  • angr advanced (4): starting from an arbitrary position

    Starting from an arbitrary position in the program can greatly reduce testing time. The method is to control the values the registers hold at the moment the program has run to that point, and start execution there (example: asisctffinals2015_fake).

    import angr

    p = angr.Project("fake", auto_load_libs=False)

    # Start in the middle of the binary: a blank state at 0x4004AC, whose
    # registers and memory are unconstrained unless we set them explicitly.
    state = p.factory.blank_state(addr=0x4004AC)
    # Make rax symbolic: the value the code reads from that register becomes
    # the unknown the solver has to find.
    inp = state.solver.BVS('inp', 8*8)
    state.regs.rax = inp

    # Explore from that state until the target address is reached.
    simgr = p.factory.simulation_manager(state)
    simgr.explore(find=0x400684)
    found = simgr.found[0]

    Similarly, the result can also be obtained by constraining the values held in registers.

    import binascii

    def extract_flag(found):
        # In the found state rdi points at the flag buffer; we know the flag
        # starts with "ASIS{".
        flag_addr = found.regs.rdi
        found.add_constraints(found.memory.load(flag_addr, 5) == int(binascii.hexlify(b"ASIS{"), 16))

        # More constraints: the whole flag should be printable
        flag = found.memory.load(flag_addr, 40)
        for i in range(5, 5+32):
            cond_0 = flag.get_byte(i) >= ord('0')
            cond_1 = flag.get_byte(i) <= ord('9')
            cond_2 = flag.get_byte(i) >= ord('a')
            cond_3 = flag.get_byte(i) <= ord('f')
            cond_4 = found.solver.And(cond_0, cond_1)
            cond_5 = found.solver.And(cond_2, cond_3)
            found.add_constraints(found.solver.Or(cond_4, cond_5))

        # And it ends with a '}'
        found.add_constraints(flag.get_byte(32+5) == ord('}'))

        # In fact, putting fewer constraints (for example, only constraining the first
        # several characters) is enough to get the final flag, and Z3 runs much faster
        # if there are fewer constraints. I added all constraints just to stay on the
        # safe side.

        # Concretise the 40-byte buffer and drop the trailing NUL padding.
        flag_str = found.solver.eval(flag, cast_to=bytes)
        return flag_str.rstrip(b'\0')
  • Original article: https://www.cnblogs.com/61355ing/p/10524128.html