k3170makan/argv_example.angr.py

## argv_example.angr.py
#!/usr/bin/python3

import angr
import sys
import claripy

def solve(elf_binary="./binary.elf"):
	project = angr.Project(elf_binary)

	argv = claripy.BVS('argv',8*0x6)

	#build initial state
	initial_state = project.factory.entry_state(args=[elf_binary,argv])
	initial_state.add_constraints(argv.get_byte(0) == 0x3F)

	#setup simulation manager
	simulation = project.factory.simgr(initial_state)
	simulation.explore(find=is_successful)

	if len(simulation.found) > 0:
		for solution_state in simulation.found:
			print("[>>] {!r}".format(solution_state.solver.eval(argv,cast_to=bytes)))
	else:
		print("[>>] no solution found :(")
def is_successful(state):
	output = state.posix.dumps(sys.stdout.fileno())
	if b'nice one' in output:
		return True
	return False
if __name__=="__main__":
	if len(sys.argv) < 2:
		print("[*] need 2 arguments\nUsage: %s [binary path] [target address]")

	solve(sys.argv[1])
	#!/usr/bin/python3

	import angr
	import sys
	import claripy

	def solve(elf_binary="./binary.elf"):
	project = angr.Project(elf_binary)

	argv = claripy.BVS('argv',8*0x6)

	#build initial state
	initial_state = project.factory.entry_state(args=[elf_binary,argv])
	initial_state.add_constraints(argv.get_byte(0) == 0x3F)

	#setup simulation manager
	simulation = project.factory.simgr(initial_state)
	simulation.explore(find=is_successful)

	if len(simulation.found) > 0:
	for solution_state in simulation.found:
	print("[>>] {!r}".format(solution_state.solver.eval(argv,cast_to=bytes)))
	else:
	print("[>>] no solution found :(")
	def is_successful(state):
	output = state.posix.dumps(sys.stdout.fileno())
	if b'nice one' in output:
	return True
	return False
	if __name__=="__main__":
	if len(sys.argv) < 2:
	print("[*] need 2 arguments\nUsage: %s [binary path] [target address]")

	solve(sys.argv[1])