学习angr记录 15~17 栈溢出

15.溢出到eax使得把good job推入puts输出

16.溢出到缓冲区地址更改字符串,使得输出good job

import angr
 
def main():
    """Explore the 16_angr_arbitrary_write binary and print a solving stdin.

    Symbolic execution runs from the entry state until it reaches a state
    whose address is the one this script treats as strncpy and whose stack
    arguments can be constrained as _args_are_steerable describes.  The
    solver's stdin (fd 0) for that state is printed; nothing is printed
    when no such state is found.
    """
    proj = angr.Project("E:\\A_reverse\\angr_ctf-master\\dist\\16_angr_arbitrary_write")
    init_state = proj.factory.entry_state()

    def _args_are_steerable(state):
        """Constrain a state stopped at strncpy; True if the constraints fit.

        Called when execution sits at the strncpy entry, so the three call
        arguments are above the return address: dest at esp+4, src at esp+8,
        len at esp+12.  Returns False without touching the state whenever the
        arguments are not input-dependent or the constraints are unsatisfiable.
        """
        endness = proj.arch.memory_endness
        dest_ptr = state.memory.load(state.regs.esp + 4, 4, endness=endness)
        src_ptr = state.memory.load(state.regs.esp + 8, 4, endness=endness)
        copy_len = state.memory.load(state.regs.esp + 12, 4, endness=endness)

        src_contents = state.memory.load(src_ptr, copy_len)

        # Only a call whose destination pointer *and* copied bytes depend on
        # input can be steered; a concrete call cannot be constrained.
        if not (state.solver.symbolic(dest_ptr) and state.solver.symbolic(src_contents)):
            return False

        password_string = "NDYNWEUJ"
        buffer_address = 0x57584344

        # claripy bit-slices run high-to-low, so [-1:-64] is the top 64 bits,
        # i.e. the first 8 bytes of the copy -- the length of the password
        # string (NOTE(review): confirm against the claripy version in use).
        holds_password = src_contents[-1:-64] == password_string
        targets_buffer = dest_ptr == buffer_address

        # Check first: committing an unsatisfiable constraint would leave the
        # state unsolvable later on.
        wanted = (holds_password, targets_buffer)
        if not state.satisfiable(extra_constraints=wanted):
            return False
        state.add_constraints(*wanted)
        return True

    # Address this script takes to be the strncpy entry point in the binary.
    strncpy_addr = 0x08048410

    def _is_solution(state):
        # Short-circuit keeps the argument check off every non-strncpy state.
        return state.addr == strncpy_addr and _args_are_steerable(state)

    simulation = proj.factory.simgr(init_state)
    simulation.explore(find=_is_solution)

    if simulation.found:
        solution_state = simulation.found[0]
        print(solution_state.posix.dumps(0))
 
if __name__ == '__main__':
    # Run the solver only when executed as a script, not on import.
    main()

17.溢出到地址输出good job

import angr
import claripy
import sys
# 1. Initialize the simulation and ask Angr to record unconstrained states.
# 2. Step through the simulation until we have found a state where eip is symbolic.
# 3. Constrain eip to equal the address of the "print_good" function.
# 这里的“符号化”是指 eip 代表一组可能的取值，而不是某个具体的值。
def main():
    """Explore the 17_angr_arbitrary_jump binary and print a solving stdin.

    The simulation manager is told to keep unconstrained states (states whose
    program counter depends entirely on input).  Stepping continues, promoting
    every unconstrained state to 'found', until one is found or nothing is
    left to run.  The first found state then has eip pinned to 0x42585249
    (the print_good address, per the header comment) and the solver's stdin
    for it is printed.

    Raises:
        Exception: if no unconstrained state was ever produced.
    """
    proj = angr.Project(
        "E:\\A_reverse\\angr_ctf-master\\dist\\17_angr_arbitrary_jump",
        load_options={"auto_load_libs": False},
    )
    init_state = proj.factory.entry_state(add_options=angr.options.unicorn)

    # save_unconstrained keeps states whose next address is symbolic instead
    # of discarding them; such a state is the symptom of a corrupted control
    # transfer, so it is exactly what an analyst wants to inspect.  The
    # stashes dict names the buckets angr sorts states into.
    simulation = proj.factory.simgr(
        init_state,
        save_unconstrained=True,
        stashes={
            'active': [init_state],
            'unconstrained': [],
            'found': [],
        },
        veritesting=True,
    )

    # Loop while there is still something to run and nothing has been found.
    # Each round first promotes any unconstrained states to 'found', then
    # advances every active state by one step.
    while (simulation.active or simulation.unconstrained) and not simulation.found:
        simulation.move('unconstrained', 'found')
        simulation.step()

    if not simulation.found:
        raise Exception('Could not find the solution')

    solution_state = simulation.found[0]
    # eip is symbolic in this state; pin it so the solver yields an input
    # consistent with that exact target.
    solution_state.add_constraints(solution_state.regs.eip == 0x42585249)
    print(solution_state.posix.dumps(sys.stdin.fileno()))
 
if __name__ == '__main__':
  # Run the solver only when executed as a script, not on import.
  main()