Writeup for selected angr_ctf challenges
08_angr_constraints
The official script for this challenge appears to be broken; a working solution is:
```python
import angr


def main():
    path_to_binary = r"08_angr_constraints"
    project = angr.Project(path_to_binary, auto_load_libs=False)
    init_state = project.factory.entry_state()
    simgr = project.factory.simgr(init_state)

    # Stop right before the call to check_equals_AUPDNNPROEZRJWKB, not at "Good Job"
    find_address = 0x08048673
    simgr.explore(find=find_address)

    if simgr.found:
        solution_state = simgr.found[0]
        # The 16-byte buffer that the check function compares against the target
        buffer_address = 0x0804A050
        constrained_bitvector = solution_state.memory.load(buffer_address, 16)
        target_string = b"AUPDNNPROEZRJWKB"
        # Constrain the buffer contents instead of exploring through the check function
        solution_state.add_constraints(constrained_bitvector == target_string)
        # Solve for the stdin that satisfies the added constraint
        flag = solution_state.posix.dumps(0)
        print(f"password : {flag.decode('utf-8', errors='ignore')}")


if __name__ == "__main__":
    main()
```
The key point is not to target "Good Job" but to set find_address to the point just before the call to the check function check_equals_AUPDNNPROEZRJWKB.
12_angr_veritesting
The official solution for this challenge is veritesting=True, but in practice it can exhaust memory and produce no output for a long time. Analyzing complex_function directly shows that argument 1 is fixed at 75 and argument 2 runs from 93 to 93+31, so an equivalent script can be written:
```python
flag = ""
for i in range(32):
    a1 = 75       # first argument to complex_function is constant
    a2 = i + 93   # second argument runs from 93 to 93 + 31
    # Model of complex_function: the result is always an uppercase letter
    char_val = (a1 - 65 + 2 * a2) % 26 + 65
    flag += chr(char_val)
print(f"[+] 直接算出的密码: {flag}")
```
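As an added example (not part of the original writeup), here is a pure-Python model of the check described above, assuming the binary's loop compares each of the 32 input bytes with complex_function(75, 93 + i); the check_password helper is hypothetical and only models that loop, which is why no symbolic exploration is needed:

```python
# Added example, not from the original writeup: a pure-Python model of the
# per-character check in 12_angr_veritesting as the writeup describes it.
# Assumptions (labelled): argument 1 is fixed at 75, argument 2 is 93 + i
# for i in 0..31, and complex_function is the formula the writeup derived.

LENGTH = 32
A1_FIXED = 75      # first argument, per the writeup
A2_BASE = 93       # second argument is A2_BASE + i, per the writeup


def complex_function(a1: int, a2: int) -> int:
    """Model of complex_function as derived in the writeup (assumption)."""
    return (a1 - 65 + 2 * a2) % 26 + 65


def expected_password() -> str:
    """Closed-form password: each position depends only on its own index,
    so the 32 characters can be computed independently."""
    return "".join(chr(complex_function(A1_FIXED, A2_BASE + i)) for i in range(LENGTH))


def check_password(candidate: bytes) -> bool:
    """Hypothetical model of the binary's verification loop: every one of the
    32 input bytes must equal complex_function's output for that index.
    Returns True only when all positions match."""
    if len(candidate) != LENGTH:
        return False
    matches = sum(
        1 for i, c in enumerate(candidate) if c == complex_function(A1_FIXED, A2_BASE + i)
    )
    return matches == LENGTH


if __name__ == "__main__":
    pw = expected_password()
    print(pw, check_password(pw.encode()))
```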