled
# code above); hook it so every call runs ReScanf.run instead of libc/SimProcedure.
name = '__isoc99_scanf'
p.hook_symbol(name, ReScanf())

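def check_out(state, good_addr=0x594e4257):
    """Return True if this state can call puts() with an attacker-chosen pointer.

    Meant to run when ``state`` is stopped at the puts call target: the first
    argument is read from the stack at ``[esp+4]`` (32-bit calling convention),
    and the state is accepted only if that pointer is symbolic -- i.e. derived
    from our input -- and can be made equal to ``good_addr``.  On success the
    equality is committed to ``state`` so the final solve yields an input that
    produces exactly that pointer.

    Args:
        state: angr SimState positioned at the puts call.
        good_addr: address the puts argument must take; defaults to the
            address of the "good" string in this binary.

    Returns:
        bool: True if the pointer is input-controlled and can equal
        ``good_addr``, False otherwise.
    """
    puts_para = state.memory.load(state.regs.esp + 4, 4, endness=p.arch.memory_endness)

    # A concrete pointer is the program's own value (try_again here), not
    # something our input influenced -- only a symbolic pointer is interesting.
    if not state.solver.symbolic(puts_para):
        return False

    # Probe the extra constraint without mutating the state; this replaces the
    # copy-then-constrain pattern and avoids duplicating the whole SimState.
    if not state.solver.satisfiable(extra_constraints=[puts_para == good_addr]):
        return False

    state.add_constraints(puts_para == good_addr)
    return True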



def is_successful(state):
    """Find-predicate for the simulation manager.

    A state is a candidate only once it has reached the puts call target
    (address hard-coded for this binary); deciding whether the pointer being
    printed is controllable is delegated to check_out, which also commits the
    good_addr constraint on success.
    """
    puts_address = 0x8048370
    return state.addr == puts_address and check_out(state)

# Explore from the entry state until is_successful accepts a state
# (explore returns the manager itself, so `simulation` is the same object).
simulation = p.factory.simgr(init_state)
simulation.explore(find=is_successful)

if simulation.found:
    # Concretise the symbolic key and string recorded by ReScanf in the
    # accepted state; the string is printed as raw bytes.
    solution_init = simulation.found[0]
    in0, in1 = solution_init.globals['solutions']
    solver = solution_init.solver
    print(solver.eval(in0))
    print(solver.eval(in1, cast_to=bytes))

其实就是利用了 scanf("%20s") 向 v4 写入时的栈溢出：多出的字节覆盖了相邻的指针 s，使 puts(s) 打印出 good 字符串。check_out 中给 puts 参数加的约束 puts_para == good_addr，正是在要求溢出后的 s 恰好等于 good 的地址；把字符限制在 A–Z 则保证求解出的输入可以直接键入，且不会被 scanf 提前截断。