GitBook: [master] 4 pages modified

SUMMARY.md

@@ -500,7 +500,8 @@
 ## Reversing
 
 * [Reversing Tools & Basic Methods](reversing/reversing-tools-basic-methods/README.md)
-  * [Angr](reversing/reversing-tools-basic-methods/angr.md)
+  * [Angr](reversing/reversing-tools-basic-methods/angr/README.md)
+    * [Angr - Examples](reversing/reversing-tools-basic-methods/angr/angr-examples.md)
   * [Z3 - Satisfiability Modulo Theories \(SMT\)](reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
   * [Cheat Engine](reversing/reversing-tools-basic-methods/cheat-engine.md)
   * [Blobrunner](reversing/reversing-tools-basic-methods/blobrunner.md)

reversing/reversing-tools-basic-methods/angr/README.md

@@ -204,3 +204,7 @@ True
 
 Furthermore, you can use `proj.hook_symbol(name, hook)`, providing the name of a symbol as the first argument, to hook the address where the symbol lives
 
+## Examples
+
+
+

reversing/reversing-tools-basic-methods/angr/angr-examples.md

@@ -0,0 +1,46 @@
+# Angr - Examples
+
+### Find input to reach address
+
+```python
+import angr
+import sys
+
+def main(argv):
+  path_to_binary = argv[1]  # :string
+  project = angr.Project(path_to_binary)
+
+  # Tell Angr where to start executing (should it start from the main()
+  # function or somewhere else?) For now, use the entry_state function
+  # to instruct Angr to start from the main() function.
+  initial_state = project.factory.entry_state()
+
+  # Create a simulation manager initialized with the starting state. It provides
+  # a number of useful tools to search and execute the binary.
+  simulation = project.factory.simgr(initial_state)
+
+  # Explore the binary to attempt to find the address that prints "Good Job."
+  # You will have to find the address you want to find and insert it here. 
+  # This function will keep executing until it either finds a solution or it 
+  # has explored every possible path through the executable.
+  # (!)
+  print_good_address = 0x804867d
+  simulation.explore(find=print_good_address)
+
+  # Check that we have found a solution. The simulation.explore() method will
+  # set simulation.found to a list of the states that it could find that reach
+  # the instruction we asked it to search for. Remember, in Python, if a list
+  # is empty, it will be evaluated as false, otherwise true.
+  if simulation.found:
+    solution_state = simulation.found[0]
+
+    # Print the string that Angr wrote to stdin to follow solution_state. This 
+    # is our solution.
+    print(solution_state.posix.dumps(sys.stdin.fileno()))
+  else:
+    raise Exception('Could not find the solution')
+
+if __name__ == '__main__':
+  main(sys.argv)
+```
+