本文共 1660 字，大约阅读时间需要 5 分钟。

angr系列

伪代码分析

这里利用函数名字来进行hook操作：

 check_symbol='check_equals_ORSDDWXHZURJRBDH'

然后把相应的hook替换函数进行申明：

 p.hook_symbol(check_symbol,mySimPro())

实现替换函数：

 class mySimPro(angr.SimProcedure):        def run(self,user_input,user_input_length):            angr_bvs=self.state.memory.load(                user_input,                user_input_length                )            desired='ORSDDWXHZURJRBDH'            return claripy.If(                desired==angr_bvs,                claripy.BVV(1,32),                claripy.BVV(0,32)                )

脚本

import angrimport sysimport claripydef main(argv):    bin_path=argv[1]    p=angr.Project(bin_path)    init_state=p.factory.entry_state()    class mySimPro(angr.SimProcedure):        def run(self,user_input,user_input_length):            angr_bvs=self.state.memory.load(                user_input,                user_input_length                )            desired='ORSDDWXHZURJRBDH'            return claripy.If(                desired==angr_bvs,                claripy.BVV(1,32),                claripy.BVV(0,32)                )    check_symbol='check_equals_ORSDDWXHZURJRBDH'    p.hook_symbol(check_symbol,mySimPro())    sm=p.factory.simgr(init_state)    def is_good(state):        return b'Good Job.' in state.posix.dumps(1)    def is_bad(state):        return b'Try again.' in state.posix.dumps(1)    sm.explore(find=is_good,avoid=is_bad)    if sm.found:        found_state=sm.found[0]        password=found_state.posix.dumps(0)        print("Solution:{}".format(password.decode("utf-8")))    else:        raise Exception("Solution not found")if __name__=='__main__':    main(sys.argv)

MSWKNJNAVTTOZMRY

验证