47 lines
1.6 KiB
Markdown
47 lines
1.6 KiB
Markdown
|
# Angr - Examples
|
||
|
|
|
||
|
|
### Find input to reach address
|
||
|
|
|
||
|
|
```python
|
||
|
|
import angr
|
||
|
|
import sys
|
||
|
|
|
||
|
|
def main(argv):
|
||
|
|
path_to_binary = argv[1] # :string
|
||
|
|
project = angr.Project(path_to_binary)
|
||
|
|
|
||
|
|
# Tell Angr where to start executing (should it start from the main()
|
||
|
|
# function or somewhere else?) For now, use the entry_state function
|
||
|
|
# to instruct Angr to start from the main() function.
|
||
|
|
initial_state = project.factory.entry_state()
|
||
|
|
|
||
|
|
# Create a simulation manager initialized with the starting state. It provides
|
||
|
|
# a number of useful tools to search and execute the binary.
|
||
|
|
simulation = project.factory.simgr(initial_state)
|
||
|
|
|
||
|
|
# Explore the binary to attempt to find the address that prints "Good Job."
|
||
|
|
# You will have to find the address you want to find and insert it here.
|
||
|
|
# This function will keep executing until it either finds a solution or it
|
||
|
|
# has explored every possible path through the executable.
|
||
|
|
# (!)
|
||
|
|
print_good_address = 0x804867d
|
||
|
|
simulation.explore(find=print_good_address)
|
||
|
|
|
||
|
|
# Check that we have found a solution. The simulation.explore() method will
|
||
|
|
# set simulation.found to a list of the states that it could find that reach
|
||
|
|
# the instruction we asked it to search for. Remember, in Python, if a list
|
||
|
|
# is empty, it will be evaluated as false, otherwise true.
|
||
|
|
if simulation.found:
|
||
|
|
solution_state = simulation.found[0]
|
||
|
|
|
||
|
|
# Print the string that Angr wrote to stdin to follow solution_state. This
|
||
|
|
# is our solution.
|
||
|
|
print(solution_state.posix.dumps(sys.stdin.fileno()))
|
||
|
|
else:
|
||
|
|
raise Exception('Could not find the solution')
|
||
|
|
|
||
|
|
if __name__ == '__main__':
|
||
|
|
main(sys.argv)
|
||
|
|
```
|
||
|
|
|