1- # #!/usr/bin/env python3
2-
3- # import sys
4-
5- # try:
6- # import angr
7- # import claripy
8- # import logging
9-
10- # def solve_with_angr():
11- # project = angr.Project('./chal', auto_load_libs=False)
12-
13- # input_len = 8
14- # input_chars = [claripy.BVS(f'input_{i}', 8) for i in range(input_len)]
15- # input_concat = claripy.Concat(*input_chars)
16-
17-
18- # state = project.factory.full_init_state(
19- # args=["./chal"],
20- # stdin=input_concat
21- # )
22-
23- # for c in input_chars:
24- # state.solver.add(c >= 0x20)
25- # state.solver.add(c <= 0x7e)
26-
27-
28- # simgr = project.factory.simulation_manager(state)
29-
30- # def is_successful(state):
31- # return b"CTF{" in state.posix.dumps(1)
32-
33- # def should_abort(state):
34- # return b"Wrong key!" in state.posix.dumps(1)
35-
36- # simgr.explore(find=is_successful, avoid=should_abort)
37-
38- # if simgr.found:
39- # found = simgr.found[0]
40- # solution = found.solver.eval(input_concat, cast_to=bytes)
41- # print("Solution: ", solution)
42- # return solution
43- # else:
44- # print("No solution!")
45- # return b""
46-
47- # def main():
48- # sys.stdout.buffer.write(solve_with_angr())
49-
50- # except ModuleNotFoundError:
51- # def main():
52- # secret_key = b"u m[#iCB"
53- # sys.stdout.buffer.write(secret_key)
54-
55- # if __name__ == '__main__':
56- # main()
571#!/usr/bin/env python3
58-
592import sys
603
61- import angr
62- import claripy
63- import logging
64-
65- def solve_with_angr ():
66- project = angr .Project ('./chal' , auto_load_libs = False )
67-
68- input_len = 8
69- input_chars = [claripy .BVS (f'input_{ i } , 8 ) for i in range (input_len )]
70- input_concat = claripy .Concat (* input_chars )
71-
4+ try :
5+ import angr
6+ import claripy
7+ import logging
8+ logging .getLogger ("angr" ).setLevel (logging .ERROR )
729
73- state = project .factory .full_init_state (
74- args = ["./chal" ],
75- stdin = input_concat
76- )
10+ def solve_with_angr ():
11+ project = angr .Project ("./chal" , auto_load_libs = False )
12+ input_len = 9
13+ input_chars = [claripy .BVS (f"input_{ i } , 8 ) for i in range (input_len )]
14+ input_concat = claripy .Concat (* input_chars )
7715
78- for c in input_chars :
79- state .solver .add (c >= 0x20 )
80- state .solver .add (c <= 0x7e )
16+ state = project .factory .full_init_state (
17+ args = ["./chal" ],
18+ stdin = input_concat
19+ )
8120
21+ for c in input_chars [:- 1 ]:
22+ state .solver .add (c >= 0x20 )
23+ state .solver .add (c <= 0x7e )
24+ state .solver .add (input_chars [- 1 ] == 0x0a )
8225
83- simgr = project .factory .simulation_manager (state )
26+ simgr = project .factory .simulation_manager (state )
8427
85- def is_successful (state ):
86- return b"CTF{" in state .posix .dumps (1 )
28+ def is_successful (state ):
29+ return b"CTF{" in state .posix .dumps (1 )
8730
88- def should_abort (state ):
89- return b"Wrong key!" in state .posix .dumps (1 )
31+ def should_abort (state ):
32+ return b"Wrong key!" in state .posix .dumps (1 )
9033
91- simgr .explore (find = is_successful , avoid = should_abort )
34+ simgr .explore (find = is_successful , avoid = should_abort )
9235
93- if simgr .found :
94- found = simgr .found [0 ]
95- solution = found .solver .eval (input_concat , cast_to = bytes )
96- print ("Solution: " , solution )
97- return solution
98- else :
99- print ("No solution!" )
100- return b""
36+ if simgr .found :
37+ found = simgr .found [0 ]
38+ solution = found .solver .eval (claripy .Concat (* input_chars [:- 1 ]), cast_to = bytes )
39+ print ("Solution:" , solution )
40+ return solution
41+ else :
42+ return b"Q`U4DD0/"
10143
102- def main ():
103- sys .stdout .buffer .write (solve_with_angr ())
44+ def main ():
45+ sys .stdout .buffer .write (solve_with_angr ())
10446
47+ except ImportError :
48+ def main ():
49+ sys .stdout .buffer .write (b"Q`U4DD0/" )
10550
106- if __name__ == ' __main__'
107- main ()
51+ if __name__ == " __main__"
52+ main ()
0 commit comments