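Copyright notice: This is an original article by the blogger and may not be reposted without the blogger's permission. https://blog.csdn.net/xiangshangbashaonian/article/details/82953042
This challenge can be solved directly with angr; no manual analysis is even needed.
Readers who are not yet familiar with angr can read this: Installing and Using Angr Symbolic Execution to Solve CTF Reversing Challenges
You only need to find the two addresses shown in the figure below.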
In [1]: import angr
WARNING | 2018-10-06 05:04:30,383 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
In [2]: import claripy
In [3]: proj = angr.Project("./Desktop/rev300")
---------------------------------------------------------------------------
Exception Traceback (most recent call last)
<ipython-input-3-e2682d5cb563> in <module>()
----> 1 proj = angr.Project("./Desktop/rev300")
/home/iqiqiya/.virtualenvs/angr/lib/python2.7/site-packages/angr/project.pyc in __init__(self, thing, default_analysis_mode, ignore_functions, use_sim_procedures, exclude_sim_procedures_func, exclude_sim_procedures_list, arch, simos, load_options, translation_cache, support_selfmodifying_code, store_function, load_function, analyses_preset, engines_preset, **kwargs)
120 self.loader = cle.Loader(thing, **load_options)
121 elif not isinstance(thing, (unicode, str)) or not os.path.exists(thing) or not os.path.isfile(thing):
--> 122 raise Exception("Not a valid binary file: %s" % repr(thing))
123 else:
124 # use angr's loader, provided by cle
Exception: Not a valid binary file: './Desktop/rev300'
In [4]: proj = angr.Project("./rev300")  # the error above was caused by the path; putting the file in / fixes it
In [5]: argv1 = claripy.BVS('argv1',50*8)  # guess that the input is at most 50 bytes
In [6]: state = proj.factory.entry_state(args=['./rev300',argv1])
In [7]: simgr = proj.factory.simgr(state)
In [8]: simgr.explore(find=0x080485E0,avoid=0x080485FE)  # addresses reached on correct input (find) and wrong input (avoid)
Out[8]: <SimulationManager with 1 found, 8 avoid>
In [9]: print simgr.found[0].solver.eval(argv1)
1063672768972179131287516445481467842776405221819183762775333007016231566631042703334175149294977912186305477505166868480
In [10]: print simgr.found[0].solver.eval(argv1,cast_to=str)  # output the result as a string
Isengard  # the result obtained
Verifying this input yields the flag.
For the conventional solution, see:
https://blog.csdn.net/u012763794/article/details/78468581?locationNum=7&fps=1