angr symbolic execution example walkthrough: defcamp_r100

Example source code and binary: https://github.com/angr/angr-doc/tree/master/examples/defcamp_r100

This challenge is really, really simple!

It asks you to enter a password and then checks whether it is correct.

Logic of the check function (IDA decompilation):

```c
signed __int64 __fastcall sub_4006FD(__int64 a1)   // a1: pointer to the user's input
{
  signed int i; // [sp+14h] [bp-24h]@1
  const char *v3; // [sp+18h] [bp-20h]@1
  const char *v4; // [sp+20h] [bp-18h]@1
  const char *v5; // [sp+28h] [bp-10h]@1

  v3 = "Dufhbmf";
  v4 = "pG`imos";
  v5 = "ewUglpt";
  // 12 input bytes are checked. (&v3)[8 * (i % 3)] is IDA's rendering of picking
  // v3/v4/v5 by i % 3 (the three pointers sit 8 bytes apart on the stack), and
  // [2 * (i / 3)] picks every second byte of that string. Each table byte must be
  // exactly one greater than the corresponding input byte.
  for ( i = 0; i <= 11; ++i )
  {
    if ( (&v3)[8 * (i % 3)][2 * (i / 3)] - *(_BYTE *)(i + a1) != 1 )
      return 1LL;   // mismatch: wrong password
  }
  return 0LL;       // all 12 bytes matched
}
```

So all we need is a find_addr and an avoid_addr, or alternatively a correct function and a wrong function, to filter out the paths that satisfy the condition.
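Before running angr it is worth knowing what answer to expect. The following is an added example, not code from the original post or from the angr project: it re-implements sub_4006FD in plain Python from the decompilation above and, because every byte is checked independently, inverts it to recover the password directly. The names `TABLE`, `PASSWORD_LEN`, `check` and `recover_password` are my own; the binary's behaviour on inputs shorter than 12 bytes is undefined (it would read past the buffer), and this version simply treats them as rejected.

```python
# Added example (not from the original post or from angr): pure-Python mirror of
# sub_4006FD plus its inverse. Runs offline, without angr or the r100 binary, and
# serves as a cross-check for what the symbolic-execution script should return.

# The three constant strings the check compares against (v3, v4, v5 above).
TABLE = ["Dufhbmf", "pG`imos", "ewUglpt"]
PASSWORD_LEN = 12  # the loop runs for i = 0..11


def check(password: bytes) -> int:
    """Mirror of sub_4006FD: 0 on success, 1 on the first mismatch."""
    if len(password) < PASSWORD_LEN:
        # Assumption: the binary would compare against bytes after the buffer here;
        # we treat a short input as a failed check.
        return 1
    for i in range(PASSWORD_LEN):
        # (&v3)[8 * (i % 3)][2 * (i / 3)]  ->  TABLE[i % 3][2 * (i // 3)]
        expected = ord(TABLE[i % 3][2 * (i // 3)])
        if expected - password[i] != 1:
            return 1
    return 0


def recover_password() -> bytes:
    """Invert the check: each byte is independent, so password[i] = table byte - 1."""
    return bytes(ord(TABLE[i % 3][2 * (i // 3)]) - 1 for i in range(PASSWORD_LEN))


if __name__ == "__main__":
    pw = recover_password()
    print(pw.decode(), "->", "accepted" if check(pw) == 0 else "rejected")
```

Only the first 12 bytes are inspected, exactly as in the binary, so trailing input is ignored by `check`; that is also why the angr scripts below strip only NUL bytes and newlines from the recovered stdin.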

Example source:

Using find_addr and avoid_addr:

```python
import angr

def main():
    p = angr.Project("r100", load_options={'auto_load_libs': False})
    # SimulationManager replaces the old p.surveyors.Explorer API, which has been
    # removed from angr. find = address on the success path, avoid = address on
    # the failure path.
    simgr = p.factory.simulation_manager()
    simgr.explore(find=0x400844, avoid=0x400855)

    # stdin (fd 0) of the found state holds the password the solver chose;
    # posix.dumps() returns bytes
    return simgr.found[0].posix.dumps(0).strip(b'\0\n')

def test():
    assert main() == b'Code_Talkers'

if __name__ == '__main__':
    print(main())
```

Using a correct function and a wrong function:

```python
import angr

def main():
    # Classify states by what the program wrote to stdout (fd 1).
    # posix.dumps() returns bytes, so the markers are byte strings.
    def correct(state):
        return b'Nice' in state.posix.dumps(1)

    def wrong(state):
        return b'Incorrect password' in state.posix.dumps(1)

    p = angr.Project("r100", load_options={'auto_load_libs': False})
    # SimulationManager replaces the old p.surveyors.Explorer API; find/avoid
    # accept callables as well as addresses.
    simgr = p.factory.simulation_manager()
    simgr.explore(find=correct, avoid=wrong)

    return simgr.found[0].posix.dumps(0).strip(b'\0\n')

def test():
    assert main() == b'Code_Talkers'

if __name__ == '__main__':
    print(main())
```



Reposted from blog.csdn.net/doudoudouzoule/article/details/79970972