08_angr_constraints writeup
08_angr_constraints 这题官方给的脚本似乎有问题（直接探索到“Good Job”跑不出结果），可行的解法是：
import angr
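def main():
    """Solve 08_angr_constraints by constraining the buffer instead of exploring the check.

    Explores from the entry point to ``find_address`` (just before the call to
    ``check_equals_AUPDNNPROEZRJWKB``), then adds a single constraint that the
    16-byte buffer at ``buffer_address`` equals the target string, and asks the
    solver for a stdin that satisfies it. Exploring all the way to "Good Job"
    is avoided on purpose (presumably because the check compares the buffer
    byte by byte, which forks a path per byte -- confirm in the disassembly).

    The addresses below are specific to this build of the binary; re-check
    them in a disassembler if the binary is rebuilt.

    Raises:
        SystemExit: if no state reaches ``find_address`` or the added constraint
            is unsatisfiable, so a failed run is not silently reported as success.
    """
    path_to_binary = r"08_angr_constraints"
    # auto_load_libs=False keeps shared libraries out of the symbolic exploration.
    project = angr.Project(path_to_binary, auto_load_libs=False)
    init_state = project.factory.entry_state()
    simgr = project.factory.simgr(init_state)

    # Stop right before the call to check_equals_AUPDNNPROEZRJWKB, not at "Good Job".
    find_address = 0x08048673
    simgr.explore(find=find_address)
    if not simgr.found:
        raise SystemExit(
            f"no path reached {find_address:#x}; verify the address against the binary"
        )

    solution_state = simgr.found[0]
    buffer_address = 0x0804A050
    target_string = b"AUPDNNPROEZRJWKB"
    # Load the whole buffer as one 16-byte symbolic value and constrain it to the
    # expected string in one step, instead of running the comparison symbolically.
    constrained_bitvector = solution_state.memory.load(buffer_address, len(target_string))
    solution_state.add_constraints(constrained_bitvector == target_string)
    if not solution_state.satisfiable():
        raise SystemExit(
            "buffer constraint is unsatisfiable; verify buffer_address and target_string"
        )

    # Concretize stdin under the added constraint; that is the password.
    flag = solution_state.posix.dumps(0)
    print(f"password : {flag.decode('utf-8', errors='ignore')}")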
# Script entry point: only run the solver when executed directly, not on import.
if __name__ == "__main__":
    main()
关键点是不要把 find 定位到“Good Job”，而是把 find_address 定在调用校验函数 check_equals_AUPDNNPROEZRJWKB 之前：校验函数通常是逐字节比较，符号执行一路跑到“Good Job”会导致路径爆炸；在调用前停下，再把 16 字节缓冲区整体约束为目标字符串，求解器一次求解就能得到输入。另外脚本里的 find_address 和 buffer_address 是针对这个二进制文件的，换了编译版本需要在反汇编里重新确认。