|
1 | | -import angr |
2 | 1 | import sys |
3 | | -import claripy |
| 2 | +import angr |
| 3 | + |
| 4 | +def found_correct(state: angr.SimState): |
| 5 | + return b"Correct!" in state.posix.dumps(1) |
4 | 6 |
|
5 | | -angr.loggers.disable_root_logger() |
| 7 | +def avoid_wrong(state: angr.SimState): |
| 8 | + return b"Wrong key!" in state.posix.dumps(1) |
6 | 9 |
|
7 | 10 | def main(): |
8 | | - proj = angr.Project("chal", auto_load_libs=False) |
9 | | - flag_bytes = [claripy.BVS(f'byte_{i}', 8) for i in range(8)] |
10 | | - flag = claripy.Concat(*flag_bytes) |
| 11 | + angr.loggers.disable_root_logger() |
11 | 12 |
|
12 | | - state = proj.factory.full_init_state( |
13 | | - stdin = angr.SimFileStream(name='stdin', content=flag, has_end=True) |
14 | | - ) |
| 13 | + proj = angr.Project("./chal", auto_load_libs=False) |
| 14 | + state = proj.factory.entry_state(stdin=angr.SimFile) |
15 | 15 |
|
16 | | - simgr = proj.factory.simulation_manager(state) |
17 | | - |
18 | | - simgr.explore(find=lambda s: b"flag" in s.posix.dumps(1)) |
| 16 | + simgr = proj.factory.simgr(state) |
| 17 | + simgr.explore(find=found_correct, avoid=avoid_wrong) |
19 | 18 |
|
20 | | - if len(simgr.found) > 0: |
| 19 | + if simgr.found: |
21 | 20 | found_state = simgr.found[0] |
22 | | - solution = found_state.solver.eval(flag, cast_to=bytes) |
| 21 | + solution = found_state.posix.dumps(0) |
23 | 22 | sys.stdout.buffer.write(solution) |
24 | 23 | else: |
25 | | - print("No solution found") |
| 24 | + print("No solution found", file=sys.stderr) |
| 25 | + exit(1) |
26 | 26 |
|
27 | | -if __name__ == '__main__': |
| 27 | +if __name__ == "__main__": |
28 | 28 | main() |
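Review bot: The failure branch at the end of main() calls `exit(1)`, the helper injected by the `site` module, which is not available under `python -S` or in some frozen builds; `sys` is already imported, so `sys.exit(1)` is the dependable form. Separately, the rewrite drops the explicit 8-byte symbolic stdin with `has_end=True`, so `found_state.posix.dumps(0)` now writes whatever stdin content the solver concretizes, with no stated length bound. A comment above that line such as `# stdin length is unbounded; dumps(0) is one satisfying input, not necessarily the unique key` would record the assumption. `found_correct` and `avoid_wrong` would also benefit from one-line docstrings saying they match on the program's stdout (fd 1), since the marker strings are the only link to the target binary's behaviour.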