(逆向)angr 执行二进制函数

关于angr:

github 搜索angr



首先编译源码:

#include
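/*
 * ORHash: the routine the post later re-executes under angr.
 *
 * str: input bytes; len: number of loop iterations.
 *
 * NOTE(review): the loop header was lost when this page was extracted
 * (only "for (i =0;i" survived).  It is restored here as the obvious
 * "i < len; i++" over the declared `len` parameter; the body is kept
 * exactly as the post shows it.
 *
 * The update expression is deliberately NOT "corrected".  In C, `+` binds
 * tighter than `<<` and `>>`, so the line below does not compute
 * (hash << 5) + *str + (hash >> 1); it computes
 * (hash << (5 + *str + hash)) >> 1.  The shift count is far larger than
 * the 32-bit width of `hash`, which is undefined behaviour, so the value
 * 947199883 reported later in the post is simply whatever the compiled
 * binary's shift instruction happens to produce.  Re-parenthesising the
 * expression would change that value, so any such fix must be paired with
 * recompiling and re-running the binary.
 *
 * Also note that `str` is never advanced in the body as shown, so every
 * iteration reads the same byte; this may be another extraction loss —
 * confirm against the compiled binary before relying on the hash.
 */
unsigned int ORHash(char *str, int len) {
    int i = 0;
    unsigned int hash = 1315423911;
    for (i = 0; i < len; i++) {
        hash ^= (hash<<5 + (*str) + hash>>1);
    }
    return hash;
}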
/*
 * TestFunc: sum the byte values of the NUL-terminated string s.
 *
 * The accumulator is a signed int while the return type is unsigned, so
 * the sum is converted on return; on targets where `char` is signed,
 * bytes >= 0x80 subtract from the sum.  Written as a pointer-walking
 * for-loop instead of while/s++; the arithmetic is unchanged.
 */
unsigned int TestFunc(char *s) {
    int sum = 0;
    const char *p;
    for (p = s; *p != '\0'; ++p) {
        sum += *p;
    }
    return sum;
}
/*
 * Entry point: prints a hand-evaluated hash constant, the code of 'y',
 * TestFunc("aass") and ORHash("ysg", 3).  The last line is the value the
 * angr run below is meant to reproduce.
 *
 * NOTE(review): the `#include` line at the top of this listing lost its
 * header name in extraction; printf needs <stdio.h>.  main also falls off
 * the end without a return statement, which C99 treats as `return 0`.
 */
int main(){


    unsigned int tmp = 0;
    /* NOTE(review): `+` binds tighter than `^`, so this evaluates as
     *   X ^ ((X >> 2) + (X << 5) + 'y')
     * with X = 1315423911 ^ (328855977 + 3438859488 + 'y').
     * 3438859488 does not fit in a 32-bit int, so the whole expression is
     * evaluated in a wider signed integer type and truncated on assignment
     * to tmp.  The constants are 328855977 == 1315423911 >> 2 and
     * 3438859488 == (1315423911 << 5) truncated to 32 bits, i.e. this looks
     * like one hand-expanded hash step for the byte 'y' — it is not the
     * expression ORHash above actually applies (that one uses >> 1 and has
     * no parentheses), so the two numbers are not expected to agree. */
    tmp = 1315423911 ^328855977 + 3438859488 + ('y') ^((1315423911 ^ 328855977 + 3438859488 + ('y')) >> 2) +((1315423911 ^ 328855977 + 3438859488 + ('y')) << 5) +('y');
    printf("%u\n",tmp);
    /* 'y' is an int character constant (121) printed with %u. */
    printf("%u\n",'y');
    printf("test = %d\n",TestFunc("aass"));
    /* The reference value the angr callable below is compared against. */
    printf("orhash = %u\n" , ORHash("ysg" ,3));
}


得到可执行文件 test

用 IDA 得到函数 ORHash 的入口地址 0x40052D


下面使用 angr 加载可执行文件 test，运行 ORHash 函数得到结果


import angr

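# Load the binary built from the C listing above.  auto_load_libs=False keeps
# angr from loading shared libraries into the project; ORHash needs none.
b = angr.Project('test', load_options={'auto_load_libs': False})

# Build a CFG with states kept so the recovered function can be called below.
# (Newer angr releases expose this analysis under the name CFGEmulated.)
cfg = b.analyses.CFGAccurate(keep_state=True)

# Entry address of ORHash as read from IDA (see above).  It is specific to this
# build of `test` and must be re-read whenever the binary is recompiled.
addr = 0x40052D

# Exploration helpers from the original script, left here as a reminder of what
# can be inspected on the CFG:
#   entry_node = cfg.get_any_node(addr)
#   print(len(cfg.graph.nodes()), len(cfg.graph.edges()))
#   print(entry_node.predecessors, entry_node.successors)
#   print([jk + ' to ' + hex(node.addr)
#          for node, jk in cfg.get_successors_and_jumpkind(entry_node)])

# Look up the recovered function by address and wrap it so it can be invoked
# with concrete arguments.  The call runs under angr's emulation, not natively.
entry_func = cfg.kb.functions[addr]
function = entry_func.callable

# Same argument shape as ORHash("ysg", 3) in main(): a string and its length.
# NOTE(review): the post reports 947199883 for this call and says it matches
# the binary, but main() hashes "ysg", not "qwe"; re-check with the same input.
out = function("qwe", 3)
print(out)          # the returned expression
print(out.args[0])  # its concrete value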

得到结果 947199883 

和原可执行文件输出一致
