Blog posts

Currently showing posts from 2026

08_angr_constraints writeup

The official script for the 08_angr_constraints challenge appears to be faulty. A working solution is:

```python
import angr


def main():
    path_to_binary = r"08_angr_constraints"
    project = angr.Project(path_to_binary, auto_load_libs=False)
    init_state = project.factory.entry_state()
    simgr = project.factory.simgr(init_state)

    # Stop just before the call to check_equals_AUPDNNPROEZRJWKB
    find_address = 0x08048673
    simgr.explore(find=find_address)

    if simgr.found:
        solution_state = simgr.found[0]

        # Constrain the 16 bytes at buffer_address to equal the target
        # string instead of symbolically executing the check function
        buffer_address = 0x0804A050
        constrained_bitvector = solution_state.memory.load(buffer_address, 16)
        target_string = b"AUPDNNPROEZRJWKB"
        solution_state.add_constraints(constrained_bitvector == target_string)

        # Solve for the stdin contents that satisfy the constraint
        flag = solution_state.posix.dumps(0)
        print(f"password: {flag.decode('utf-8', errors='ignore')}")


if __name__ == "__main__":
    main()
```

The key point is not to target "Good Job", but to set `find_address` to just before the call to the check function `check_equals_AUPDNNPROEZRJWKB`.