Using angr's symbolic stack for solving binaries


I am trying to adapt the technique mentioned in https://blog.notso.pro/2019-03-26-angr-introduction-part2/ on another binary (02_angr_find_condition). The binary can be found at https://github.com/jakespringer/angr_ctf/tree/master/dist

I am trying to work out the offset for the padding, etc., but I could not find the correct offset that makes the script print out the correct password for the binary.

My code snippet is as follows:

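def main():
    """Search for the winning input of 02_angr_find_condition with a symbolic stack.

    Execution starts at ``start_address`` on a hand-built stack frame: a 64-bit
    symbolic value stands in for the 8-character input the program would
    normally read, and the simulation manager explores until some state's
    simulated stdout contains ``Good Job.``, pruning states that print
    ``Try again.``. The simulation manager is always printed; on success the
    simulated stdin/stdout and a concrete value of the input are printed too.

    Returns:
        None.
    """
    # Address inside the binary to begin exploring from (after the input has
    # supposedly been read). NOTE(review): the original also defined an unused
    # base_address = 0x08048000; confirm start_address against the disassembly.
    start_address = 0x08048645

    # The simulated program's stdout is fd 1 inside the angr state, independent
    # of the host process's stdout; use the same fd the dump at the end uses
    # rather than sys.stdout.fileno() of the host.
    stdout_fd = 1
    win_marker = b'Good Job.'
    fail_marker = b'Try again.'

    def success(state):
        """Return True once the state's simulated stdout contains the win marker."""
        return win_marker in state.posix.dumps(stdout_fd)

    def bad(state):
        """Return True once the state's simulated stdout contains the fail marker."""
        return fail_marker in state.posix.dumps(stdout_fd)

    project = angr.Project('angr_ctf/dist/02_angr_find_condition', auto_load_libs=False)
    state = project.factory.entry_state(addr=start_address)

    # Build a fresh frame: ebp = esp, then reserve space between ebp and the
    # slot the input is pushed into.
    state.regs.ebp = state.regs.esp

    # Padding for bytes at higher addresses than the input slot. NOTE(review):
    # 0x30 is the guess under investigation; the correct distance depends on
    # where the compiled function keeps its buffer relative to ebp — confirm
    # in the disassembly.
    padding_length_bytes = 0x30
    state.regs.esp -= padding_length_bytes

    # The program reads with %8s, so the input is eight characters (its buffer
    # is nine bytes to hold the terminator); model the eight characters as one
    # 64-bit symbolic value.
    input0 = claripy.BVS("input0", 64)
    state.stack_push(input0)

    # Constrain every byte to 0x20..0x7f so the solver yields typeable
    # characters (0x7f is DEL; use <= 0x7e if strictly printable is wanted).
    for byte in input0.chop(8):
        state.solver.add(byte >= 0x20)
        state.solver.add(byte <= 0x7f)

    simgr = project.factory.simgr(state)
    simgr.explore(find=success, avoid=bad)
    print(simgr)

    if simgr.found:
        solution = simgr.found[0]
        print(solution.posix.dumps(0))
        print(solution.posix.dumps(1))
        print(solution.solver.eval(input0, cast_to=bytes))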
