From 3a594c040ed7df05412dede6e75e24aba33d5589 Mon Sep 17 00:00:00 2001 From: "wellm@stellaglow" Date: Sat, 17 May 2025 22:28:39 +0800 Subject: [PATCH 1/2] Implemented solve.py to crack secret key in chal.c and get flag --- lab8/solve.py | 48 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/lab8/solve.py b/lab8/solve.py index 9ab3ee2..9890121 100755 --- a/lab8/solve.py +++ b/lab8/solve.py @@ -1,11 +1,51 @@ #!/usr/bin/env python3 - -import angr,sys +import angr +import claripy +from angr import options as angr_options +import logging +logging.getLogger("angr").setLevel(logging.ERROR) def main(): - secret_key = b"" - sys.stdout.buffer.write(secret_key) + project = angr.Project('./chal', auto_load_libs=False) + + # Create symbolic bitvectors: 8 characters, each 8 bits + input_len = 8 + input_chars = [claripy.BVS(f'char{i}', 8) for i in range(input_len)] + input_concat = claripy.Concat(*input_chars) + + # Append null terminator to simulate fgets() + input_with_null = claripy.Concat(input_concat, claripy.BVV(0, 8)) + + # Create the initial state and feed symbolic input to stdin + state = project.factory.full_init_state( + args=["./chal"], + stdin=input_with_null + ) + state.options.add(angr_options.ZERO_FILL_UNCONSTRAINED_MEMORY) + state.options.add(angr_options.ZERO_FILL_UNCONSTRAINED_REGISTERS) + + # Constrain input characters to be printable ASCII + for c in input_chars: + state.solver.add(c >= 0x20) # Avoid non-printable characters + state.solver.add(c <= 0x7e) + + # Explore paths to reach puts("Correct!") and avoid puts("Wrong key!") + simgr = project.factory.simgr(state) + + def is_successful(s): + return b"Correct!" in s.posix.dumps(1) + + def is_failed(s): + return b"Wrong key!" in s.posix.dumps(1) + + simgr.explore(find=is_successful, avoid=is_failed) + if simgr.found: + found = simgr.found[0] + result = found.solver.eval(input_concat, cast_to=bytes) + print(result.decode()) + else: + print("No solution found.") if __name__ == '__main__': main() From c113bab6b29a94f568a02cb6ba57f29511e21320 Mon Sep 17 00:00:00 2001 From: "wellm@stellaglow" Date: Mon, 19 May 2025 20:39:21 +0800 Subject: [PATCH 2/2] implement to crack --- lab8/solve.py | 48 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/lab8/solve.py b/lab8/solve.py index 9ab3ee2..9890121 100755 --- a/lab8/solve.py +++ b/lab8/solve.py @@ -1,11 +1,51 @@ #!/usr/bin/env python3 - -import angr,sys +import angr +import claripy +from angr import options as angr_options +import logging +logging.getLogger("angr").setLevel(logging.ERROR) def main(): - secret_key = b"" - sys.stdout.buffer.write(secret_key) + project = angr.Project('./chal', auto_load_libs=False) + + # Create symbolic bitvectors: 8 characters, each 8 bits + input_len = 8 + input_chars = [claripy.BVS(f'char{i}', 8) for i in range(input_len)] + input_concat = claripy.Concat(*input_chars) + + # Append null terminator to simulate fgets() + input_with_null = claripy.Concat(input_concat, claripy.BVV(0, 8)) + + # Create the initial state and feed symbolic input to stdin + state = project.factory.full_init_state( + args=["./chal"], + stdin=input_with_null + ) + state.options.add(angr_options.ZERO_FILL_UNCONSTRAINED_MEMORY) + state.options.add(angr_options.ZERO_FILL_UNCONSTRAINED_REGISTERS) + + # Constrain input characters to be printable ASCII + for c in input_chars: + state.solver.add(c >= 0x20) # Avoid non-printable characters + state.solver.add(c <= 0x7e) + + # Explore paths to reach puts("Correct!") and avoid puts("Wrong key!") + simgr = project.factory.simgr(state) + + def is_successful(s): + return b"Correct!" in s.posix.dumps(1) + + def is_failed(s): + return b"Wrong key!" in s.posix.dumps(1) + + simgr.explore(find=is_successful, avoid=is_failed) + if simgr.found: + found = simgr.found[0] + result = found.solver.eval(input_concat, cast_to=bytes) + print(result.decode()) + else: + print("No solution found.") if __name__ == '__main__': main()