
angr strcmp not working when the length is >= 60

Stack Overflow user
Asked on 2022-02-14 17:08:37
1 answer, 81 views, 0 followers, 0 votes

Why can't angr solve this when the length is >= 60? I only get a deadended state. When I only check g66, the answer is correct. But when using strcmp with a length greater than 59, I cannot get a forked state.

solve.py

```python
import angr
import claripy

p = angr.Project("a.out", auto_load_libs=True)

# 70 symbolic bytes, concatenated into one bitvector that is the whole of stdin
password_chars = [claripy.BVS("flag_%d" % i, 8) for i in range(70)]
password_ast = claripy.Concat(*password_chars)

simgr = p.factory.simulation_manager(p.factory.full_init_state(stdin=password_ast))
simgr.run()

print(simgr)
```

target.c

```c
#include <stdio.h>
#include <string.h>   /* strcmp */

int main(){
    char g[100];
    scanf("%s", g);   /* no length limit; fine for this test input, overflows g on longer tokens */
    if(strcmp(g,"vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv")==0){  // 60 bytes
        printf("Correct!");
    }

    return 0;
}
```

Output

```text
WARNING | 2022-02-15 00:51:30,367 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2022-02-15 00:51:30,903 | angr.simos.simos | stdin is constrained to 70 bytes (has_end=True). If you are only providing the first 70 bytes instead of the entire stdin, please use stdin=SimFileStream(name='stdin', content=your_first_n_bytes, has_end=False).
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | 1) setting a value to the initial state
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to suppress these messages.
WARNING | 2022-02-15 00:51:33,425 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7fffffffffeff40 with 8 unconstrained bytes referenced from 0x5a22d0 (strcmp+0x0 in libc.so.6 (0xa22d0))
<SimulationManager with 1 deadended>
```

I found that if I add the LAZY_SOLVES option I do get forked states. But then it says unsat?

```python
import angr
import claripy

p = angr.Project("a.out", auto_load_libs=True)

password_chars = [claripy.BVS("flag_%d" % i, 8) for i in range(100)]
password_ast = claripy.Concat(*password_chars)

# LAZY_SOLVES skips the satisfiability check at branches, so unsat successors
# are kept until something actually queries the solver
simgr = p.factory.simulation_manager(
    p.factory.full_init_state(stdin=password_ast, add_options={angr.options.LAZY_SOLVES})
)
simgr.run()
```
```text
In [21]: %run solve.py
WARNING | 2022-02-15 01:48:11,156 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2022-02-15 01:48:11,676 | angr.simos.simos | stdin is constrained to 100 bytes (has_end=True). If you are only providing the first 100 bytes instead of the entire stdin, please use stdin=SimFileStream(name='stdin', content=your_first_n_bytes, has_end=False).
WARNING | 2022-02-15 01:48:13,289 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7fffffffffeff40 with 8 unconstrained bytes referenced from 0x5a22d0 (strcmp+0x0 in libc.so.6 (0xa22d0))

In [22]: simgr.deadended[1].posix.dumps(0)
---------------------------------------------------------------------------
UnsatError                                Traceback (most recent call last)
```

1 Answer

Stack Overflow user

Posted on 2022-02-14 19:33:01

First, `char g[100]` is not initialized. This may cause a wrong comparison and make its address the same as your string's address. Try initializing it like this:

```c
char g[100] = { 0 };
```
Votes: 0
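A check worth making before changing target.c, as an added note and example that is not part of the question or the answer above: angr's strlen and strcmp SimProcedures only consider the first `state.libc.buf_symbolic_bytes` symbolic bytes as possible positions of the NUL terminator, and that limit defaults to 60. A 60-byte match needs the terminator at index 60, one past the limit, which is the threshold the question describes; the answer's buffer initialization does not touch this. The script below keeps the questioner's 70-byte symbolic stdin, raises the limit, and drives the search with `explore(find=...)` on stdout instead of `run()`. It assumes target.c is compiled to `./a.out`, that the program prints `Correct!` on the matching path, and that angr and claripy are installed; `passes_target_check` is a pure-Python reference model of target.c added here to validate whatever angr recovers, and angr is imported inside the solver functions so that model is usable without angr.

```python
import re

BINARY = "./a.out"   # assumption: target.c from the question, compiled to ./a.out
TARGET_LEN = 60      # length of the "vvv...v" constant in target.c
TARGET = b"v" * TARGET_LEN
SUCCESS = b"Correct!"
WHITESPACE = b" \t\n\r\x0b\x0c"


def make_state(project, n_bytes, symbolic_limit):
    """Entry state with n_bytes of symbolic stdin (as in the question) plus the libc
    knobs that bound how far angr's strlen/strcmp SimProcedures look for a NUL."""
    import angr
    import claripy

    chars = [claripy.BVS(f"flag_{i}", 8) for i in range(n_bytes)]
    stdin_ast = claripy.Concat(*chars)
    state = project.factory.full_init_state(
        stdin=stdin_ast,
        add_options={
            angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,    # option 2) from the warnings
            angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
        },
    )
    # Default is 60: strlen (and therefore strcmp) only treats the first 60 symbolic
    # bytes as candidate terminator positions, so the string can never be 60 long.
    state.libc.buf_symbolic_bytes = symbolic_limit
    # strlen also stops searching after max_str_len bytes; keep it above the limit.
    state.libc.max_str_len = max(state.libc.max_str_len, symbolic_limit + 1)
    return state, stdin_ast


def solve(binary=BINARY, n_bytes=70, symbolic_limit=128):
    """Return stdin bytes that reach the Correct! path, or None if no state is found."""
    import angr

    project = angr.Project(binary, auto_load_libs=False)   # libc calls -> SimProcedures
    state, stdin_ast = make_state(project, n_bytes, symbolic_limit)
    simgr = project.factory.simulation_manager(state)
    simgr.explore(find=lambda s: SUCCESS in s.posix.dumps(1))
    if not simgr.found:
        return None
    return simgr.found[0].solver.eval(stdin_ast, cast_to=bytes)


def passes_target_check(stdin_bytes):
    """Reference model of target.c (no angr needed): scanf("%s") skips leading
    whitespace and copies the next whitespace-delimited token; strcmp stops at the
    first NUL. Assumes the token fits in g[100] (longer tokens overflow the buffer
    in the real program, which this model does not reproduce)."""
    data = stdin_bytes.lstrip(WHITESPACE)
    token = re.match(rb"[^ \t\n\r\x0b\x0c]*", data).group(0)
    return token.split(b"\x00", 1)[0] == TARGET


if __name__ == "__main__":
    # Default limit first (expected: None), then a raised one (expected: a solution).
    for limit in (60, 128):
        result = solve(symbolic_limit=limit)
        print(f"buf_symbolic_bytes={limit}: {result!r}")
        if result is not None:
            assert passes_target_check(result)
```

Running it with the default limit of 60 and then with 128 shows directly whether the limit is what is producing the deadended state. The recovered input should be checked against the real binary as well (`printf '%s' "$input" | ./a.out`), since the reference model deliberately ignores the overflow that `scanf("%s")` allows for tokens of 100 bytes or more.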
Original page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/71115602
