Example of modeling register values using angr
#!/usr/bin/python3
import angr
import claripy
import sys
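def solve(binary="", target=0x0, start=0x0, avoid=None):
    """Symbolically execute *binary* from *start* and solve for register inputs.

    ``eax``, ``ebx`` and ``edx`` are replaced by 32-bit symbolic values in a
    blank state at *start*; the simulation manager then explores until a
    state satisfies the ``success`` predicate (stdout contains ``b'Good Job'``),
    or reaches *target* when a non-zero address is supplied.

    Args:
        binary: path of the executable to load into angr.
        target: address to search for; ``0x0`` means use the ``success``
            predicate instead.
        start: address at which the blank state begins executing.
        avoid: addresses (or a predicate) the exploration must steer clear
            of; ``None`` means nothing is avoided.

    Returns:
        A ``(eax, ebx, edx)`` tuple of hex strings for the first found state,
        or ``None`` when exploration ends without a matching state.
    """
    # A mutable default list would be shared across calls; build a fresh one.
    if avoid is None:
        avoid = []

    project = angr.Project(binary)

    # One 32-bit symbolic value per register the target code reads.
    arg0 = claripy.BVS("arg0", 32)
    arg1 = claripy.BVS("arg1", 32)
    arg2 = claripy.BVS("arg2", 32)

    init_state = project.factory.blank_state(addr=start)
    init_state.regs.eax = arg0
    init_state.regs.ebx = arg1
    init_state.regs.edx = arg2

    simulation = project.factory.simgr(init_state)
    # `target` used to be accepted but ignored; a non-zero address now takes
    # precedence over the stdout-based predicate.
    simulation.explore(find=target if target else success, avoid=avoid)

    if not simulation.found:
        print("[x] no state reached the target")
        return None

    solution_state = simulation.found[0]
    solutions = tuple(
        format(solution_state.solver.eval(arg), 'x')
        for arg in (arg0, arg1, arg2)
    )
    print("[>>] %s %s %s" % solutions)
    return solutions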
def success(state):
    """Return True when *state*'s simulated stdout already contains b'Good Job'.

    Used as the ``find`` predicate for the simulation manager; the file
    descriptor number of the host's stdout is used to select the simulated
    stdout stream.
    """
    dumped = state.posix.dumps(sys.stdout.fileno())
    return b'Good Job' in dumped
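if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("[x] Usage: %s [binary]" % sys.argv[0])
        # Without exiting here the script went on to index sys.argv[1]
        # and died with an IndexError right after printing the usage line.
        sys.exit(1)
    binary_filename = sys.argv[1]
    # Start address is specific to the binary this example was written for;
    # adjust it for other targets.
    solve(binary=binary_filename, start=0x8048980)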