
The program uses an array holding two numbers; after eight operations it checks whether the two are equal and prints win if they are.

Method 1

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Author: xoreaxeaxeax
Modified by David Manouchehri <manouchehri@protonmail.com>
Original at https://lists.cs.ucsb.edu/pipermail/angr/2016-August/000167.html

The purpose of this example is to show how to use symbolic write addresses.
"""

import angr
import claripy


def main():
    p = angr.Project('./issue', load_options={"auto_load_libs": False})

    # By default, all symbolic write indices are concretized; this option
    # keeps them symbolic so the solver can reason about the array write.
    state = p.factory.entry_state(add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})

    # u is the 8-bit symbolic input; its address is taken from IDA.
    u = claripy.BVS("u", 8)
    state.memory.store(0x804a021, u)

    sm = p.factory.simulation_manager(state)

    # Classify states by what the program has written to stdout.
    def correct(state):
        try:
            return b'win' in state.posix.dumps(1)
        except Exception:
            return False

    def wrong(state):
        try:
            return b'lose' in state.posix.dumps(1)
        except Exception:
            return False

    sm.explore(find=correct, avoid=wrong)

    # Alternatively, you can hardcode the addresses.
    # sm.explore(find=0x80484e3, avoid=0x80484f5)

    # Enumerate every value of u (at most 256) that satisfies the 'win' path.
    return sm.found[0].solver.eval_upto(u, 256)


def test():
    # Ground truth: bytes with as many 0 bits as 1 bits (exactly four of each).
    good = set()
    for u in range(256):
        bits = [0, 0]
        for i in range(8):
            bits[(u >> i) & 1] += 1
        if bits[0] == bits[1]:
            good.add(u)

    res = main()
    assert set(res) == good


if __name__ == '__main__':
    print(repr(main()))
```

The address of u can be found in IDA.

This yields the values of u that reach win.

Method 2

```python
# coding=utf-8
import angr
import claripy


def hook_demo(state):
    # Replacement for the hooked instruction: xor eax, eax  ->  eax = 0
    state.regs.eax = 0


p = angr.Project("./issue", load_options={"auto_load_libs": False})
# Hooking: addr is the address to hook.
# hook is the handler; when execution reaches addr this function runs and
# receives the current state object as its argument.
# length is the size of the hooked instruction; after the handler runs, angr
# uses length to skip that instruction and continue with the next one.
# Hook the instruction at 0x08048485 (xor eax, eax), which is equivalent to
# setting eax to 0.
# The hook does not change the function's logic, it only swaps the
# implementation to speed up symbolic execution.
p.hook(addr=0x08048485, hook=hook_demo, length=2)
ret = []
for _ in range(20):
    # Start from a blank state at the function entry instead of the program entry.
    state = p.factory.blank_state(addr=0x0804846B,
                                  add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})
    u = claripy.BVS("u", 8)
    state.memory.store(0x0804A021, u)
    sm = p.factory.simulation_manager(state)
    # Explore until the 'win' basic block is reached.
    sm.explore(find=0x080484DB)
    st = sm.found[0]
    # Ask the solver for a single concrete value of u.
    ret.append(repr(st.solver.eval(u)))
print(ret)
```

In this method, explore is given the address of the correct branch, and the solver is asked for only a single value to obtain the result.

However, the hook function used in the experiment does not seem to do much.
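Neither script can be checked without the binary and angr installed, so the following added example (not part of the write-up or of angr) models the check described at the top of the page in plain Python and uses it as an offline oracle for the values either method reports. It assumes u is the single symbolic byte stored at 0x0804A021 and that the binary counts, over eight rounds, how many bits of u are 0 and how many are 1, printing win when the two counters match; the sample output list is constructed.

```python
# Added example, not the original write-up's code: an offline oracle for the
# 'issue' check (assumption: two counters over the 8 bits of u, win when equal).

def wins(u):
    """Model of the binary's check: one counter per bit value, over 8 bits."""
    counters = [0, 0]
    for i in range(8):
        counters[(u >> i) & 1] += 1
    return counters[0] == counters[1]


def expected_solutions():
    """Every byte that reaches 'win': the ground truth for eval_upto(u, 256)."""
    return {u for u in range(256) if wins(u)}


def check_reported(values):
    """Validate values reported by either script.

    Method 1 returns ints, method 2 returns repr() strings such as '39',
    so both are accepted. Reports how many distinct values were found,
    which of them are wrong, and whether the full solution set was covered.
    """
    distinct = {int(v) for v in values}
    wrong = {v for v in distinct if not wins(v)}
    return {
        "distinct": len(distinct),
        "correct": len(distinct - wrong),
        "wrong": sorted(wrong),
        "complete": distinct == expected_solutions(),
    }


if __name__ == "__main__":
    # Constructed sample of what method 2's loop might print: one value, 20 times.
    method2_output = ["39"] * 20
    print(check_reported(method2_output))
    print(len(expected_solutions()))  # 70 bytes have exactly four bits set
```

Running method 2's output through `check_reported` shows why it is weaker than method 1: each value it finds is valid, but a single `solver.eval` call never tells you how many other inputs also win.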